Thursday, January 20, 2011

Top Ten Web Hacking Techniques of 2010!

1) 'Padding Oracle' Crypto Attack (poet, Padbuster, demo, ASP.NET)
Juliano Rizzo (@julianor), Thai Duong (@thaidn)

2) Evercookie
Samy Kamkar (@samykamkar)

3) Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
Jeremiah Grossman (@jeremiahg)

4) Attacking HTTPS with Cache Injection (Bad Memories)
Elie Bursztein (@ELIE), Baptiste Gourdin (@bapt1ste), Dan Boneh

5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
Lavakumar Kuppan (@lavakumark)

6) Universal XSS in IE8 (CVE, White Paper)
Eduardo Vela (@sirdarckcat), David Lindsay (@thornmaker)

7) HTTP POST DoS
Wong Onn Chee, Tom Brennan (@brennantom)

8) JavaSnoop
Arshan Dabirsiaghi (@nahsra)
9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
Robert "RSnake" Hansen (@rsnake)

10) Java Applet DNS Rebinding
Stefano Di Paola (@WisecWisec)







The Complete List
  1. Evercookie
  2. Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
  3. Cookie Eviction
  4. Converting unimplementable Cookie-based XSS to a persistent attack
  5. phpwn: Attack on PHP sessions and random numbers
  6. NAT Pinning: Penetrating routers and firewalls from a web page (forcing router to port forward)
  7. Mapping a web browser to GPS coordinates via router XSS + Google Location Services without prompting the user
  8. XSHM Mark 2
  9. MitM DNS Rebinding SSL/TLS Wildcards and XSS
  10. Using Cookies For Selective DoS and State Detection
  11. Quick Proxy Detection
  12. Flash Camera and Mic Remember Function and XSS
  13. Improving HTTPS Side Channel Attacks
  14. Side Channel Attacks in SSL
  15. Turning XSS into Clickjacking
  16. Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
  17. CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
  18. Popup & Focus URL Hijacking
  19. Hacking Facebook with HTML5
  20. Stealing entire Auto-Complete data in Google Chrome
  21. Chrome and Safari users open to stealth HTML5 AppCache attack
  22. DNS Rebinding on Java Applets
  23. Strokejacking
  24. The curse of inverse strokejacking
  25. Re-visiting JAVA De-serialization: It can't get any simpler than this !!
  26. Fooling B64_Encode(Payload) on WAFs and filters
  27. MySQL Stacked Queries with SQL Injection...sort of
  28. A Twitter DomXss, a wrong fix and something more
  29. Get Internal Network Information with Java Applets
  30. Java DSN Rebinding + Java Same IP Policy = The Internet Mayhem
  31. Java Applet Same IP Host Access
  32. ASP.NET 'Padding Oracle' Crypto Attack
  33. Posting raw XML cross-domain
  34. Generic cross-browser cross-domain theft
  35. One vector to rule them all
  36. HTTP POST DoS
  37. Penetrating Intranets through Adobe Flex Applications
  38. No Alnum JavaScript (cheat sheet, jjencode demo)
  39. Attacking HTTPS with Cache Injection
  40. Tapjacking: owning smartphone browsers
  41. Breaking into a WPA network with a webpage
  42. XSS-Track: How to quietly track a whole website through single XSS
  43. Next Generation Clickjacking
  44. XSSing client-side dynamic HTML includes by hiding HTML inside images and more
  45. Stroke triggered XSS and StrokeJacking
  46. Internal Port Scanning via Crystal Reports
  47. Lost in Translation (ASP’s HomoXSSuality)
  48. Cross Site URL Hijacking by using Error Object in Mozilla Firefox
  49. JavaSnoop
  50. IIS5.1 Directory Authentication Bypass by using ":$I30:$Index_Allocation"
  51. Universal XSS in IE8
  52. padding oracle web attack (poet, Padbuster, demo)
  53. IIS6/ASP & file upload for fun and profit
  54. Google Chrome HTTP AUTH Dialog Spoofing through Realm Manipulation
  55. NoScript Bypass - "Reflective XSS" through Union SQL Poisoning Trick
  56. Persistent Cross Interface Attacks
  57. Port Scanning with HTML5 and JS-Recon
  58. Performing DDoS attacks with HTML5 Cross Origin Requests & WebWorkers
  59. Cracking hashes in the JavaScript cloud with Ravan
  60. Will it Blend?
  61. Stored XSS Vulnerability @ Amazon
  62. Poisoning proxy caches using Java/Flash/Web Sockets
  63. How to Conceal XSS Injection in HTML5
  64. Expanding the Attack Surface
  65. Chronofeit Phishing
  66. Non-Obvious (Crypto) Bugs by Example
  67. SQLi filter evasion cheat sheet (MySQL)
  68. Tabnabbing: A New Type of Phishing Attack
  69. UI Redressing: Attacks and Countermeasures Revisited


Source : http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html
    Posted by Amit Chaudhary at 9:50 AM
    Labels:

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)