2008 웹 해킹 기술 Top 10

Top Ten Web Hacking Techniques of 2008 (Official)

We searched far and wide collecting as many Web Hacking Techniques published in 2008 as possible -- ~70 in all. These new and innovative techniques were analyzed and ranked based upon their novelty, impact, and pervasiveness. The 2008 competition was exceptionally fierce and our panel of judges (Rich Mogull, Chris Hoff, H D Moore, and Jeff Forristal) had their work cut out for them. For any researcher, or "breaker" if you prefer, simply the act of creating something unique enough to appear on the list is no small feat. That much should be considered an achievement. In the end, ten Web hacking techniques rose head and shoulders above.

Supreme honors go to Billy Rios, Nathan McFeters, Rob Carter, and John Heasman for GIFAR! The judges were convinced their work stood out amongst the field. Beyond industry recognition, they also will receive the free pass to Black Hat USA 2009 (generously sponsored by Black Hat)! Now they have to fight over it. ;)

Congratulations to all!

Coming up at SnowFROC AppSec 2009 and RSA Conference 2009 it will be my great privilege to highlight the results. Each of the top ten techniques will be described in technical detail for how they work, what they can do, who they affect, and how best to defend against them. The opportunity provides a chance to get a closer look at the new attacks that could be used against us in the future -- some of which already have.


Top Ten Web Hacking Techniques of 2008!

1. GIFAR
(Billy Rios, Nathan McFeters, Rob Carter, and John Heasman)

2. Breaking Google Gears' Cross-Origin Communication Model
(Yair Amit)

3. Safari Carpet Bomb
(Nitesh Dhanjani)

4. Clickjacking / Videojacking
(Jeremiah Grossman and Robert Hansen)

5. A Different Opera
(Stefano Di Paola)

6. Abusing HTML 5 Structured Client-side Storage
(Alberto Trivero)

7. Cross-domain leaks of site logins via Authenticated CSS
(Chris Evans and Michal Zalewski)

8. Tunneling TCP over HTTP over SQL Injection
(Glenn Wilkinson, Marco Slaviero and Haroon Meer)

9. ActiveX Repurposing
(Haroon Meer)

10. Flash Parameter Injection
(Yuval Baror, Ayal Yogev, and Adi Sharabani)


The List

1. CUPS Detection
2. CSRFing the uTorrent plugin
3. Clickjacking / Videojacking
4. Bypassing URL Authentication and Authorization with HTTP Verb Tampering
5. I used to know what you watched, on YouTube (CSRF + Crossdomain.xml)
6. Safari Carpet Bomb
7. Flash clipboard Hijack
8. Flash Internet Explorer security model bug
9. Frame Injection Fun
10. Free MacWorld Platinum Pass? Yes in 2008!
11. Diminutive Worm, 161 byte Web Worm
12. SNMP XSS Attack (1)
    
13. Res Timing File Enumeration Without JavaScript in IE7.0
14. Stealing Basic Auth with Persistent XSS
15. Smuggling SMTP through open HTTP proxies
16. Collecting Lots of Free 'Micro-Deposits'
17. Using your browser URL history to estimate gender
18. Cross-site File Upload Attacks
19. Same Origin Bypassing Using Image Dimensions
20. HTTP Proxies Bypass Firewalls
21. Join a Religion Via CSRF
22. Cross-domain leaks of site logins via Authenticated CSS
23. JavaScript Global Namespace Pollution
24. GIFAR
25. HTML/CSS Injections - Primitive Malicious Code
26. Hacking Intranets Through Web Interfaces
27. Cookie Path Traversal
28. Racing to downgrade users to cookie-less authentication
29. MySQL and SQL Column Truncation Vulnerabilities
30. Building Subversive File Sharing With Client Side Applications
31. Firefox XML injection into parse of remote XML
32. Firefox cross-domain information theft (simple text strings, some CSV)
33. Firefox 2 and WebKit nightly cross-domain image theft
34. Browser's Ghost Busters
35. Exploiting XSS vulnerabilities on cookies
36. Breaking Google Gears' Cross-Origin Communication Model
37. Flash Parameter Injection
38. Cross Environment Hopping
39. Exploiting Logged Out XSS Vulnerabilities
40. Exploiting CSRF Protected XSS
41. ActiveX Repurposing, (1, 2)
42. Tunneling tcp over http over sql-injection
43. Arbitrary TCP over uploaded pages
44. Local DoS on CUPS to a remote exploit via specially-crafted webpage (1)
45. JavaScript Code Flow Manipulation
46. Common localhost dns misconfiguration can lead to "same site" scripting
47. Pulling system32 out over blind SQL Injection
48. Dialog Spoofing - Firefox Basic Authentication
49. Skype cross-zone scripting vulnerability
50. Safari pwns Internet Explorer
51. IE "Print Table of Links" Cross-Zone Scripting Vulnerability
52. A different Opera
53. Abusing HTML 5 Structured Client-side Storage
54. SSID Script Injection
55. DHCP Script Injection
56. File Download Injection
57. Navigation Hijacking (Frame/Tab Injection Attacks)
58. UPnP Hacking via Flash
59. Total surveillance made easy with VoIP phone
60. Social Networks Evil Twin Attacks
61. Recursive File Include DoS
62. Multi-pass filters bypass
63. Session Extending
64. Code Execution via XSS (1)
65. Redirector’s hell
66. Persistent SQL Injection
67. JSON Hijacking with UTF-7
68. SQL Smuggling
69. Abusing PHP Sockets (1, 2)
70. CSRF on Novell GroupWise WebAccess