Now in its tenth year, the Top 10 List of Web Hacking Techniques takes a step back from the implications of attacks to understand how they happen. The list is chosen by the security research community, coordinated by WhiteHat Security.
After receiving 39 submissions detailing hacking techniques discovered in 2015, the following hacks were voted into the top 10 spaces:
- FREAK (Factoring Attack on RSA-Export Keys)
- Web Timing Attacks Made Practical
- Evading All* WAF XSS Filters
- Abusing CDN’s with SSRF Flash and DNS
- Exploiting XXE in File Parsing Functionality
- Abusing XSLT for Practical Attacks
- Magic Hashes
- Hunting Asynchronous Vulnerabilities
“Based on this year’s Top Ten, it is safe to say that SSL/TLS remains one of the key targets for emerging hacking techniques. Over the ten years of Top 10 lists, TLS hacks have come up time and time again. Examples like Heartbleed and POODLE dominated the headlines last year and once again, TLS attacks have taken three of the Top 10 places this year. In 2016, we have already seen the DROWN attack, which reportedly affects one in three websites. Based on the volume of legacy code still in existence, we will no doubt see more downgrade attacks over the coming year,” Johnathan Kuskos, Manager, Threat Research Centre at WhiteHat Security, told Help Net Security.
Whilst the spectrum of attack techniques is constantly evolving, the main avenues of attack that are exploited change less frequently, according to Paul Farrington, Senior Solution Architect at Veracode. “Injection-style attacks remain stubbornly top of the OWASP Top 10 (2013) vulnerabilities list. This is closely followed by XSS attacks, which are extremely prevalent in web applications. The message here is to keep one eye on emerging vulnerabilities – always interesting and potentially important.”
“Keep both eyes on the underlying weakness in code – represented as a style of coding. Taking that approach will help to ensure that the engineering team is better placed to thwart the ingenuity of the hacker, because they’ve built defences into the software where flaws previously existed. Static analysis provides the greatest yield of potential vulnerabilities because it inspects the DNA of the software. Dynamic analysis is a useful complementary technique that helps to identify a fuller range of problems when used in combination,” he concluded.