Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack. Now in its seventh year, The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work. Past Top Tens and the number of new attack techniques discovered in each year: 2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51)
The Top Ten
1. CRIME (1, 2, 3, 4) by Juliano Rizzo and Thai Duong
2. Pwning via SSRF (memcached, php-fastcgi, etc) (2, 3, 4, 5)
3. Chrome addon hacking (2, 3, 4, 5)
4. Bruteforce of PHPSESSID
5. Blended Threats and JavaScript
6. Cross-Site Port Attacks
7. Permanent backdooring of HTML5 client-side application
8. CAPTCHA Re-Riding Attack
9. XSS: Gaining access to HttpOnly Cookie in 2012
10. Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)
Honorable Mention
11. Using WordPress as an intranet and internet port scanner
12. .Net Cross Site Scripting – Request Validation Bypassing (1)
13. Bruteforcing/Abusing search functions with no-rate checks to collect data
14. Browser Event Hijacking (2, 3)
15. Bypassing Flash’s local-with-filesystem Sandbox
Process oversight: due to the original discovery date, January 4th, 2011, this technique should not have been included in this year's list.
How the winners are selected…
Phase 2: Panel of Security Experts [CLOSED]
Judges: Ryan Barnett, Robert Auger, Robert Hansen (CEO, Falling Rock Networks), Dinis Cruz, Jeff Williams (CEO, Aspect Security), Peleus Uhley, Romain Gaucher (Lead Researcher, Coverity), Giorgio Maone, Chris Wysopal, Troy Hunt, Ivan Ristic (Director of Engineering, Qualys), and Steve Christey (MITRE).
Phase 1: Open community voting for the final 15 [CLOSED]
Each attack technique (listed alphabetically) receives points according to how highly it is ranked in each ballot. For example, an entry in position #1 is given 15 points, position #2 gets 14 points, position #3 gets 13 points, and so on down to 1 point for position #15. At the end, the points from all ballots are tabulated to ascertain the top fifteen overall.
- Chrome addon hacking (2, 3, 4, 5)
- Browser Event Hijacking (2, 3)
- Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)
- Cross-Site Port Attacks
- CRIME (2)
- Blended Threats and JavaScript
- Pwning via SSRF (memcached, php-fastcgi, etc) (2, 3)
- Bruteforcing/Abusing search functions with no-rate checks to collect data
- Permanent backdooring of HTML5 client-side application
- .Net Cross Site Scripting – Request Validation Bypassing (1)
- Bruteforce of PHPSESSID
- XSS: Gaining access to HttpOnly Cookie in 2012
- CAPTCHA Re-Riding Attack
- Bypassing Flash’s local-with-filesystem Sandbox
- Using WordPress as an intranet and internet port scanner
Prizes
1) The winner of this year's top ten will receive an updated Web security book library! If any really good books have been published recently and are missing, please let me know and I'll add them: Violent Python, Clickjacking und UI-Redressing, Web Application Defender’s Cookbook, Seven Deadliest Web Application Attacks, A Bug Hunter’s Diary, The Tangled Web, The Web Application Hacker’s Handbook, Web Application Obfuscation, XSS Attacks, Hacking Web Apps.
2) After the open community voting process, two survey respondents will be chosen at random and given a $50 Amazon gift card.
