[Owasp-natal] Top Ten Web Hacking Techniques of 2012

Noilson Caio caiogore at gmail.com
Tue Dec 11 18:56:13 UTC 2012


Currently in the process of collecting submissions. If you know of an
attack technique published in 2012 that should be added, please post a link
to the research in the comments. Every year the security community produces
a stunning amount of new Web hacking techniques that are published in
various white papers, blog posts, magazine articles, mailing list emails,
conference presentations, etc. Within the thousands of pages are the latest
ways to attack websites, Web browsers, Web proxies, and their mobile
platform equivalents. Beyond individual vulnerabilities with CVE numbers or
system compromises, here we are solely focused on new and creative methods
of Web-based attack. Now in its seventh year, the Top Ten Web Hacking
Techniques list encourages information sharing, provides a centralized
knowledge base, and recognizes researchers who contribute excellent work.
Past Top Tens and the number of new attack techniques discovered in each
year:
2006 <http://jeremiahgrossman.blogspot.com/2006/12/top-10-web-hacks-of-2006.html> (65),
2007 <http://jeremiahgrossman.blogspot.com/2008/01/top-ten-web-hacks-of-2007-official.html> (83),
2008 <http://jeremiahgrossman.blogspot.com/2009/02/top-ten-web-hacking-techniques-of-2008.html> (70),
2009 <http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html> (82),
2010 <http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html> (69),
2011 <https://blog.whitehatsec.com/vote-now-top-ten-web-hacking-techniques-of-2011/> (51)

*Current 2012 List*

   - CSRF token disclosure via iFRAME and CAPTCHA trickery <http://www.computerworld.com/s/article/9234282/Attackers_can_abuse_Yahoo_developer_feature_to_steal_user_emails_other_data> (2 <http://threatpost.com/en_us/blogs/bug-hunter-finds-blended-threat-targeting-yahoo-web-site-120312>)
   - Parasitic computing using ‘Cloud Browsers’ <http://news.ncsu.edu/releases/wms-enck-cloud-browsers/> (2 <http://www.darkreading.com/cloud-security/167901092/security/news/240142718/new-hack-abuses-cloud-based-browsers.html>)
   - Browser Event Hijacking <http://labs.neohapsis.com/2012/11/14/browser-event-hijacking/> (2 <http://arstechnica.com/security/2012/12/how-script-kiddies-can-hijack-your-browser-to-steal-your-password/>, 3 <http://h43z.blogspot.com/2012/11/whats-real-and-whats-not.html>)
   - Cross-Site Port Attacks <http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html>
   - How I Hacked StackOverflow <http://blog.ircmaxell.com/2012/11/anatomy-of-attack-how-i-hacked.html>
   - Visitor Tracking Without Cookies (or How To Abuse HTTP 301s) <http://www.scatmania.org/2012/04/24/visitor-tracking-without-cookies/>
   - The “I Know…” series. What websites know about you <http://blog.whitehatsec.com/introducing-the-i-know-series/>
   - Hyperlink Spoofing and the Modern Web <http://blogs.msdn.com/b/dross/archive/2012/04/26/hyperlink-spoofing-and-the-modern-web.aspx>
   - Pwning via SSRF (memcached, php-fastcgi, etc) <http://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_WP.pdf> (2 <http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities>)
   - Using the HTML5 Fullscreen API for Phishing Attacks <http://feross.org/html5-fullscreen-api-attack/>
   - Steam Browser Protocol Insecurity <http://revuln.com/files/ReVuln_Steam_Browser_Protocol_Insecurity.pdf>
   - Content Smuggling <http://xs-sniper.com/blog/2012/10/11/content-smuggling/>
   - Using HTTP headers pollution for mobile networks attacks <http://news.softpedia.com/news/Users-of-Mobile-Portals-Exposed-to-HTTP-Header-Pollution-Attacks-Expert-Finds-293540.shtml> (2 <http://blog.m-sec.net/2012/new-gsm-vulnerability/>)
   - CRIME <http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512> (2 <http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/>)
   - Top-Level Universal XSS <https://superevr.com/blog/2012/top-level-universal-xss/>
   - Blended Threats and JavaScript <https://superevr.com/blog/2012/blended-threats-and-javascript/>
   - Exploiting XSS in Ajax Web Applications <https://superevr.com/blog/2012/exploiting-xss-in-ajax-web-applications/>
   - .Net Cross Site Scripting – Request Validation Bypassing <http://www.quotium.com/research/advisories/XSS-NetRequestValidation.php>
   - Stuffing Javascript into DNS names <http://www.skullsecurity.org/blog/2010/stuffing-javascript-into-dns-names>
   - Clickjacking Rootkits for Android <https://www.youtube.com/watch?v=RxpMPrqnxC0> (2 <http://web.ncsu.edu/abstract/technology/wms-jiang-clickjack/>)
   - How Facebook lacked X-Frame-Options and what I did with it <http://blog.kotowicz.net/2012/08/how-facebook-lacked-x-frame-options-and.html>
   - IE9 Self-XSS Blackbox Protection bypass <http://soroush.secproject.com/blog/2012/08/ie9-self-xss-blackbox-protection-bypass/>
   - Bruteforce of PHPSESSID <http://blog.ptsecurity.com/2012/08/not-so-random-numbers-take-two.html>
   - File System API with HTML5 – Juice for XSS <http://shreeraj.blogspot.com/2012/08/file-system-api-with-html5-juice-for-xss.html>
   - How to upload arbitrary file contents cross-domain <http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html>
   - Bypassing HTTP Basic Authentication in PHP Applications <http://armoredcode.com/blog/bypassing-basic-authentication-in-php-applications/>
   - XSS: Gaining access to HttpOnly Cookie in 2012 <http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html>
   - CSS-Only Clickjacking <http://jsfiddle.net/gcollazo/UMyEm/embedded/result/>
   - X-Frame-Options (XFO) Detection from Javascript <http://blog.whitehatsec.com/x-frame-options-xfo-detection-from-javascript/>
   - Fun with data: URLs <http://blog.kotowicz.net/2012/04/fun-with-data-urls.html>
   - Browsers Anti-XSS methods in ASP (classic) have been defeated! <http://soroush.secproject.com/blog/2012/06/browsers-anti-xss-methods-in-asp-classic-have-been-defeated/>
   - Yes, you can have fun with downloads <http://lcamtuf.blogspot.com/2012/05/yes-you-can-have-fun-with-downloads.html>
   - Stiltwalker, exploits weaknesses in the audio version of reCAPTCHA <http://www.dc949.org/projects/stiltwalker/>
   - CSS :visited may be a bit overrated <http://lcamtuf.blogspot.com/2011/12/css-visited-may-be-bit-overrated.html>
   - “ASPXErrorPath in URL” Technique in Scanning a .Net Web Application <http://soroush.secproject.com/blog/2012/06/aspxerrorpath-in-url-technique-in-scanning-a-net-web-application/>
   - Cursorjacking again <http://blog.kotowicz.net/2012/01/cursorjacking-again.html>
   - Chrome addon hacking <http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html> (2 <http://blog.kotowicz.net/2012/02/chrome-addons-hacking-want-xss-on.html>, 3 <http://blog.kotowicz.net/2012/03/chrome-addons-hacking-bye-bye-adblock.html>, 4 <http://blog.kotowicz.net/2012/07/xss-chef-chrome-extension-exploitation.html>, 5 <http://blog.kotowicz.net/2012/09/owning-system-through-chrome-extension.html>)
   - Jumping out of Touch Screen Kiosks <http://seckb.yehg.net/2012/09/jumping-out-of-touch-screen-kiosks.html>
   - Using POST method to bypass IE-browser protected XSS <http://seckb.yehg.net/2012/06/using-post-method-to-bypass-ie-browser.html>
   - Password extraction from Ajax/DOM/HTML5 routine <http://shreeraj.blogspot.com/2012/01/password-extraction-from-ajaxdomhtml5.html>
   - Random Number Security in Python <http://blog.ptsecurity.com/2012/10/random-number-security-in-python.html>
   - Bypassing Flash’s local-with-filesystem Sandbox <http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/>


