Vulnerabilities-Web Application Security

Top Ten Web Hacking Techniques of 2012

Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivilents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack. Now it its seventh year, The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work. Past Top Tens and the number of new attack techniques discovered in each year: 2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51)    

The Top Ten

  1. CRIME (12, 3 4) by Juliano Rizzo and Thai Duong
  2. Pwning via SSRF (memcached, php-fastcgi, etc) (23, 4, 5)
  3. Chrome addon hacking (2345)
  4. Bruteforce of PHPSESSID
  5. Blended Threats and JavaScript
  6. Cross-Site Port Attacks
  7. Permanent backdooring of HTML5 client-side application
  8. CAPTCHA Re-Riding Attack
  9. XSS: Gaining access to HttpOnly Cookie in 2012
  10. Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)


Honorable Mention

11. Using WordPress as a intranet and internet port scanner 12. .Net Cross Site Scripting – Request Validation Bypassing (1) 13. Bruteforcing/Abusing search functions with no-rate checks to collect data 14. Browser Event Hijacking (23) 15. Bypassing Flash’s local-with-filesystem Sandbox Process oversight. Due to the original discovery date, January 4th, 2011, the technique should not have been included in this years list.   How the winners are selected…  

Phase 2: Panel of Security Experts [CLOSED]

Judges: Ryan BarnettRobert AugerRobert Hansen (CEO, Falling Rock NetworksDinis Cruz,  Jeff Williams (CEO, Aspect Security), Peleus UhleyRomain Gaucher (Lead Researcher, Coverity), Giorgio MaoneChris WysopalTroy HuntIvan Ristic (Director of Engineering, Qualys), and Steve Christey (MITRE).

From the result of the open community voting, the final 15 Web Hacking Techniques will be voted upon by panel of security experts. Using the exact same voting process as phase 1, the judges will rank the final twenty based of novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top Ten Web Hacking Techniques of 2012!



Phase 1: Open community voting for the final 15 [CLOSED]

Each attack technique (listed alphabetically) receives a certain amount of points depending on how highly the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end all points from all ballots will be tabulated to ascertain the top fifteen overall.

Final 15 List (In no particular order):



1) The winner of this years top ten will receive an updated Web security book library! If any really good books have been recently published and missing, please let me know. I’ll add it! Violent Python, Clickjacking und UI-Redressing,Web Application Defender’s CookbookSeven Deadliest Web Application AttacksA Bug Hunter’s DiaryThe Tangled WebThe Web Application Hacker’s HandbookWeb Application ObfuscationXSS AttacksHacking Web Apps. 2) After the open community voting process, two survey respondents will be chosen at random and given a $50 Amazon gift card.

Complete 2012 List