During a WhiteHat Security webinar about the Top 10 Web Hacking Techniques of 2012, Jeremiah Grossman and Matt Johansen discussed "the latest and most insidious Web-based attacks."

As you probably know, Grossman has been listing the Top Ten Hacks since 2006, focusing on new and creative web attacks. The number and complexity of attacks increase every year. WhiteHat Security posted the newest list of the most dangerous hacking techniques at the end of last year, but today, during a WhiteHat Security webinar about the Top 10 Web Hacks of 2012, Jeremiah Grossman, Founder and CTO of WhiteHat Security, and Matt Johansen discussed "the latest and most insidious Web-based attacks."

[Embedded slides: Top 10 Web Hacks 2012 from Matt Johansen]

While listening to the webinar, what struck me the most was how often an old attack method is honed into something even more "deadly." In other cases, the new twist in a vulnerability is meant to abuse some new "functionality." For example, cross-site scripting vulnerabilities have been exploited since the 1990s, yet "new" XSS attack methods were among the most dangerous web attacks in 2012. Sometimes an attack is based on previous research and then turned into a killer attack tool. Other times, there is new research stemming from an old vulnerability, which is then aimed at a next-generation technology like HTML5.

Take #5, Blended Threats and JavaScript, as an example of an attack that takes advantage of outdated security in a router. Millions of routers in Brazil were "victimized," and the worst part might be that the attacker uses malicious code that forces the user's own browser to attack and flash his or her own router, resulting in a "permanent" compromise. Basically, anyone with a browser was a potential victim. During the webinar, they said that this attack was so easy that you could teach your grandma to do it. In case you are curious, one of the best ways to protect yourself is to change the default router password.
Chrome add-on hacking was interesting and really snagged my attention when slide 60 featured "Feedly," since Google is killing Reader and I'm playing around with Feedly and a few others. Grossman and Johansen warned you to beware of any app that has "access to your data on all websites." We know that, yet the desperate hunt for a decent RSS reader could allow someone to overlook it.

WhiteHat Security also pointed out that Juliano Rizzo and Thai Duong were listed as the #1 Top Web Hacking Technique for the third year in a row, making them three-peaters. In 2012, they "won" with CRIME. In 2011, they created and won the top spot with the BEAST attack, to which 75% of websites were still vulnerable as of April 2012. Even sadder, almost a year later in 2013, 65.7% of sites are still vulnerable, according to SSL Pulse. In 2010, the dynamic duo won with their "Padding Oracle Crypto Attack." Ironically, the more things change, the more they stay the same, since that attack was first published in 2002. In 2013, there is a "new" variant via the "Lucky Thirteen attack."

Is this a security awareness, or lack thereof, issue? Bruce Schneier recently wrote about how security awareness training isn't the answer, which in turn sparked another article that stated, "arguments against security awareness are short-sighted."

If you didn't previously check out WhiteHat Security's top 10 hacks, I encourage you to take the time to look at the presentation slides, which suggest some ways in which you can protect yourself. The web hacks cost organizations millions upon millions every year, yet sometimes it's simply a matter of taking the time to patch an old hole or change a default password. The audio version should be available tomorrow. You should also read the Top 10 Web Hacking Techniques for 2012 on WhiteHat Security with all the links so you can study them in depth. However, the following were the best of the worst and most dangerous new web-based attacks.
1. CRIME by Juliano Rizzo and Thai Duong
2. Pwning via SSRF (memcached, php-fastcgi, etc.)
3. Chrome addon hacking
4. Bruteforce of PHPSESSID
5. Blended Threats and JavaScript
6. Cross-Site Port Attacks
7. Permanent backdooring of HTML5 client-side application
8. CAPTCHA Re-Riding Attack
9. XSS: Gaining access to HttpOnly Cookie in 2012
10. Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)

Lastly, with the 300 Gbps DDoS attacks that are causing congestion and a general slowness in the Intertubes, if you have no idea what to do if your site is attacked, WhiteHat Security's Robert Hansen created a DDoS Runbook to help you prepare and have a game plan for if and when you get hit.