Top Ten Internet Hack Techniques of 2010

Monday, January 24, 2011


Black Hat, OWASP and WhiteHat Security have released their picks for the top ten web hacking techniques of 2010.

Details of the techniques will be presented at the IT-Defense 2011 conference in Germany in February.

Judging Panel: Ed Skoudis, Giorgio Maone, Caleb Sima, Chris Wysopal, Jeff Williams, Charlie Miller, Dan Kaminsky, Steven Christey, and Arian Evans.

A summary of the top ten list is as follows:

1. Padding Oracle Crypto Attack -- The hack takes advantage of how Microsoft's Web framework ASP.NET protects AES-encrypted cookies...

2. Evercookie -- This enables JavaScript to create cookies that hide in eight different places within a browser, making them difficult to scrub...

3. Hacking Autocomplete -- A malicious Web site can force the browser to fill in personal data by tapping various data stored on the victim's computer...

4. Attacking HTTPS with Cache Injection -- Injecting malicious JavaScript libraries into a browser cache enables attackers to compromise Web sites protected by SSL...

5. Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution -- Gets around cross-site request forgery defenses and tricks victims into revealing their e-mail IDs. Using these, the attackers can reset the victims' passwords and gain access to their accounts. (Created by Lavakumar Kuppan.)

6. Universal XSS in IE8 -- Internet Explorer 8 has cross-site scripting protections that this exploit can circumvent and allow Web pages to be rendered improperly...

7. HTTP POST DoS -- HTTP POST headers are sent to the server announcing how much data is coming, and the body is then sent very slowly, tying up the server's resources...

8. JavaSnoop -- A Java agent attached to the target machine communicates with the JavaSnoop tool to test applications on the machine for security weaknesses...

9. CSS History Hack in Firefox without JavaScript for Intranet Port Scanning -- Cascading style sheets, used to define the presentation of HTML, can be used to grab browser histories as victims visit Web sites...

10. Java Applet DNS Rebinding -- A pair of Java applets direct a browser to a pair of attacker-controlled Web sites, forcing the browser to bypass its DNS cache and so making it susceptible to a DNS rebinding attack...

To read the complete descriptions of the list, including the names of the developers and researchers responsible for the techniques, see the following article by Jeff Greene of Networkworld:

Source: http://www.networkworld.com/news/2011/012411-top-web-hacking-techniques.html