Complete 2012 List
- CSRF token disclosure via iFRAME and CAPTCHA trickery (2)
- Parasitic computing using ‘Cloud Browsers’ (2)
- Browser Event Hijacking (2, 3)
- Cross-Site Port Attacks
- How I Hacked StackOverflow
- Visitor Tracking Without Cookies (or How To Abuse HTTP 301s)
- The “I Know…” series. What websites know about you
- Hyperlink Spoofing and the Modern Web
- Pwning via SSRF (memcached, php-fastcgi, etc) (2, 3)
- Using the HTML5 Fullscreen API for Phishing Attacks
- Steam Browser Protocol Insecurity
- Content Smuggling
- Using HTTP headers pollution for mobile networks attacks (2)
- CRIME (2)
- Top-Level Universal XSS
- Blended Threats and JavaScript
- Exploiting XSS in Ajax Web Applications
- .Net Cross Site Scripting – Request Validation Bypassing
- Stuffing Javascript into DNS names
- Clickjacking Rootkits for Android (2)
- How Facebook lacked X-Frame-Options and what I did with it
- IE9 Self-XSS Blackbox Protection bypass
- Bruteforce of PHPSESSID
- File System API with HTML5 – Juice for XSS
- How to upload arbitrary file contents cross-domain
- Bypassing HTTP Basic Authentication in PHP Applications (** potential rediscovery of: HTExploit – Bypassing .htaccess restrictions **)
- XSS: Gaining access to HttpOnly Cookie in 2012
- CSS-Only Clickjacking
- X-Frame-Options (XFO) Detection from Javascript
- Fun with data: URLs
- Browsers Anti-XSS methods in ASP (classic) have been defeated!
- Yes, you can have fun with downloads
- Stiltwalker, exploits weaknesses in the audio version of reCAPTCHA
- CSS :visited may be a bit overrated
- “ASPXErrorPath in URL” Technique in Scanning a .Net Web Application
- Cursorjacking again
- Chrome addon hacking (2, 3, 4, 5)
- Jumping out of Touch Screen Kiosks
- Using POST method to bypass IE-browser protected XSS
- Password extraction from Ajax/DOM/HTML5 routine
- Random Number Security in Python
- Bypassing Flash’s local-with-filesystem Sandbox
- RCE through mangled WAR upload into Tomcat App Manager using PUT-in-Gopher-over-XXE (1)
- Using WordPress as an intranet and internet port scanner
- UI Redressing Mayhem: Firefox 0-Day And The LeakedIn Affair
- UI Redressing Mayhem: HTTPOnly Bypass PayPwn Style
- NTLM Relay via HTTP to internet or stealing windows user hashes while using java client
- Bypassing CAPTCHAs by Impersonating CAPTCHA Providers (1,2)
- CAPTCHA Re-Riding Attack
- Attacking CAPTCHAs for Fun and Profit
- Permanent backdooring of HTML5 client-side application [Apture example]
- Cracking Ruby on Rails Sessions
- Bruteforcing/Abusing search functions with no-rate checks to collect data
- Cross Context Scripting from within the Browser (1)
- Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)
- Same Origin Spoofing to Attack Client Certificate Sessions
Definitely, SSRF
– [started] http://media.blackhat.com/bh-us-12/Briefings/Polyakov/BH_US_12_Polyakov_SSRF_Business_WP.pdf
– [continued] http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities
Including (but not limited to) messing with memcached using SSRF
Thanks @Andrew. How’s that look at #9?
Great! But I’d rename it to reflect the point of the hack. Smth like “P0wning via SSRF (memcached, php-fastcgi, … you name it)” or something like that.
If you take my meaning
Cross Context Scripting attacks and exploitation
List of advisories and exploits below, very cool attacks:
http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html
http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-rss-rce.html
http://blog.malerisch.net/2012/12/avant-browser-same-of-origin-policy.html
@Jack: while not taking away from the coolness of the research, these seem to be vulnerability instances rather than new methods of attack. If you can help me identify an area where a new “technique” is discussed, I’d be happy to add it.
@Jeremiah – thanks for the reply – I see your point – only reason I submitted is for the exploit angle demonstrated (which seems new to me in the Maxthon advisories): xcs from within the browser itself (not via vulnerable extensions or addons) into a trusted zone and misuse of privileged APIs to achieve code execution.
@Jack Oh I see. Hard for me to know for certain if “xcs from within the browser itself” is novel, but definitely is interesting for inclusion on that basis. Seems this is more than a well-worn vuln instance. I added your Maxthon advisory links!
SSRF 2.0 http://erpscan.com/wp-content/uploads/2012/11/SSRF.2.0.poc_.pdf with collection of different XML formats where it is possible to forge SSRF request
@Alexander: Added it as a reference next to “Pwning via SSRF (memcached, php-fastcgi, etc)”. That correct?
