
[WEB SECURITY] Top Ten Web Hacking Techniques of 2008 (Official)



blogged:
http://jeremiahgrossman.blogspot.com/2009/02/top-ten-web-hacking-techniques-of-2008.html

We searched far and wide collecting as many Web Hacking Techniques published in 2008 as possible -- ~70 in all. These new and innovative techniques were analyzed and ranked based upon their novelty, impact, and pervasiveness. The 2008 competition was exceptionally fierce and our panel of judges (Rich Mogull, Chris Hoff, H D Moore, and Jeff Forristal) had their work cut out for them. For any researcher, or "breaker" if you prefer, simply the act of creating something unique enough to appear on the list is no small feat. That much should be considered an achievement. In the end, ten Web hacking techniques rose head and shoulders above the rest.

Supreme honors go to Billy Rios, Nathan McFeters, Rob Carter, and John Heasman for GIFAR! The judges were convinced their work stood out amongst the field. Beyond industry recognition, they also will receive the free pass to Black Hat USA 2009 (generously sponsored by Black Hat)! Now they have to fight over it. ;)

Congratulations to all!

Coming up at SnowFROC AppSec 2009 and RSA Conference 2009 it will be my great privilege to highlight the results. Each of the top ten techniques will be described in technical detail for how they work, what they can do, who they affect, and how best to defend against them. The opportunity provides a chance to get a closer look at the new attacks that could be used against us in the future -- some of which already have.


Top Ten Web Hacking Techniques of 2008!

1. GIFAR
(Billy Rios, Nathan McFeters, Rob Carter, and John Heasman)

2. Breaking Google Gears' Cross-Origin Communication Model
(Yair Amit)

3. Safari Carpet Bomb
(Nitesh Dhanjani)

4. Clickjacking / Videojacking
(Jeremiah Grossman and Robert Hansen)

5. A Different Opera
(Stefano Di Paola)

6. Abusing HTML 5 Structured Client-side Storage
(Alberto Trivero)

7. Cross-domain leaks of site logins via Authenticated CSS
(Chris Evans)

8. Tunneling TCP over HTTP over SQL Injection
(Glenn Wilkinson, Marco Slaviero and Haroon Meer)

9. ActiveX Repurposing
(Haroon Meer)

10. Flash Parameter Injection
(Yuval Baror, Ayal Yogev, and Adi Sharabani)



Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



Brought to you by http://www.webappsec.org