
Top 10 Website Hacking Techniques of 2014

UPDATE – 3/19, 11:00 a.m. PT: We have our Top 10 list, folks! After weeks of coordination, research, voting by the community and judging by our esteemed panelists, we are pleased to announce our Top 10 List of Website Hacking Techniques for 2014:

  1. Heartbleed
  2. ShellShock
  3. Poodle
  4. Rosetta Flash
  5. Residential Gateway “Misfortune Cookie”
  6. Hacking PayPal Accounts with 1 Click
  7. Google Two-Factor Authentication Bypass
  8. Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
  9. Facebook hosted DDOS with notes app
  10. Covert Timing Channels based on HTTP Cache Headers

Congratulations to all those that made the list! Your research contributions are admired and should be respected. And a special thanks to everyone that voted or shared feedback. Also, for anyone that would be interested in learning more about this list, Johnathan Kuskos and I will be presenting the list at RSA in San Francisco next month. Come check it out! Agree with the list? Disagree? Share your comments below.

END UPDATE

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack.

Now in its ninth year, the Top 10 Website Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top 10s and the number of new attack techniques discovered in each year: 2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51), 2012 (56) and 2013 (31).

Phase 1: Open community submissions [Jan 7-Jan 30]

Comment on this post with your submissions from now until Jan 30. The submissions will be reviewed and verified.

Phase 2: Open community voting for the final 15 [Feb 2-Feb 20]

Each verified attack technique will be added to a survey which will be linked below on Feb 2. The survey will remain open until Feb 20. Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end all points from all ballots will be tabulated to ascertain the top 15 overall.

Click here to vote for your favorite web hacks of the year! ***CLOSED***

Phase 3: Panel of Security Experts Voting [Feb 23-Mar 19]

From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as Phase 2, the judges will rank the final 15 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2014!

Prizes [to be announced]

The winner of this year’s top 10 will receive a prize!

Ongoing List of 2014 Hacks (in no particular order)

  • Heartbleed
  • TweetDeck XSS
  • OpenSSL CVE-2014-0224
  • Rosetta Flash
  • Unauthenticated Backup and Password Disclosure In HandsomeWeb SOS Webpages cve-2014-3445
  • CTA: The weaknesses in client side xss filtering targeting Chrome’s XSS Auditor
  • Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
  • Facebook hosted DDOS with notes app
  • The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
  • Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)
  • The PayPal 2FA Bypass
  • AIR Flash RCE from PWN2OWN
  • PXSS on long length videos to DOS
  • MSIE Flash 0day targeting french aerospace
  • Linksys E420 Authentication Bypass Disclosure
  • Paypal Manager Account Hijack
  • Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID
  • How I hacked Instagram to see your private photos
  • How I hacked GitHub again
  • ShellShock
  • Poodle
  • Residential Gateway “Misfortune Cookie”
  • Recursive DNS Resolver (DOS)
  • Belkin Buffer Overflow via Web
  • Google User De-Anonymization
  • Soaksoak WordPress Malware
  • Hacking PayPal Accounts with 1 Click
  • Same Origin Bypass in Adobe Reader CVE-2014-8453
  • RevSlider
  • HikaShop Object Injection
  • Covert Timing Channels based on HTTP Cache Headers
  • NODE.JS CONNECT CSRF BYPASS ABUSING METHODOVERRIDE MIDDLEWARE
  • Bypassing NoCAPTCHA
  • Delta Boarding Pass Spoofing
  • Cryptophp Backdoor
  • Microsoft SChannel Vulnerability
  • Google Two-Factor Authentication Bypass
  • Drupal 7 Core SQLi
  • Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
  • Reflected File Download
  • Misfortune Cookie – TR-069 ACS Vulnerabilities in residential gateway routers
  • Hostile Subdomain Takeover using Heroku/Github/Desk + more: Example 1 and Example 2
  • File Name Enumeration in Rails
  • FlashFlood
  • Canadian Beacon
  • setTimeout Clickjacking

Click here to vote for your favorite web hacks of the year! ***CLOSED***

Final 15 (in no particular order):

  • AIR Flash RCE from PWN2OWN
  • Belkin Buffer Overflow via Web
  • Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
  • Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
  • Heartbleed
  • Covert Timing Channels based on HTTP Cache Headers
  • Canadian Beacon
  • Cryptophp Backdoor
  • Hacking PayPal Accounts with 1 Click
  • Google Two-Factor Authentication Bypass
  • ShellShock
  • Facebook hosted DDOS with notes app
  • Rosetta Flash
  • Poodle
  • Residential Gateway “Misfortune Cookie”

Tags: web security

  • Marco D.
    • Eila Shargh

      Great one Marco! It’s been added to the list.

  • Denis Kolegov

    “Covert Timing Channels based on HTTP Cache Headers” (presented at ZeroNights 2014 and SibeCrypt 2014).

    • Eila Shargh

      Thank you for the submission Denis. This one is fantastic! We have added it to our list.

  • pdp
  • homakov

    There’s no such thing as “covert redirect”; it’s hype around an old, known bug.

    • Eila Shargh

      Great submission! We’ve added it to the list.

  • Soroush
  • Soroush
  • Jessica Dodson

    The great thing about open source software is that there is a whole team of developers and engineers behind the source code. At the same time, without the control of one single team, vulnerabilities can get passed along or individuals can work to exploit the code. Luckily there are many members of the open source community who work effortlessly to check for security flaws (like with the list in this post), but it serves as a reminder to continuously check your code throughout your DevOps process.

  • Shadrack Celumusa

    Hello guys. My friend’s cell phone and e-mail have been hacked. Every conversation with her husband and all e-mails are accessed somewhere. Subsequently, she would hear her colleagues at work making fun of things she shared with her husband. How can we assist in this regard?
