
Top 10 Web Hacking Techniques 2013

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its eighth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top 10s and the number of new attack techniques discovered in each year:

2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51) and 2012 (56).

Phase 1: Open community voting for the final 15 [Jan 23-Feb 3]

Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end all points from all ballots will be tabulated to ascertain the top 15 overall. Comment with your vote!

Phase 2: Panel of Security Experts Voting [Feb 4-Feb 11]

From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as phase 1, the judges will rank the final 20 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2013!

Complete 2013 List (in no particular order):

  1. Tor Hidden-Service Passive De-Cloaking
  2. Top 3 Proxy Issues That No One Ever Told You
  3. Gravatar Email Enumeration in JavaScript
  4. Pixel Perfect Timing Attacks with HTML5
  5. Million Browser Botnet Video Briefing (Slideshare)
  6. Auto-Complete Hack by Hiding Filled in Input Fields with CSS
  7. Site Plagiarizes Blog Posts, Then Files DMCA Takedown on Originals
  8. The Case of the Unconventional CSRF Attack in Firefox
  9. Ruby on Rails Session Termination Design Flaw
  10. HTML5 Hard Disk Filler™ API
  11. Aaron Patterson – Serialized YAML Remote Code Execution
  12. Fireeye – Arbitrary reading and writing of the JVM process
  13. Timothy Morgan – What You Didn’t Know About XML External Entity Attacks
  14. Angelo Prado, Neal Harris, Yoel Gluck – BREACH
  15. James Bennett – Django DOS
  16. Phil Purviance – Don’t Use Linksys Routers
  17. Mario Heiderich – Mutation XSS
  18. Timur Yunusov and Alexey Osipov – XML Out of Band Data Retrieval
  19. Carlos Munoz – Bypassing Internet Explorer’s Anti-XSS Filter
  20. Zach Cutlip – Remote Code Execution in Netgear routers
  21. Cody Collier – Exposing Verizon Wireless SMS History
  22. Compromising an unreachable Solr Server
  23. Finding Weak Rails Security Tokens
  24. Ashar Javed – Attack against Facebook’s password reset process
  25. Father/Daughter Team Finds Valuable Facebook Bug
  26. Hacker scans the internet
  27. Eradicating DNS Rebinding with the Extended Same-Origin Policy
  28. Large Scale Detection of DOM based XSS
  29. Struts 2 OGNL Double Evaluation RCE
  30. Lucky 13 Attack
  31. Weaknesses in RC4

Leave a comment if you know of some techniques that we’ve missed, and we’ll add them in up until the submission deadline.

Final 15 (in no particular order):

  1. Million Browser Botnet Video Briefing (Slideshare)
  2. Timur Yunusov and Alexey Osipov – XML Out of Band Data Retrieval
  3. Hacker scans the internet
  4. HTML5 Hard Disk Filler™ API
  5. Eradicating DNS Rebinding with the Extended Same-Origin Policy
  6. Aaron Patterson – Serialized YAML Remote Code Execution
  7. Mario Heiderich – Mutation XSS
  8. Timothy Morgan – What You Didn’t Know About XML External Entity Attacks
  9. Tor Hidden-Service Passive De-Cloaking
  10. Auto-Complete Hack by Hiding Filled in Input Fields with CSS
  11. Pixel Perfect Timing Attacks with HTML5
  12. Large Scale Detection of DOM based XSS
  13. Angelo Prado, Neal Harris, Yoel Gluck – BREACH
  14. Weaknesses in RC4
  15. Lucky 13 Attack

Prizes [to be announced]

  1. The winner of this year’s top 10 will receive a prize!
  2. After the open community voting process, two survey respondents will be chosen at random to receive a prize.

