Votación para las mejores técnicas de hacking web del 2011

Cada año la comunidad que se dedica a la seguridad web produce una gran cantidad de nuevas técnicas de hacking que son publicadas en blogs, artículos, white papers, listas de correo, etc.

Si recordáis, el año pasado ya os mostramos las 10 mejores técnicas de hacking web en el 2010, un ranking patrocinado por Black Hat, OWASP y White Hat Security que fue presentado en la conferencia IT_Defense 2011.

Para este año además os animamos a que participéis activamente en la elección de las mejores técnicas del 2011. ¿Cómo? Pues la primera fase de la votación está abierta a todo el mundo hasta el próximo 20 de febrero. Podréis votar vuestras 15 favoritas entre 50 preseleccionadas o especificar alguna otra que consideréis oportuna. Después, el 26 de febrero, un jurado de expertos elegirá el top 10 final de entre las 15 más votadas.

Así que, ¿a qué esperas para votar? ;)

La gran lista
  1. Abusing Flash-Proxies for client-side cross-domain HTTP requests [slides]
  2. Abusing HTTP Status Codes to Expose Private Information
  3. Autocomplete..again?!
  4. BEAST
  5. Bypassing Chrome’s Anti-XSS filter
  6. Bypassing Flash’s local-with-filesystem Sandbox
  7. CAPTCHA Hax With TesserCap
  8. CSRF with JSON – leveraging XHR and CORS
  9. CSRF: Flash + 307 redirect = Game Over
  10. Close encounters of the third kind (client-side JavaScript vulnerabilities)
  11. Cookiejacking
  12. Cross domain content extraction with fake captcha
  13. Crowd-sourcing mischief on Google Maps leads customers astray
  14. DNS poisoning via Port Exhaustion
  15. DOMinator – Finding DOMXSS with dynamic taint propagation
  16. Double eval() for DOM based XSS
  17. Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)
  18. Excel formula injection in Google Docs
  19. Exploitation of “Self-Only” Cross-Site Scripting in Google Code
  20. Exploiting the unexploitable XSS with clickjacking
  21. Expression Language Injection
  22. Facebook: Memorializing a User
  23. Filejacking: How to make a file server from your browser (with HTML5 of course)
  24. Google Chrome/ChromeOS sandbox side step via owning extensions
  25. HOW TO: Spy on the Webcams of Your Website Visitors
  26. Hidden XSS Attacking the Desktop & Mobile Platforms
  27. How To Own Every User On A Social Networking Site
  28. How to get SQL query contents from SQL injection flaw
  29. How to upload arbitrary file contents cross-domain (2)
  30. JSON-based XSS exploitation
  31. Java Applet Same-Origin Policy Bypass via HTTP Redirect
  32. Kindle Touch (5.0) Jailbreak/Root and SSH
  33. Launch any file path from web page
  34. Lotus Notes Formula Injection
  35. Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java
  36. NULLs in entities in Firefox
  37. Rapid history extraction through non-destructive cache timing (v8)
  38. Session Puzzling (aka Session Variable Overloading) Video 1, 2, 3, 4
  39. SpyTunes: Find out what iTunes music someone else has
  40. Stealth Cookie Stealing (new XSS technique)
  41. Stripping Referrer for fun and profit
  42. SurveyMonkey: IP Spoofing
  43. Temporal Session Race Conditions Video 2
  44. Text-based CAPTCHA Strengths and Weaknesses
  45. The Failure of Noise-Based Non-Continuous Audio Captchas
  46. Timing Attacks on CSS Shaders
  47. Tracking users that block cookies with a HTTP redirect
  48. Using Cross-domain images in WebGL and Chrome 13
  49. XSS in Skype for iOS
  50. XSS-Track as a HTML5 WebSockets traffic sniffer

Las 15 más votadas (actualización 20 de febrero):

  1. Abusing Flash-Proxies for client-side cross-domain HTTP requests
  2. Abusing HTTP Status Codes to Expose Private Information
  3. Autocomplete..again?!
  4. BEAST
  5. Bypassing Chrome’s Anti-XSS filter
  6. CAPTCHA Hax With TesserCap
  7. Cookiejacking
  8. CSRF: Flash + 307 redirect = Game Over
  9. DNS poisoning via Port Exhaustion
  10. DOMinator – Finding DOMXSS with dynamic taint propagation
  11. Expression Language Injection
  12. Java Applet Same-Origin Policy Bypass via HTTP Redirect
  13. JSON-based XSS exploitation
  14. Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java
  15. Session Puzzling (aka Session Variable Overloading)

El TOP 10 final (actualización 26 de febrero):

  1. BEAST (by: Thai Duong and Juliano Rizzo)
  2. Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java (by: Johannes Dahse)
  3. DNS poisoning via Port Exhaustion (by: Roee Hay and Yair Amit)
  4. DOMinator – Finding DOMXSS with dynamic taint propagation (by: Stefano Di Paola)
  5. Abusing Flash-Proxies for client-side cross-domain HTTP requests (by: Martin Johns and Sebastian Lekies)
  6. Expression Language Injection (by: Stefano Di Paola and Arshan Dabirsiaghi)
  7. Java Applet Same-Origin Policy Bypass via HTTP Redirect (by: Neal Poole)
  8. CAPTCHA Hax With TesserCap (by: Gursev Kalra)
  9. Bypassing Chrome’s Anti-XSS filter (by: Nick Nikiforakis)
  10. CSRF: Flash + 307 redirect = Game Over (by: Phillip Purviance)

1 comentarios :