Tuesday, January 08, 2008

Calling all Web Hacks of 2007

As RSnake, Robert Auger, and I released in 2006, we’ll be putting together a Top 10 Web Hacks for 2007. The difference this time will be that it’ll be open to a public vote! Everyone will get a chance to weigh in on what they think the Top Ten for this year should be. Hey, why not, it is an election year. :) To be clear, the “hacks” we’re interested in are the new techniques released over the last year - we’re not talking compromises or “incidents”, but the real research behind it all.

The hardest part is collecting a rather complete list of references to vote on, since they’re all over the place, so that’s the reason for this post. Below is what I’ve gathered so far, and if you know of others, please comment them in with the title and link and I’ll add them. In the next few days the list will be compiled and I’ll create an open survey.


HScan Redux
ISO-8895-1 Vulnerable in Firefox to Null Injection
Firefox Save As Complete Issue
MITM attack to overwrite addons in Firefox
Microsoft ASP.NET Request Validation Bypass Vulnerability
Non-Alpha-Non-Digit 3
Steal History without JavaScript
Port Scan without JavaScript
Login Detection without JavaScript
Anti-DNS Pinning ( DNS Rebinding ) : Online Demonstration
Username Enumeration Timing Attacks (Sensepost)
Google GMail E-mail Hijack Technique
Recursive Request DoS
XSS Vulnerabilities in Common Shockwave Flash Files
Anti-DNS Pinning in the News!
Exaggerating Timing Attack Results Via GET Flooding
Initiating Probes Against Servers Via Other Servers
Effects of DNS Rebinding On IE’s Trust Zones
Paper on Hacking Intranets Using Websites (Not Web Browsers)
More Port Scanning - This Time in Flash
Res:// Protocol Local File Enumeration
Res Timing Attack
IE6.0 Protocol Guessing
IE 7 and Firefox Browsers Digest Authentication Request Splitting
Hacking Intranets Via Brute Force
Hiding JS in Valid Images
Internet Archiver Port Scanner
Noisy Decloaking Methods
Code Execution Through Filenames in Uploads
Cross Domain Basic Auth Phishing Tactics
Additional Image Bypass on Windows
Detecting users via Authenticated Redirects
Passing Malicious PHP Through getimagesize()
Turn Any Page Into A Greasemonkey Popup
Enumerate Windows Users In JS
Anti-DNS Pinning ( DNS Rebinding ) + Socket in FLASH
Iframe HTTP Ping
Read Firefox Settings (PoC)
Stealing Mouse Clicks for Banner Fraud
(Non-Persistent) Untraceable XSS Attacks
Inter Protocol Exploitation
Detecting Default Browser in IE
Bypass port blocking in Firefox, Opera and Konqueror.
LocalRodeo Detection
Image Names Gone Bad
IE Sends Local Addresses in Referer Header
PDF XSS Can Compromise Your Machine
Universal XSS in Adobe’s Acrobat Reader Plugin
Firefox Popup Blocker Allows Reading Arbitrary Local Files
IE7.0 Detector
overwriting cookies on other people’s domains in Firefox.
Embeding SVG That Contains XSS Using Base64 Encoding in Firefox
Firefox Header Redirection JavaScript Execution

15 comments:

Unknown said...

I'll just suggest kuza55's talk at 24c3

He talked about a lot of stuff, you should read about it.

http://outpost.h3q.com/fnord/24c3-torrents/24c3-2212-en-unusual_web_bugs.mp4.torrent

There's really a lot of research on there.

Unknown said...

btw here are some other blogs that should be checked:
http://www.wisec.it/sectou.php
http://xs-sniper.com/blog/
http://www.thespanner.co.uk/
http://hackademix.net/
http://www.gnucitizen.org/
http://www.0x000000.com/
http://p42.us/

of course, sla.ckers forums:
http://sla.ckers.org/forum/

Anonymous said...

