
Top 10 Website Hacking Techniques of 2014

UPDATE – 3/19, 11:00 a.m. PT: We have our Top 10 list, folks! After weeks of coordination, research, voting by the community and judging by our esteemed panelists, we are pleased to announce our Top 10 List of Website Hacking Techniques for 2014:

  1. Heartbleed
  2. ShellShock
  3. Poodle
  4. Rosetta Flash
  5. Residential Gateway “Misfortune Cookie”
  6. Hacking PayPal Accounts with 1 Click
  7. Google Two-Factor Authentication Bypass
  8. Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
  9. Facebook hosted DDOS with notes app
  10. Covert Timing Channels based on HTTP Cache Headers

Congratulations to all those that made the list! Your research contributions are admired and should be respected. And a special thanks to everyone that voted or shared feedback. Also, for anyone who would be interested in learning more about this list, Johnathan Kuskos and I will be presenting the list at RSA in San Francisco next month. Come check it out! Agree with the list? Disagree? Share your comments below.

END UPDATE

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its ninth year, the Top 10 Website Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work.

Past Top 10s and the number of new attack techniques discovered in each year: 2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51), 2012 (56) and 2013 (31).

Phase 1: Open community submissions [Jan 7-Jan 30]

Comment on this post with your submissions from now until Jan 30. The submissions will be reviewed and verified.

Phase 2: Open community voting for the final 15 [Feb 2-Feb 20]

Each verified attack technique will be added to a survey which will be linked below on Feb 2. The survey will remain open until Feb 20. Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end, all points from all ballots will be tabulated to ascertain the top 15 overall.

Click here to vote for your favorite web hacks of the year! ***CLOSED***

Phase 3: Panel of Security Experts Voting [Feb 23-Mar 19]

From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as Phase 2, the judges will rank the final 15 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2014!

Prizes [to be announced]

The winner of this year’s top 10 will receive a prize!

Ongoing List of 2014 Hacks (in no particular order)

  • Heartbleed
  • TweetDeck XSS
  • OpenSSL CVE-2014-0224
  • Rosetta Flash
  • Unauthenticated Backup and Password Disclosure In HandsomeWeb SOS Webpages (CVE-2014-3445)
  • CTA: The weaknesses in client side XSS filtering targeting Chrome’s XSS Auditor
  • Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
  • Facebook hosted DDOS with notes app
  • The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
  • Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)
  • The PayPal 2FA Bypass
  • AIR Flash RCE from PWN2OWN
  • PXSS on long length videos to DOS
  • MSIE Flash 0day targeting French aerospace
  • Linksys E420 Authentication Bypass Disclosure
  • PayPal Manager Account Hijack
  • Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID
  • How I hacked Instagram to see your private photos
  • How I hacked GitHub again
  • ShellShock
  • Poodle
  • Residential Gateway “Misfortune Cookie”
  • Recursive DNS Resolver (DOS)
  • Belkin Buffer Overflow via Web
  • Google User De-Anonymization
  • SoakSoak WordPress Malware
  • Hacking PayPal Accounts with 1 Click
  • Same Origin Bypass in Adobe Reader CVE-2014-8453
  • RevSlider
  • HikaShop Object Injection
  • Covert Timing Channels based on HTTP Cache Headers
  • Node.js Connect CSRF Bypass Abusing methodOverride Middleware
  • Bypassing NoCAPTCHA
  • Delta Boarding Pass Spoofing
  • CryptoPHP Backdoor
  • Microsoft SChannel Vulnerability
  • Google Two-Factor Authentication Bypass
  • Drupal 7 Core SQLi
  • Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
  • Reflected File Download
  • Misfortune Cookie – TR-069 ACS Vulnerabilities in residential gateway routers
  • Hostile Subdomain Takeover using Heroku/GitHub/Desk + more: Example 1 and Example 2
  • File Name Enumeration in Rails
  • FlashFlood
  • Canadian Beacon
  • setTimeout Clickjacking

Final 15 (in no particular order):

  • AIR Flash RCE from PWN2OWN
  • Belkin Buffer Overflow via Web
  • Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
  • Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
  • Heartbleed
  • Covert Timing Channels based on HTTP Cache Headers
  • Canadian Beacon
  • CryptoPHP Backdoor
  • Hacking PayPal Accounts with 1 Click
  • Google Two-Factor Authentication Bypass
  • ShellShock
  • Facebook hosted DDOS with notes app
  • Rosetta Flash
  • Poodle
  • Residential Gateway “Misfortune Cookie”

Tags: web security
  • Marco D.
    • Eila Shargh

      Great one Marco! It’s been added to the list.

  • Denis Kolegov

    “Covert Timing Channels based on HTTP Cache Headers” (http://www.slideshare.net/dnkolegov/wh102014). Presented at ZeroNights 2014 and SibeCrypt 2014.

    • Eila Shargh

      Thank you for the submission Denis. This one is fantastic! We have added it to our list.

  • http://www.websecurify.com pdp
  • http://homakov.blogspot.com homakov

    There’s no such thing as “covert redirect”; it’s hype around an old, known bug: http://homakov.blogspot.com/2014/05/covert-redirect-faq.html

    • Eila Shargh

      Great submission! We’ve added it to the list.

  • https://soroush.secproject.com/blog/ Soroush
  • http://www.sonatype.com/ Jessica Dodson

    The great thing about open source software is that there is a whole team of developers and engineers behind the source code. At the same time, without the control of one single team, vulnerabilities can get passed along or individuals can work to exploit the code. Luckily there are many members of the open source community who work effortlessly to check for security flaws (like with the list in this post), but it serves as a reminder to continuously check your code throughout your DevOps process.

  • Shadrack Celumusa

    Hello, guys. My friend’s cell phone and e-mail have been hacked. Every conversation with her husband and all e-mails are accessed somewhere. Subsequently, she would hear her colleagues at work making fun of things she shared with her husband. How can we assist in this regard?
