Every year the number and creativity of Web hacks increase, and the damage from these attacks rises exponentially, costing organisations millions. Keeping up with these attacks can be hard work for any security professional.
WhiteHat Security, with the help of an open community and a selected panel of industry experts, has compiled a list of the top ten latest web hacking techniques from 2012 to help highlight these new attacks:
The Top Ten
1. CRIME
2. Pwning via SSRF (memcached, php-fastcgi, etc)
3. Chrome addon hacking
4. Bruteforce of PHPSESSID
5. Blended Threats and JavaScript
6. Cross-Site Port Attacks
7. Permanent backdooring of HTML5 client-side application
8. CAPTCHA Re-Riding Attack
9. XSS: Gaining access to HttpOnly Cookie in 2012
10. Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)
Honourable Mentions
11. Using WordPress as an intranet and internet port scanner
12. .Net Cross Site Scripting – Request Validation Bypassing (1)
13. Bruteforcing/Abusing search functions with no-rate checks to collect data
14. Browser Event Hijacking (2, 3)
15. Bypassing Flash’s local-with-filesystem Sandbox
This is the seventh year WhiteHat has conducted this analysis; past Top Tens and the number of new attack techniques discovered in each year can be found here:
2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51)
To find out how the list was compiled and to obtain a full list of all the latest techniques from 2012, please visit: https://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
WhiteHat Security will also be holding a webinar on 27th March to discuss the latest and most insidious Web-based attacks. You can join the webinar to learn about the latest and worst Web hacks, and how an organisation can protect itself from these attacks.