Top 10 Web Hacking Techniques Used by the Hackers

web-hacking-technique

The most influential research on vulnerabilities and exploits, as voted on by the security community.

#1 FREAK
Freak
SSL/TLS Vulnerability that would allow attackers to intercept HTTPS connections and force them to use weakened encryption.
Researchers: Karthikeyan Bhargavan at INRIA in Paris and the miTLS team
Further details on the research: https://freakattack.com

#2 Logjam
Logjam

Another TLS vulnerability that allows man-in-the-middle attacks by downgrading vulnerable TLS connections to 512-bit encryption.
Researchers: David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann
Additional information: https://weakdh.org

#3 Web Timing Attacks Made Practical


Web Timing Attacks Made Practical
Black Hat talk on how to tweak timing side-channel attacks to make it easier to perform remote timing attacks against modern web apps.
Researchers: Timothy Morgan and Jason Morgan
Video: https://www.youtube.com/watch?v=KirTCSAvt9M

#4 Evading All* WAF XSS Filters

Evading All* WAF XSS Filters
Research that shows how it is possible to evade cross-site scripting filters of all popular web-application firewalls.
Researcher: Mazin Ahmed
Additional information: http://blog.mazinahmed.net/2015/09/evading-all-web-application-firewalls.html

#5 Abusing CDN’s with SSRF Flash and DNS

Abusing CDN’s with SSRF Flash and DNS
Research highlighted at Black Hat looking at a collection of attack patterns that can be used against content delivery networks to target a wide range of high availability websites.
Researchers: Mike Brooks and Matt Bryant
Video: https://www.youtube.com/watch?v=ekUQIVUzDX4

#6 IllusoryTLS

IllusoryTLS

An attack pattern that can wreck the security assurances of X.509 PKI security architecture by employing CA certificates that include a secretly embedded backdoor.
Researcher: Alfonso De Gregorio
Additional information: http://www.illusorytls.com

#7 Exploiting XXE in File Parsing Functionality

Exploiting XXE in File Parsing Functionality

A Black Hat talk examining methods in exploiting XML Entity vulnerabilities in file parsing/upload functionality for XML-supported file formats such as DOCX, XSLX and PDF.
Researcher: Will Vandevanter
Video: https://www.youtube.com/watch?v=ouBwRZJHmmo

#8 Abusing XLST for Practical Attacks

Abusing XLST for Practical Attacks

Research and proof-of-concept attacks highlighted at Black Hat that show how XSLT can be leveraged to undermine the integrity and confidentiality of user information.
Researcher: Fernando Arnaboldi
Video: https://www.youtube.com/watch?v=bUcd-yibTCE

#9 Magic Hashes


Looks into a weakness in the way PHP handles hashed strings in certain instances to make it possible to compromise authentication systems and other functions that use hash comparisons in PHP.
Researchers: Robert Hansen and Jeremi M. Gosney
Additional information: https://www.whitehatsec.com/blog/magic-hashes/

#10 Hunting Asynchronous Vulnerabilities


Research presented at 44CON delves into how to use exploit-induced callback methods to find vulnerabilities hiding in backend functions and background threads.
Researcher: James Kettle
Video: https://vimeo.com/ondemand/44conlondon2015

No comments:

Powered by Blogger.