Sunday, 1 May 2016

The Top 10 Web Hacking Techniques Used by the Hackers

The most influential research on vulnerabilities and exploits, as voted on by the security community.
FREAK
SSL/TLS Vulnerability that would allow attackers to intercept HTTPS connections and force them to use weakened encryption.
Researchers: Karthikeyan Bhargavan at INRIA in Paris and the miTLS team
Further details on the research: https://freakattack.com

Logjam
Another TLS vulnerability that allows man-in-the-middle attacks by downgrading vulnerable TLS connections to 512-bit encryption.
Researchers: David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann
Additional information: https://weakdh.org

Web Timing Attacks Made Practi
cal

Black Hat talk on how to tweak timing side-channel attacks to make it easier to perform remote timing attacks against modern web apps.
Researchers: Timothy Morgan and Jason Morgan
Video: https://www.youtube.com/watch?v=KirTCSAvt9M

Evading All* WAF XSS Filters
Research that shows how it is possible to evade cross-site scripting filters of all popular web-application firewalls.
Researcher: Mazin Ahmed
Additional information: http://blog.mazinahmed.net/2015/09/evading-all-web-application-firewalls.html

Abusing CDN’s with SSRF Flash and DNS
Research highlighted at Black Hat looking at a collection of attack patterns that can be used against content delivery networks to target a wide range of high availability websites.
Researchers: Mike Brooks and Matt Bryant
Video: https://www.youtube.com/watch?v=ekUQIVUzDX4
IllusoryTLS
An attack pattern that can wreck the security assurances of X.509 PKI security architecture by employing CA certificates that include a secretly embedded backdoor.
Researcher: Alfonso De Gregorio
Additional information: http://www.illusorytls.com
Exploiting XXE in File Parsing Functionality
A Black Hat talk examining methods in exploiting XML Entity vulnerabilities in file parsing/upload functionality for XML-supported file formats such as DOCX, XSLX and PDF.
Researcher: Will Vandevanter
Video: https://www.youtube.com/watch?v=ouBwRZJHmmo
Abusing XLST for Practical Attacks
Research and proof-of-concept attacks highlighted at Black Hat that show how XSLT can be leveraged to undermine the integrity and confidentiality of user information.
Researcher: Fernando Arnaboldi
Video: https://www.youtube.com/watch?v=bUcd-yibTCE

Magic Hashes
Looks into a weakness in the way PHP handles hashed strings in certain instances to make it possible to compromise authentication systems and other functions that use hash comparisons in PHP.
Researchers: Robert Hansen and Jeremi M. Gosney
Additional information: https://www.whitehatsec.com/blog/magic-hashes/

Hunting Asynchronous Vulnerabilities

Research presented at 44CON delves into how to use exploit-induced callback methods to find vulnerabilities hiding in backend functions and background threads.
Researcher: James Kettle
Video: https://vimeo.com/ondemand/44conlondon2015

0 comments:

Post a Comment