
Top 10 Website Hacking Techniques of 2014

UPDATE – 3/19, 11:00 a.m. PT: We have our Top 10 list, folks! After weeks of coordination, research, voting by the community and judging by our esteemed panelists, we are pleased to announce our Top 10 List of Website Hacking Techniques for 2014:

  1. Heartbleed
  2. ShellShock
  3. Poodle
  4. Rosetta Flash
  5. Residential Gateway “Misfortune Cookie”
  6. Hacking PayPal Accounts with 1 Click
  7. Google Two-Factor Authentication Bypass
  8. Apache Struts ClassLoader Manipulation Remote Code Execution
  9. Facebook hosted DDOS with notes app
  10. Covert Timing Channels based on HTTP Cache Headers

Congratulations to all those who made the list! Your research contributions are admired and should be respected. And a special thanks to everyone who voted or shared feedback. Also, for anyone who would be interested in learning more about this list, Johnathan Kuskos and I will be presenting the list at RSA in San Francisco next month. Come check it out! Agree with the list? Disagree? Share your comments below.

END UPDATE

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attacks.

Now in its ninth year, the Top 10 Website Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top 10s and the number of new attack techniques discovered in each year: 2011 (51), 2012 (56), and 2013 (31).

Phase 1: Open community submissions [Jan 7-Jan 30]
Comment on this post with your submissions from now until Jan 30. The submissions will be reviewed and verified.

Phase 2: Open community voting for the final 15 [Feb 2-Feb 20]
Each verified attack technique will be added to a survey which will be linked below on Feb 2. The survey will remain open until Feb 20. Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end, all points from all ballots will be tabulated to ascertain the top 15 overall.

Phase 3: Panel of Security Experts Voting [Feb 23-Mar 19]
From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as Phase 2, the judges will rank the final 15 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2014!

Prizes [to be announced]
The winner of this year’s top 10 will receive a prize!

Ongoing List of 2014 Hacks (in no particular order)

  - Heartbleed
  - TweetDeck XSS
  - OpenSSL CVE-2014-0224
  - Rosetta Flash
  - Unauthenticated Backup and Password Disclosure In HandsomeWeb SOS Webpages cve-2014-3445
  - CTA: The weaknesses in client side xss filtering targeting Chrome’s XSS Auditor
  - Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
  - Facebook hosted DDOS with notes app
  - The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
  - Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)
  - The PayPal 2FA Bypass
  - AIR Flash RCE from PWN2OWN
  - PXSS on long length videos to DOS
  - MSIE Flash 0day targeting french aerospace
  - Paypal Manager Account Hijack
  - Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID
  - How I hacked GitHub again
  - Poodle
  - Residential Gateway “Misfortune Cookie”
  - Recursive DNS Resolver (DOS)
  - Belkin Buffer Overflow via Web
  - Google User De-Anonymization
  - Soaksoak WordPress Malware
  - Hacking PayPal Accounts with 1 Click
  - Same Origin Bypass in Adobe Reader CVE-2014-8453
  - RevSlider
  - HikaShop Object Injection
  - Covert Timing Channels based on HTTP Cache Headers
  - NODE.JS CONNECT CSRF BYPASS ABUSING METHODOVERRIDE MIDDLEWARE
  - Bypassing NoCAPTCHA
  - Delta Boarding Pass Spoofing
  - Cryptophp Backdoor
  - Microsoft SChannel Vulnerability
  - Google Two-Factor Authentication Bypass
  - Drupal 7 Core SQLi
  - Apache Struts ClassLoader Manipulation Remote Code Execution
  - Hostile Subdomain Takeover using Heroku/Github/Desk + more: Example 2
  - File Name Enumeration in Rails
  - FlashFlood

Finalists (in no particular order):