Jeremiah Grossman put together this year’s top 10 web hacks and boy is it fun. Zeno, and I had our hands in throwing our favorites into the pot but the list turned out to be pretty similar for all of us. So although it took countless emails to get threw the few discrepancies I think we all agreed on the top 10. Here’s his list:
Internet Explorer 7 “mhtml:” Redirection Information Disclosure. If you want complete cross domain leakage for the price of using Internet Explorer this is your one stop shop. I’m really surprised this hasn’t been closed down yet. Sure there are hacks to stop it, but no one is doing them, so for all intents and purposes this hole is open and will stay that way until Microsoft issues a patch. Don’t hold your breath on that patch though. It’s been months and it’s still open.
Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning. This was something I had tried and failed to do on a number of attempts. But smarter people than I figured out ways to do it by combining tricks and by shutting down connections (never thought of that one). Very cool stuff.
Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images). I think we’ve barely scratched the surface on this one. There are many scary things that could be done here by all sorts of different people for all sorts of motives. Why wouldn’t you want to know where people had been? It’s a profiling dream!
Backdooring Media Files (QuickTime, Flash, PDF, Images, Word , and MP3′. I had a very funny conversation today with one of my readers. He basically said he’s going back to notepad. Yes, it’s that bad. And the more interesting part is - it’s getting worse by the day.
Forging HTTP request headers with Flash. I can’t tell you how many servers were affected by the Expect vulnerability but it’s in the millions and every one of them needs to be patched. This issue won’t be gone for a while yet and I think there is still a lot more to be done here.
Exponential XSS. This is the next evolution in XSS in my mind. So far we’ve stuck to horizontal XSS worms, that affect every user a little. Why not go vertical and affect every user a lot? Especially for targeted attacks this has a lot of scary potential.
Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII). I’ll be the first to admit I haven’t done nearly enough research beyond what I’ve been able to accomplish with my fuzzer. Thanks to Cheng Peng Su for opening all of our eyes to how powerful this could be for filter evasion. I just can’t wait to see what the next big issue is.
Web Worms - (AdultSpace, MySpace, Xanga). We can all say we were here when it first happened. It’s only going to get worse, folks.
Hacking RSS Feeds. Attacking rich applications that go out of the traditional boundaries of browsers is the wave of the future. As more devices and programs become web enabled you’re going to see a lot more of this stuff and a lot more newcomers in the space with mistakes of their own to make.
Can you believe all of that happened in one year? And that’s nowhere near everything. We didn’t even start talking about all the PHP stuff floating around (complete access to servers is bad - real bad) or any SQL injection stuff, etc… So love it or hate it, that’s our top 10!