Top Ten Web Hacking Techniques of 2010
Jeremiah Grossman, Founder & Chief Technology Officer
© 2011 WhiteHat Security, Inc.

Jeremiah Grossman
• WhiteHat Security Founder & CTO
• Technology R&D and industry evangelist
• InfoWorld's CTO Top 25 for 2007
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer

400+ enterprise customers
• Start-ups to Fortune 500
Flagship offering: "WhiteHat Sentinel Service"
• 1000's of assessments performed annually
Recognized leader in website security
• Quoted thousands of times by the mainstream press

About the Top Ten
"Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we're talking about brand new and creative methods of Web-based attack."

New Techniques (year, number of techniques published that year, and that year's #1)
2009 (80): Creating a rogue CA certificate
2008 (70): GIFAR (GIF + JAR)
2007 (83): XSS Vulnerabilities in Common Shockwave Flash Files
2006 (65): Web Browser Intranet Hacking / Port Scanning

2010: 69 new techniques
1) 'Padding Oracle' Crypto Attack
2) Evercookie
3) Hacking Auto-Complete
4) Attacking HTTPS with Cache Injection
5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
6) Universal XSS in IE8
7) HTTP POST DoS
8) JavaSnoop
9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
10) Java Applet DNS Rebinding
http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html

5) Bypassing CSRF with Clickjacking and HTTP Parameter Pollution
Clickjacking is when an attacker invisibly hovers an object (button, link, etc.) below a user's mouse. When the user clicks on something they visually see, they are really clicking on something the attacker wanted them to.
HTTP Parameter Pollution is where an attacker submits multiple input parameters (query string, POST data, cookies, etc.) with the same name. On receipt, applications may react in unexpected ways and open up avenues of server-side and client-side exploitation.
By cleverly combining these two former Top Ten attacks, CSRF attacks can be carried out against a user even when the recommended token defenses are in use.
Lavakumar Kuppan (@lavakumark)
http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html

Clickjacking (Top Ten 2009)
Think of any button (image, link, form, etc.) on any website that can appear inside the browser window. This includes wire transfer on banks, DSL router buttons, Digg buttons, CPC advertising banners, the Netflix queue. Next consider that an attacker can invisibly hover these buttons below the user's mouse, so that when a user clicks on something they visually see, they're actually clicking on something the attacker wants them to. What could the bad guy do with that ability?

Hover Invisible IFRAMEs
HTML, CSS, and JavaScript may size, follow the mouse, and make transparent third-party IFRAME content.

<iframe src="http://victim/page.html" scrolling="no" frameborder="0"
        style="opacity:.1; filter:alpha(opacity=10); -moz-opacity:.1;">
</iframe>

The slide uses 10% opacity so the demo stays visible; the legacy IE filter takes a 0-100 scale, so alpha(opacity=10) is the equivalent of opacity:.1. In a live attack all three values are set to 0, and the IFRAME is sized to the target button and repositioned on every mouse move.
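The HTTP Parameter Pollution half of technique #5 rests on the fact that different server stacks resolve a repeated parameter name differently. The following is an added example, not code from the slides or from Lavakumar Kuppan's write-up: it resolves one query string under the three common policies (first occurrence, as in the Java Servlet API; last occurrence, as in PHP; comma-joined, as in ASP.NET), adds a detection check for duplicated names, and models a constructed two-layer scenario in which a guard that validates the anti-CSRF token and the payee reads parameters with one policy while the application behind it reads them with another. The transfer form, the `token`/`to`/`amount` names and the sample request are all constructed; how the attacker gets a genuine token submitted is the clickjacking half and is not modelled here.

```javascript
// Added example (not from the slides): duplicate-parameter policies and a
// constructed guard/application mismatch. Policy attributions: first
// occurrence = Java Servlet getParameter, last = PHP, comma-joined = ASP.NET.

const POLICIES = {
  first: (values) => values[0],
  last: (values) => values[values.length - 1],
  concat: (values) => values.join(','),
};

// Parse a query string into name -> [every value, in order], so nothing is
// lost. '+' is left as-is; form-encoding details are not the point here.
function parseQueryAll(qs) {
  const out = new Map();
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1));
    if (!out.has(name)) out.set(name, []);
    out.get(name).push(value);
  }
  return out;
}

// Collapse to one value per name the way the named stack would.
function resolveParams(qs, policy) {
  const pick = POLICIES[policy];
  if (!pick) throw new Error(`unknown policy ${policy}`);
  const params = {};
  for (const [name, values] of parseQueryAll(qs)) params[name] = pick(values);
  return params;
}

// Detection: names that occur more than once. A request that trips this is
// either a client bug or an HPP attempt and is worth logging or rejecting.
function duplicateParams(qs) {
  return [...parseQueryAll(qs)].filter(([, v]) => v.length > 1).map(([n]) => n);
}

// Constructed scenario: a guard in front of the app checks the anti-CSRF
// token and that the payee is one the user has approved, reading parameters
// with guardPolicy; the app then executes the transfer reading them with
// appPolicy. The two layers only agree when the policies match.
function transferRequest(qs, guardPolicy, appPolicy, validToken, approvedPayees) {
  const seen = resolveParams(qs, guardPolicy);
  if (seen.token !== validToken) return { allowed: false, reason: 'bad token' };
  if (!approvedPayees.includes(seen.to)) {
    return { allowed: false, reason: 'payee not approved' };
  }
  const exec = resolveParams(qs, appPolicy);
  return { allowed: true, to: exec.to, amount: exec.amount };
}

function demo() {
  // Constructed request: "to" appears twice, token assumed genuine.
  const qs = '?token=t0k3n&to=alice&amount=10&to=mallory';
  return {
    duplicates: duplicateParams(qs),
    perPolicy: {
      first: resolveParams(qs, 'first').to,
      last: resolveParams(qs, 'last').to,
      concat: resolveParams(qs, 'concat').to,
    },
    // guard sees "alice" (first), app pays "mallory" (last)
    mismatched: transferRequest(qs, 'first', 'last', 't0k3n', ['alice']),
    // same policy on both layers: the guard sees "mallory" and refuses
    consistent: transferRequest(qs, 'last', 'last', 't0k3n', ['alice']),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The practical rule this illustrates: every layer that makes a security decision on a parameter (WAF, framework filter, application) must resolve duplicates identically, and the cheapest defence is to reject any request in which `duplicateParams` is non-empty for a security-relevant name.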
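The "hover invisible IFRAMEs" slide describes sizing, moving and fading the frame; the geometry is the part the slide leaves implicit. The block below is an added example, not code from the slides: `overlayPosition` computes where to place the IFRAME so that a chosen element inside the framed page sits centred under the cursor, `overlayStyle` builds the matching inline style (opacity 0 for a real attack, the slide's 0.1 for a visible demo), a short browser-only glue keeps the frame on the mouse, and `framingAllowed` is the check a tester runs first: whether the target's `X-Frame-Options` or `Content-Security-Policy: frame-ancestors` headers permit framing at all. The target rectangle, origins and headers are constructed values; the CSP matcher handles only exact origins, `'self'`, `'none'` and `*`, not scheme or host wildcards.

```javascript
// Added example (not from the slides): the geometry of an invisible overlay
// IFRAME and a check of whether a response may be framed. Pixel values,
// origins and header sets below are constructed.

// Where to place an IFRAME (with no border or scrollbars) so that a target
// element inside the framed page is centred under the cursor. Coordinates
// are CSS pixels of the attacker page; targetRect is the element's offset
// within the framed document, measured ahead of time on a copy of the page.
function overlayPosition(mouse, targetRect) {
  return {
    left: Math.round(mouse.x - (targetRect.left + targetRect.width / 2)),
    top: Math.round(mouse.y - (targetRect.top + targetRect.height / 2)),
  };
}

// Inline style for the overlay. opacity 0 is what an attack uses; the
// slide's .1 keeps a demo visible. filter:alpha() is the legacy IE form
// and takes a 0-100 scale.
function overlayStyle(pos, opacity) {
  return [
    'position:absolute',
    `left:${pos.left}px`,
    `top:${pos.top}px`,
    `opacity:${opacity}`,
    `filter:alpha(opacity=${Math.round(opacity * 100)})`,
  ].join(';');
}

// Can embedderOrigin frame a response carrying these headers (framedOrigin is
// the origin that served it)? CSP frame-ancestors takes precedence over
// X-Frame-Options in browsers that support it; a missing policy means any
// page may frame the response. Header names are matched case-insensitively.
function framingAllowed(headers, embedderOrigin, framedOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const embedder = embedderOrigin.toLowerCase();
  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return false;
      if (sources.includes('*')) return true;
      if (sources.includes('self') && embedder === framedOrigin.toLowerCase()) return true;
      return sources.includes(embedder);       // exact-origin match only
    }
  }
  const xfo = get('x-frame-options');
  if (!xfo) return true;
  const parts = xfo.trim().split(/\s+/);
  const value = parts[0].toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return embedder === framedOrigin.toLowerCase();
  if (value === 'ALLOW-FROM') {            // obsolete, but still seen in the wild
    return (parts[1] || '').toLowerCase().replace(/\/$/, '') === embedder;
  }
  return true;                             // unrecognised value: browsers ignore it
}

// Constructed target: a 100x30 button 20px from the left, 50px from the top
// of the framed page.
const TARGET_RECT = { left: 20, top: 50, width: 100, height: 30 };

// Browser-only glue (skipped under node): keep the overlay centred on the
// cursor as it moves, so the next click lands on the framed button.
if (typeof document !== 'undefined') {
  const frame = document.querySelector('iframe');
  document.addEventListener('mousemove', (e) => {
    const pos = overlayPosition({ x: e.pageX, y: e.pageY }, TARGET_RECT);
    frame.setAttribute('style', overlayStyle(pos, 0));
  });
}
```

Running `framingAllowed` against the real response headers of a candidate page is the first step of a clickjacking assessment; if it returns false for every origin but the target's own, the overlay trick in this slide cannot be mounted from an attacker-controlled page.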
Description: