[Owasp-brazilian] Calling all Researchers! Send in the Top Web Hacking Techniques of 2008

Sp0oKeR spooker at gmail.com
Tue Jan 27 06:29:20 EST 2009


I think this is of general interest =)

Sent to you by Sp0oKeR via Google Reader: Calling all Researchers! Send
in the Top Web Hacking Techniques of 2008, via Jeremiah Grossman, by
Jeremiah Grossman on 26/01/09

It's time once again to create the Top Ten Web Hacking Techniques of
the past year. Every
year Web security produces a plethora of new and extremely clever
hacking techniques (loosely defined, not specific incidents), many of
which are published in hard to find locations. 2008 was no different.
As we've done for the past two years, we're looking for the best of the
best. This effort serves as a way to create a centralized community
reference and recognize those exceptional researchers who have
contributed to our collective knowledge.

This year is special, because the researcher who places #1 will not
only receive praise amongst his peers, but also receive one free pass
to attend the BlackHat USA Briefings 2009! Over $1,000 (US) value.
Generously sponsored by BlackHat. Winners will be chosen by a panel of
judges (Rich Mogull, Chris Hoff, HD Moore, Jeff Forristal) on the basis
of novelty, impact, and pervasiveness.

We’re also going to need your help. Below we’re building the living
list of everything found so far. If anything is missing, and we’re
positive there is because last year had over 80, we’d appreciate it if
you could post a comment containing the link. Thank you and good luck!

The List

- Cross-Site Printing
- CUPS Detection
- CSRFing the uTorrent plugin
- Clickjacking / Videojacking
- Bypassing URL Authentication and Authorization with HTTP Verb Tampering
- I used to know what you watched, on YouTube (CSRF + Crossdomain.xml)
- Safari Carpet Bomb
- Flash clipboard Hijack
- Flash Internet Explorer security model bug
- Frame Injection Fun
- Free MacWorld Platinum Pass? Yes in 2008!
- Diminutive Worm, 161 byte Web Worm
- SNMP XSS Attack
- Res Timing File Enumeration Without JavaScript in IE7.0
- Stealing Basic Auth with Persistent XSS
- Smuggling SMTP through open HTTP proxies
- Collecting Lots of Free 'Micro-Deposits'
- Using your browser URL history to estimate gender
- Cross-site File Upload Attacks
- Same Origin Bypassing Using Image Dimensions
- HTTP Proxies Bypass Firewalls
- Join a Religion Via CSRF
- Cross-domain leaks of site logins via Authenticated CSS
- JavaScript Global Namespace Pollution
- GIFAR
- HTML/CSS Injections - Primitive Malicious Code
- Hacking Intranets Through Web Interfaces
- Cookie Path Traversal
- Racing to downgrade users to cookie-less authentication
- MySQL and SQL Column Truncation Vulnerabilities
- Building Subversive File Sharing With Client Side Applications
- Firefox XML injection into parse of remote XML
- Firefox cross-domain information theft (simple text strings, some CSV)
- Firefox 2 and WebKit nightly cross-domain image theft
- Browser's Ghost Busters
- Exploiting XSS vulnerabilities on cookies
- Breaking Google Gears' Cross-Origin Communication Model
- Flash Parameter Injection
- Cross Environment Hopping
- Exploiting Logged Out XSS Vulnerabilities
- Exploiting CSRF Protected XSS
- ActiveX Repurposing, (1, 2)

WhiteHat Security is a leading provider of web application security
services. WhiteHat Sentinel, the company’s flagship service, provides
continuous web applications vulnerability assessment and management.