why don't you leave this to the government?! they have the proper
resources to collect the data and calculate it accurately. what will
it mean if your readers vote a certain new technique? will that change
a security situation? what is the point is my main reasoning. ok, it
might be just for fun, but can't we keep the funnies off the mailing
lists... no one is interested in games. security is a serious subject,
we're not interested in mindless statistics you collect for what will
be an inaccurate vote with no real meaning. well i'm sure there are
some cheap websites like securityfocus who are listening in and will
probably post the results because january is usually a slow news day
time of year, but yeah overall this is a waste of everyone's time
finding the new stuff to put in the vote and then voting on them. what
happens if you discover something was missed out?! ah well, i'll keep
an eye on what's going on but i personally think this is a dumb ass
exercise which will ultimately prove nothing. i'll praise you when the
2008 research begins.. but for now i bash you for this stupid blog
entry which reflects last year's trends which no one cares about
anymore. lets keep things current not in the past all the time. folks
like me who are into web security know what the critical new
techniques of 2007 were, and if everyone else already doesn't know
then i suggest you unsubscribe and get a new career. "RSnake, Robert
Auger, and I" lmfao who do you lot think you are? the government don't
need your help and neither does anyone else. Get lost and take off the
ego hat in 2008. Be sure to pass on my comment to robert and snakey
poops. good bye.

Anonymous said...

You're forgetting some real good ones from xs-sniper:

http://xs-sniper.com/blog/2008/01/08/theres-an-oak-tree-in-my-blog/
http://xs-sniper.com/blog/2007/09/24/stealing-pictures-with-picasa/
http://xs-sniper.com/blog/2007/07/24/remote-command-execution-in-firefox-2005/

The picasa and Google Docs get my vote.

Jeremiah Grossman said...

many thanks sirdarckcat, I'll start digging around through the URLs. This stuff takes a while.

Anonymous said...

Hi Jeremiah,

Your link regarding the ASP.NET request validation bypass is pointing to an old one (about 2003). The new one is MS07-040 - http://www.microsoft.com/technet/security/Bulletin/MS07-040.mspx

And a shameless plug:)
XSS Tunnelling

Anonymous said...

Getting remote admin access to a router that has NO Internet-visible services via auth bypass + CSRF web bugs. The exploit even notifies the attacker via email when a router has been owned: http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub-4

(other hacks also included in the same post)

Anonymous said...

full details for the latest ASP.NET request validation bypass: http://www.procheckup.com/Vulner_PR0703.php

and more info: http://michaeldaw.org/news/news-030407/

Nate McFeters said...

JG,

How bout throwing a bone me and Billy Rios's way?

I think someone else also mentioned it... the protocol handling stuff we've been abusing all year (which led to the PDF exploit as pulled off by PDP and made popular by a worm) and how about our exploit that allowed an attacker to steal images from a user that has Google's Picasa installed (great instance of XSS + URI Handling Issues + Dangerous Features + DNS Rebinding with Flash).

Firefox File Handling Woes

Stealing Pictures with Picasa

Or how bout Billy's newest stuff on pwning Google Docs?

There's an Oak Tree in My Blog

Maybe I'm biased cause it was part of my research, but I gotta say I like those better than several on the list.

Jeremiah Grossman said...

@Ferruh, thanks for the link update, nice catch!

@Nate, No way I'd leave out you and Billy. Thanks for the links I'll add em to the list.

Anonymous said...

The Firefox 'save as complete' issue is not from 2007, RSnake stated it is much older (in a thread on sla.ckers).

You should remove this from the list.

Anonymous said...

Hey Jeremiah, take a look at fully owning a blogger blog via CSRF: http://www.gnucitizen.org/blog/csrf-ing-blogger-classic

and hijacking secondlife accounts via CSRF: http://www.gnucitizen.org/blog/csrf-ing-blogger-classic

yes, CSRF is the "new" roach of the web :)

Nate McFeters said...

Thanks JG!

Before I forget, let's add the SecondLife pWn1ch1wa by Dino Dai Zovi and Charlie Miller. I mean, how cool was that? The victim's avatar actually gives you $12 Linden dollars and shouts "I've been hacked!". It's like a damn Hacker movie or something. Let's recognize Dino and Charlie for their consistent Bad Ass-ery.

http://www.securityevaluators.com/sl/

Anonymous said...

gnucitizen's secondlife link should be: http://www.gnucitizen.org/blog/ie-pwns-secondlife

Anonymous said...

I really liked "Favorites Gone Wild".
(http://blog.watchfire.com/wfblog/2007/10/favorites-gone.html)