UPDATE – 4/20/2016 We have our Top 10 list folks! After a lot of coordination, research, voting by the community and judging by our esteemed panelists, we are pleased to announce our Top 10 List of Web Hacking Techniques for 2015:
- FREAK (Factoring Attack on RSA-Export Keys)
- Web Timing Attacks Made Practical
- Evading All* WAF XSS Filters
- Abusing CDNs with SSRF Flash and DNS
- Exploiting XXE in File Parsing Functionality
- Abusing XSLT for Practical Attacks
- Magic Hashes
- Hunting Asynchronous Vulnerabilities
Congratulations to the team that discovered FREAK!
The FREAK attack was discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. Further disclosure was coordinated by Matthew Green. This report is maintained by computer scientists at the University of Michigan, including Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J. Alex Halderman. The team can be contacted at [email protected].
Congratulations to all those who made the list! Your research contributions are admired and should be respected. And a special thanks to everyone who voted or shared feedback. Also, for anyone who would be interested in learning more about this list, Johnathan Kuskos will be presenting the list at AppSec Europe on June 1st. Come check it out!
You can also attend the Top Ten Web Hacks of 2015 webinar.
Agree with the list? Disagree? Share your comments below.
With 2015 coming to a close, the time has come for us to pay homage to top tier security researchers from the past year and properly acknowledge all of the hard work that has been given back to the Infosec community. We do this through a nifty yearly process known as The Top 10 Web Hacking Techniques list. Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its tenth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent research.
The vulnerabilities and hacks that make this list are chosen by the collective insight of the infosec community. We rely 100% on nominations, either your own or another researcher's, for an entry to make this list!
Phase 1: Open community submissions [Jan 11-Feb 1]
Comment on this post or email us at top10Webhacks[/at/]whitehatsec[dot]com with your submissions from now until Feb 1st. The submissions will be reviewed and verified.
Phase 2: Open community voting for the final 15 [Feb 1-Feb 8]
Each verified attack technique will be added to a survey, which will be linked below on Feb 1st. The survey will remain open until Feb 8th. Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end, all points from all ballots will be tabulated to ascertain the top 15 overall.
Phase 3: Panel of Security Experts Voting [Feb 8-Feb 15]
From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as Phase 2, the judges will rank the final 15 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2015!
Current List of 2015 Submissions (in no particular order)
– Dom Flow
– IE11 RCE
– Magic Hashes
– Formaction Scriptless attack updates
Edit 3: Nominations have now ended and voting has begun! https://www.surveymonkey.co.uk/r/RXJF3QW ***CLOSED***
Edit 2: Submissions have been extended to February 1st! Keep sending in those submissions! Currently we have 32 entries!
Edit: We will be updating this post with nominations as they are received and vetted for relevance. Please email them to Top10Webhacks[/at/]whitehatsec[dot]com.