The same topic but different paper that was not listed in current list. Also this is about SSRF too http://erpscan.com/press-center/blog/ssrf-via-ws-adressing/
“Current 2011 List” should probably be 2012. just an observation.
@an_animal: right you are, thank you!
AJAX Hammer – Harnessing AJAX for Dynamic CSRF
http://hasc-research.googlecode.com/files/AJAX%20Hammer%20-%20Harnessing%20AJAX%20for%20(Direct)%20Dynamic%20CSRF.pdf
http://www.youtube.com/watch?v=JHJ1WW4Fcvw
@Oren: Added. Thank you!
Thanks for having mentioned my blog post about bypassing basic auth for PHP applications, in your blog.
Paolo
@Paolo. You are very welcome.
RCE through mangled WAR upload into Tomcat App Manager using PUT-in-Gopher-over-XXE
(see http://www.slideshare.net/andrewpetukhov/no-locked-doors-no-windows-barred-hacking-openam-infrastructure/11 and demo http://www.youtube.com/watch?v=ZnsFhGYqI3g)
Added. Thank you @Travis!
CRIME is even better than BEAST. HTTP/2.0 is vulnerable. Now it’s clear for everybody: compression can break encryption.
Using WordPress as an intranet and internet port scanner – https://github.com/FireFart/WordpressPingbackPortScanner
Added. Thanks @Ryan.
UI Redressing attack – iframe-to-iframe extraction method
http://blog.nibblesec.org/2012/12/ui-redressing-mayhem-firefox-0day-and.html
http://blog.nibblesec.org/2012/12/ui-redressing-mayhem-httponly-bypass_19.html
Cheers!
Thanks @ikkie, added them both!
Attacking OData http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pentesters-guide-to-hacking-odata.pdf
@Gursev Are they new “attack techniques” discussed? If so, please point out where so I can have a look see.
Hey Jeremiah,
Starting page 12, the whitepaper discusses OData penetration testing methodology. However, a few interesting techniques can be found at page 13 of the document:
1. HTTP Verb Tunneling
2. Navigation Properties for Additional Data Access
3. System Query Options ($select)
Thank you for your time.
Regards,
Gursev
@Gursev thanks. Exactly what I needed. Added the reference with those names so others know exactly what to look for.
Attacking CAPTCHAs for Fun and Profit — Several new attacks on CAPTCHAs
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-attacking-captchas-for-fun-profit.pdf
@Gursev added!
CAPTCHA Re-Riding attack
http://gursevkalra.blogspot.com/2012/03/captcha-re-riding-attack.html
Hey Jeremiah,
Do you have any questions I can answer here?
Regards,
Gursev
@Gursev no questions. Thanks for the submission. Added!
Bypassing CAPTCHAs by Impersonating CAPTCHA Providers (Whitepaper and Tool)
Whitepaper: http://www.mcafee.com/us/resources/white-papers/foundstone/wp-bypassing-captchas.pdf
Tool: https://github.com/OpenSecurityResearch/clipcaptcha
Blog: http://gursevkalra.blogspot.com/2012/10/bypassing-captchas-by-impersonating.html
Hey Jeremiah,
Do you have any questions I can answer for the “Bypassing CAPTCHAs by Impersonating CAPTCHA Providers” submission?
Regards,
Gursev
@Gursev no questions. Sorry for the delay, holiday slow down. Added!
No problem, thank you.
This just got posted the other day https://isecpartners.com/news-events/news/2012/december/an-attack-on-ssl-client-certificates.aspx
@Max: How do I “name” this? The title of the post is a bit generic.
@Jeremiah: I’m really bad at naming things. If put in a vise, maybe “Same Origin Spoofing to Attack Client Certificate Sessions”.
@Tom works for me. thank you!
NTLM Relay via HTTP to internet or stealing Windows user hashes while using Java client, on Windows
http://erpscan.com/press-center/smbrelay-bible-7-ssrf-java-windows-love/
@sh2kerr Thank you for your research and submission. Added!
