web application security lab

Top 10 Web Hacks of 2006

Jeremiah Grossman put together this year’s top 10 web hacks and boy is it fun. Zeno and I had our hands in throwing our favorites into the pot, but the list turned out to be pretty similar for all of us. So although it took countless emails to get through the few discrepancies, I think we all agreed on the top 10. Here’s his list:

Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model). This was really a huge breakthrough in the web app sec space. I was dying to find a way to do server sweeps in Java to circumvent Firewalls. Jeremiah took it to that next place and holy crap did it shake things up when he did. I don’t think people are going to look at their firewall the same way again.

Internet Explorer 7 “mhtml:” Redirection Information Disclosure. If you want complete cross domain leakage for the price of using Internet Explorer this is your one stop shop. I’m really surprised this hasn’t been closed down yet. Sure there are hacks to stop it, but no one is doing them, so for all intents and purposes this hole is open and will stay that way until Microsoft issues a patch. Don’t hold your breath on that patch though. It’s been months and it’s still open.

Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning. This was something I had tried and failed to do on a number of attempts. But smarter people than I figured out ways to do it by combining tricks and by shutting down connections (never thought of that one). Very cool stuff.

Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images). I think we’ve barely scratched the surface on this one. There are many scary things that could be done here by all sorts of different people for all sorts of motives. Why wouldn’t you want to know where people had been? It’s a profiling dream!

Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3). I had a very funny conversation today with one of my readers. He basically said he’s going back to notepad. Yes, it’s that bad. And the more interesting part is - it’s getting worse by the day.

Forging HTTP request headers with Flash. I can’t tell you how many servers were affected by the Expect vulnerability but it’s in the millions and every one of them needs to be patched. This issue won’t be gone for a while yet and I think there is still a lot more to be done here.

Exponential XSS. This is the next evolution in XSS in my mind. So far we’ve stuck to horizontal XSS worms, that affect every user a little. Why not go vertical and affect every user a lot? Especially for targeted attacks this has a lot of scary potential.

Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII). I’ll be the first to admit I haven’t done nearly enough research beyond what I’ve been able to accomplish with my fuzzer. Thanks to Cheng Peng Su for opening all of our eyes to how powerful this could be for filter evasion. I just can’t wait to see what the next big issue is.

Web Worms - (AdultSpace, MySpace, Xanga). We can all say we were here when it first happened. It’s only going to get worse, folks.

Hacking RSS Feeds. Attacking rich applications that go out of the traditional boundaries of browsers is the wave of the future. As more devices and programs become web enabled you’re going to see a lot more of this stuff and a lot more newcomers in the space with mistakes of their own to make.

Can you believe all of that happened in one year? And that’s nowhere near everything. We didn’t even start talking about all the PHP stuff floating around (complete access to servers is bad - real bad) or any SQL injection stuff, etc… So love it or hate it, that’s our top 10!

8 Responses to “Top 10 Web Hacks of 2006”

  1. neoeno Says:

    I hate to go on about it... but dammit, this year was not the first to see web worms! TeenOpenDiary saw many, many, before those times, some of which (in my misguided youth) I created myself.

  2. kuza55 Says:

    @neoeno

    Same can be said for the Exponential XSS stuff. The first I heard of it was when I saw the XSS Proxy stuff originally (and that was in 2005), but I’m sure it’s been around longer than that...

    But there’s some cool stuff there (especially the Anti-DNS Pinning), so does it really matter that some of the things there aren’t that new? We get a big list of everything important this year where we can see if we missed anything...

  3. DoZ Says:

    “Top 11 Web Hacks of 2006” XSS found in Sla.ckers.org!

    Pic!~ http://img92.imageshack.us/img92/5065/slackersorgvk5.png

    PS. DOS is King Of XSS

  4. RSnake Says:

    Cute, not exactly the most spectacular hack in the world given that I didn’t write the software but yes, it’s an issue. I patched the hole. Thanks for letting us know.

  5. DoZ Says:

    Patch not fixed, look here!

    http://sla.ckers.org/forum/list.php?2

  6. maluc Says:

    And to be fair DoZ, hackerscenter’s forum has an XSS hole as well, as it uses version 3.6.3 of vBulletin

    http://www.securityfocus.com/bid/21157/info

    But it’s a good find, so nice job

  7. DOZ Says:

    But that doesn’t mean to ban my IP ... unban my IP

  8. RSnake Says:

    No one banned your IP. You got yourself banned by trying to run server vulns against us. We get thousands of newbies attacking us, there’s no way to know who is who so everyone who does that gets banned automatically. It wastes our bandwidth for people to test things that don’t even work against our server. Like I said there’s no way to know which IP is yours so there’s no way to unban you without unbanning everyone.