 *Phase 1: Open community voting for the final 20 [Jan, 2013]*
Each entry (listed alphabetically) gets a certain amount of points depending
on how highly it is individually ranked in each ballot. For example, an
entry in position #1 will be given 20 points, position #2 will get 19
points, position #3 gets 18 points, and so on down to 1 point. At the end,
all points from all ballots will be tabulated to ascertain the top twenty
overall.

 *Phase 2: Panel of Security Experts [Jan, 2013]*
From the result of the open community voting, the top twenty Web Hacking
Techniques will be voted upon by a panel of security experts. Using the exact
same voting process as phase 1, the judges will rank the final twenty based
on novelty, impact, and overall pervasiveness. Once tabulation is
completed, we’ll have the Top Ten Web Hacking Techniques of 2012!


 *About Jeremiah Grossman*

Jeremiah Grossman is the Founder and Chief Technology Officer of WhiteHat
Security, where he is responsible for Web security R&D and industry
outreach. Over the last decade, Mr. Grossman has written dozens of
articles, white papers, and is a published author. His work has been
featured in the Wall Street Journal, Forbes, NY Times and hundreds of other
media outlets around the world.

As a well-known security expert and industry veteran, Mr. Grossman has been
a guest speaker on six continents at hundreds of events including TED,
BlackHat Briefings, RSA, SANS, and others. He has been invited to guest
lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW
Madison, and UCLA. Mr. Grossman is also a co-founder of the Web Application
Security Consortium (WASC) and previously named one of InfoWorld's Top 25
CTOs.

He serves on the advisory board of two hot start-ups, Risk I/O and SD
Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding
WhiteHat, Mr. Grossman was an information security officer at Yahoo!


-- 
Noilson Caio Teixeira de Araújo
Linux Professional Institute Certification  2 - LPI000182893
ITV3F ITIL Foundation Certificate in IT Service Management (Syllabus 2011)
- EXIN063638
Novell Certified Linux Administrator (CLA) - 10111916
Novell Data Center Technical Specialist

http://ncaio.ithub.com.br
http://br.linkedin.com/in/ncaio
http://www.commandlinefu.com/commands/by/ncaio
http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php