The Top 10

  1. Mario Heiderich – Mutation XSS
  2. Angelo Prado, Neal Harris, Yoel Gluck – BREACH
  3. Pixel Perfect Timing Attacks with HTML5
  4. Lucky 13 Attack
  5. Weaknesses in RC4
  6. Timur Yunusov and Alexey Osipov – XML Out of Band Data Retrieval
  7. Million Browser Botnet Video Briefing (Slideshare)
  8. Large Scale Detection of DOM based XSS
  9. Tor Hidden-Service Passive De-Cloaking
  10. HTML5 Hard Disk Filler™ API

Honorable Mention

  1. Aaron Patterson – Serialized YAML Remote Code Execution
Tags: web security

  • https://twitter.com/soaj1664ashar Ashar Javed

    Hi!

    “Trusted Friend Attack: Guardian Angels Strike”

    http://slid.es/mscasharjaved/trusted-friend-attack

    Presented at HITB Kuala Lumpur, Malaysia 2013 & DeepSec Vienna, Austria 2013.

    • Maurina Venturelli

      Hi Ashar,

      Thank you for your submission. We’ve added it to the list.

      Best,
      !M

  • http://secproject.com Soroush

    Compromising an unreachable Solr server with CVE-2013-6397

    http://www.agarri.fr/blog/

  • http://secproject.com Soroush

    What You Didn’t Know About XML External Entities Attacks – Timothy Morgan

    http://www.youtube.com/watch?v=eHSNT8vWLfc

  • http://secproject.com Soroush
    • Maurina Venturelli

      Hi Soroush,

      Thank you for all the additions! They’ve been added.

      Best,
      !M

  • http://www.skeletonscribe.net James Kettle

    I’ll shamelessly submit ‘Practical HTTP Host Header Attacks’; http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html (password reset poisoning / cache poisoning)

    • Maurina Venturelli

      Thank you. We’ve added it to the list.

      Best,
      !M

      • http://MaverickBlogging.com G. S. McNamara

        Happy to see Ruby on Rails Session Termination Design Flaw made the list!

  • James Landis

    When was the original research for the Firefox lack of simultaneous connection limit for ftp:// protocol published (part of Million Browser Botnet talk)? It might be worth including that independently, if the BlackHat talk wasn’t the first time this was published and it was released in 2013.

  • https://sites.google.com/site/tentacoloviola/abusing-browsers-gui Rosario Valotta
  • http://www.ptsecurity.com tyunusov

  • http://gursevkalra.blogspot.com gursev
  • http://www.ey.com Alex Mor
  • Gagan Jaswal

    I’d like to submit #3 “Auto-Complete hack” http://bit.ly/1jIRmlZ

    Thanks!

    • Maurina Venturelli

      Thank you for your submission, Gagan.

  • http://www.aureliendebord.com/ Référencement strasbourg

    Very interesting list ! Best wishes for 2014 🙂

  • Foo

    DNS-Rebinding via the HTML5 Offline Cache:

    http://bit.ly/1huLM4N

    Automatic Generation of DOM-based XSS Exploits:

    http://bit.ly/1eGp4Sr

  • CCooper

    #9 Ruby on Rails Session Termination Design Flaw

  • A Mashkour

    I vote for

    #9-Ruby on Rails Session Termination Design Flaw

  • Imran Latif

    I vote for #24: Ashar Javad Attack against Facebook’s password reset process.

  • http://secproject.com Soroush

    Hi, two of my reported items (about Flash security) are still missing from your list (others have already been added).

    By the way, I thought this is a list for “number of new Web hacking techniques” – not just list of bug bounties/functional issues and other already known techniques. Do you want us to send you the already known techniques that have been used to exploit different applications this year then (there are several items like this currently in the list)? This will make this list longer but decrease the quality…

  • Pablo Rebeiro

    I vote for Pedro!

  • https://twitter.com/soaj1664ashar Ashar Javed

    I vote for the following:

    1) #24 i.e., Trusted Friend Attack.

    2) #4 i.e., Pixel Perfect Timing Attacks with HTML5

    3) #6 i.e., Auto-Complete Hack by Hiding Filled in Input Fields with CSS

  • athar

    I vote for the following:

    1) #24 i.e., Trusted Friend Attack.

  • Saif

    I vote for #24

  • http://code-disaster.blogspot.com.es Ricardo
  • Anonymous

    Hey Whitehatsec,

    What was the prize given out this year? And what were the prizes given out previous years?