Please add Hacking Web Apps by Mike Shema to your list of books in the security library: http://www.amazon.com/Hacking-Web-Apps-Preventing-Application/dp/159749951X
@Robert You got it!
So how do we vote? or when does voting starts? thanks.
@an_animal working on creating the survey now; it’ll be through SurveyMonkey as usual. I’ll probably start open voting late next week after I make sure all the entries are in and listed properly.
SSRF techniques are awesome. Hence, I vote for Pwning via SSRF (memcached, php-fastcgi, etc).
These attacks raise a wide range of possibilities to compromise various systems.
Free Hosts DNS Hijacking Vulnerability
Research and PoC –>
http://www.cyber-n.com/2012/12/free-hosting-sites-vulnerable-to-dns.html
AMF Testing Made Easy
http://www.slideshare.net/ikkisoft/amf-testing-made-easy-deepsec-2012
http://blazer.googlecode.com/files/BH2012_LucaCarettoni_WP_FINAL.pdf
The tool is here: http://code.google.com/p/blazer/
@Karl What are the “new” attack techniques being discussed here?
It’s Luca here, I am the author of Blazer.
The outcome of my research is a novel testing approach that allows one to build custom Flex/AMF messages and perform gray-box testing in a matter of minutes. This improves the coverage and the effectiveness of fuzzing efforts targeting complex applications.
So, it’s a new way to find vulnerabilities in Flex/AMF-based web applications. It’s neither a new class of vulnerabilities nor a new exploitation technique. Thus, I am not sure if it is relevant here.
Anyway, happy new year!
Luca C.
UI Redressing Mayhem: Identification Attacks and UI Redressing on Google Chrome – http://blog.nibblesec.org/2012/12/ui-redressing-mayhem-identification.html
@SuperF while your research is definitely interesting, this appears to be more of a vulnerability instance rather than a “new attack technique” discussed. If this is not the case, please let me know why, and quickly.
http://blog.nibblesec.org/2012/12/ui-redressing-mayhem-identification.html
Identification Attacks + UI Redressing exploiting under Google Chrome.
Thanks.
@daath while your research is interesting, as the earlier link, this appears to be more of a vulnerability instance rather than a “new attack technique” discussed. If this is not the case, please let me know why.
Jeremiah,
the Google Support PoC is an instance of the iframe-to-iframe extraction method – applied as an identification attack – while the Amazon/Chrome hack is a “new” way to perform content extraction against the Google Chrome web browser (it’s a sort of private-to-public same-origin “content extraction” method).
Thanks,
Luca
Missing Tavis Ormandy’s off the cuff Ubisoft ActiveX:
http://seclists.org/fulldisclosure/2012/Jul/375
Brilliant because he buys a new game and has more fun reversing the delivery mechanism. Precursor to Revuln’s Steam research in my opinion!
[...] You can read in detail how to take part in the vote, which they already have online, [here] [...]
[...] View the full list of attacks… [...]
And what about final decision? When we can look at it?
Still working on the final list. It’s a bit challenging and I’m traveling at the moment. Sorry for the delay.
http://homakov.blogspot.com/2013/02/hacking-with-xss-auditor.html
http://homakov.blogspot.com/2012/07/saferweb-most-common-oauth2.html
wdyt?
There is a web page with pictures of my wife, stolen from a memory stick some years ago, that we want to remove the pictures. This seems to be very difficult, no contact with the webmaster of the site is possible. Anyone who can help us? Maybe hacking the website and remove the pictures that has been put there without our permission? Please contact me/us….
Very soon this web page will be famous among all blogging people, due to its good articles or reviews
[...] the final top ten for 2012 was published. The palm of victory [...]
[...] was honored that Jeremiah Grossman asked me to serve again on the panel for the Top 10 Web Hacking Techniques of 2012. During the process, I get to take a look at the year’s most interesting research in greater [...]
[...] has recently published the Top 10 Hacking Techniques of 2012. It is the seventh time that security experts led by Jeremiah Grossman choose the most interesting [...]