Press Releases

WhiteHat Security Announces the Tenth Annual Top 10 Web Hacking Techniques for 2015

SANTA CLARA, Calif. – April 20, 2016 – WhiteHat Security, the only application security provider that combines the best of technology and human intelligence, today announced the Top 10 List of Web Hacking Techniques for 2015. The number one threat identified over the last year is FREAK (Factoring Attack on RSA-Export Keys), a substantial security vulnerability that left users of modern browsers open to attack when visiting millions of websites.

Now in its tenth year, the Top 10 Web Hacking Techniques takes a step back from the implications of an attack to understand how they happen. As the only list of its kind in the industry, the Top 10 provides a centralized knowledge base, captures year-to-year trends in the Web security industry and recognizes the security experts that work at the forefront of Web security research. The list is chosen by the security research community, coordinated by WhiteHat Security.

“Every year, the security community produces a stunning number of new techniques that are published in various white papers, blog posts, articles and conference presentations,” said WhiteHat Security Manager, Threat Research Center, Johnathan Kuskos, who leads this community effort. “Within these thousands of pages are the newest, most creative ways to attack websites, browsers and their mobile equivalents. We created the Top 10 Web Hacks as a way to encourage information sharing within the InfoSec community, help IT professionals stay up-to-date with the recommended fixes and recognize the researchers who contribute excellent work in uncovering vulnerabilities.”

After receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spaces:

  1. FREAK (Factoring Attack on RSA-Export Keys)
  2. LogJam
  3. Web Timing Attacks Made Practical
  4. Evading All* WAF XSS Filters
  5. Abusing CDN’s with SSRF Flash and DNS
  6. IllusoryTLS
  7. Exploiting XXE in File Parsing Functionality
  8. Abusing XLST for Practical Attacks
  9. Magic Hashes
  10. Hunting Asynchronous Vulnerabilities

In a continuation of the trend from previous years, a branded vulnerability has taken both the first and second spot. In 2014, Heartbleed, ShellShock and Poodle took the first three places. This year, the judges placed FREAK, the SSL/TLS vulnerability in the first position, citing its novelty, pervasiveness and potential for widespread abuse as the key reasons for its high ranking.

“One of the key trends from the list this year is that legacy code continues to haunt the industry and we will remain living in the age of downgrade attacks, such as FREAK, for quite some time,” added Kuskos. “Of all the hacks in 2015, it’s the web hacks that are really making the headlines. Hackers just aren’t interested in hacking an individual’s ‘My Documents’ folder these days; they know they can do far more damage by gaining access to Facebook, Gmail, Dropbox, and other web or cloud-based applications.”

For more information:

  • Read the Top 10 Web Hacks of 2015 blog.
  • Register to attend the Top 10 Web Hacks of 2015 webinar, featuring Johnathan Kuskos, on May 3 at 11:00am PT.

# # #


About WhiteHat Security

WhiteHat Security has been in the business of securing web applications for 15 years. Combining advanced technology with the expertise of its global Threat Research Center (TRC) team, WhiteHat delivers application security solutions that reduce risk, reduce cost and accelerate the deployment of secure applications and web sites. The company’s flagship product, WhiteHat Sentinel, is a software-as-a-service platform providing dynamic application security testing (DAST), static application security testing (SAST), and mobile application security assessments. The company is headquartered in Santa Clara, Calif., with regional offices across the U.S. and Europe. For more information on WhiteHat Security, please visit, and follow us on Twitter, LinkedIn and Facebook.


Leah McLean
Voce Communications for WhiteHat Security
P: (415) 308-7928
E: [email protected]