Submit Your Top Web Hacking Techniques for 2008
Fri, 30 Jan 2009 00:03:06 GMT
Jeremiah is calling all security researchers and hobbyists to submit their favorite Web hacking techniques released during 2008. There are some nice perks too. I say "Sure!".
Although I don't like the fact that there are judges appointed to select which one is the best one. "Where did the democracy go?" With all the vastly expressive, social technologies that we have today, we are still stuck with juries.
In a similar fashion, "The Pwnie Awards" lacks any reality, imho. The process is meant to be open but the organizers failed to show that this is actually the case. Instead, it looks like the awards are selected by a few, meant for a few, and understood by less. Brilliant quality research, events and news are totally missed because they don't fit into someone's perception of reality. No offense to the organizers, but this is really how it looks like from far.
We've got some of our research in Jeremiah's original list. I recommended a few more entries to be included and they were. In no particular order, here is the full list of all our entries:
- Frame Injection Fun
- Cross-site File Upload Attacks
- JavaScript Global Namespace Pollution
- Local DoS on CUPS to a remote exploit via specially-crafted webpage
- Navigation Hijacking (Frame/Tab Injection Attacks)
- UPnP Hacking via Flash
- Total surveillance made easy with VoIP phone
- Social Networks Evil Twin Attacks
The things that were not added are:
- Router Hacking Challenge (one of the biggest hacker challenges done so far and all of it is web stuff)
- Call Jacking: Phreaking the BT Home Hub (really cool web hack)
- The Pownce Worm (just another worm)
So there you have it!
Archived Comments
jeremiahI'd preferred to have an open voting system decide the eventual outcome, if fact, this is what I did the last time. However, when doing this in the midst of a bunch of Web hackers, its a bit easier said than done. :) What if we used a public voting system create a short list and let the judges order the final 10. Or, perhaps the other way around?
I don't know J :) Saying this is like saying that there is no point of securing Web Application as they will get hacked eventually. I think that it can be done and it can be made secure too. Here is something that wont be easy to trick.
Recaptcha + Email Verification = Vote you should be able to trust!
If you - of all people - can't secure a webapp, Jeremiah, how can you expect anyone else to?
(no offence)
sometimes security experts are just keen on not taking the risk so that they can have clean names :) although we all know that people make mistakes, regardless how good they are. it is a proven fact.
There were a couple of factors that went into my decision for this year. And remember, last year I did an open vote system via survey monkey.
1) Ballot stuffing last year was a real problem. My decision had nothing to do with the "security" of a site, but a lot more to do with the amount of workload involved.
2) While we got results last year I felt were representative of the communities vote, myself and several others did not feel it was accurate. At least a couple very powerful attacks were left off the list and should have easily overtaken others.
So for this year I felt it would be better to leave it to a solid panel of experts that could fully investigate the merits of the attacks to come up with a better list. Will it be perfect? No, of course not, impossible to make everyone happy. Will it be better than last year? Yes, that is my hope.
J,
why didn't you form an internal group/mail list of experts, 30-50 people, to form the list of web hacking techniques and decide between each other which one is the best? that way, the whole thing will be consistent from start.
Is that a subtle way of saying you want on the judges panel? ;) I would have asked you actually, but you were in the running for the top ten. Needed to limit bias. Would have also been the case for the "30-50" others likely. That's why no RSnake and a bunch of other researchers.
Had to choose some solid security people with some webappsec background.
haha :), ok, ok... I understand that it may look like that but this is definitely not the case :) just trying to improve the way these things are handled in the future. and there is alway room for improvements. I am interested what the judges will come with.
From my personal point of view the top web hacking technique for 2008 is XSS via Adobe Flash which is still active in current version of Adobe Flash pluggin. I have successfully tested XSS keylogger via this attack vector and in my opinion this vector has potential to become very dangerous for the future, if not fixed.
Kinda like asking one person or even a team of people to secure everything in a company, you can't ask one person, team, group of judges, or even a general representation of your traffic/hits to poop out a list of the best things.
There will always be some person or group of another pdp who feels slighted or does not agree with the weighting or feels something was left out of wrongly included. Let alone getting respectful concensus inside the group itself! "Bah, take my name off the list because I disagree!"
I think that's going to be the nature of something like a list of top hacks or techniques or issues.
By the way, democracy does not always work. I would much rather have a good panel of judges rather than the dirty masses of the public...
The best I hope for in lists like this are as follows:
- eventual consistency (in scope and definitions)
- possible information that I didn't know before
- opinions from experts on what I should care about in my enterprise
That actual ordering or bragging rights on things like this are not important and will forever be open to debate by everyone.