Top 10 Web Hacking Techniques of 2015

Edit: We will be updating this post with nominations as they are received and vetted for relevance.  Please email them to Top10Webhacks[/at/]whitehatsec[\dot\]com.

With 2015 coming to a close, the time has come for us to pay homage to top tier security researchers from the past year and properly acknowledge all of the hard work that has been given back to the infosec community. We do this through a nifty yearly process known as The Top 10 Web Hacking Techniques list. Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its tenth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent research. Previous Top 10s and the number of new attack techniques discovered in each year are as follows:
2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51), 2012 (56), 2013 (31), and 2014 (46).

The vulnerabilities and hacks that make this list are chosen by the collective insight of the infosec community. We rely 100% on nominations, either your own or for another researcher, for an entry to make this list.

Phase 1: Open community submissions [Jan 11-Jan 22]

Comment on this post with your submissions from now until Jan 22nd. The submissions will be reviewed and verified.

Phase 2: Open community voting for the final 15 [Jan 23-Feb 1]

Each verified attack technique will be added to a survey which will be linked below on Feb 1st. The survey will remain open until Feb 8th. Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end, all points from all ballots will be tabulated to ascertain the top 15 overall.

Phase 3: Panel of Security Experts Voting [Feb 1-Mar 8]

From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as Phase 2, the judges will rank the final 15 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2015!

Prizes [to be announced]

The winner of this year’s top 10 will receive a prize!

Current List of 2015 Submissions (in no particular order)

– Abusing XSLT for Practical Attacks
– Java Deserialization w/ Apache Commons Collections in WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS
– Breaking HTTPS with BGP Hijacking
– Pawn Storm (CVE-2015-7645)
– Bypass Surgery – Abusing CDNs with SSRF Flash and DNS
– Google Drive SSO Phishing
– Dom Flow – Untangling The DOM For More Easy-Juicy Bugs
– Password mining from AWS/Parse Tokens
– Exploiting XXE in File Upload Functionality
– Expansions on FREAK attack
– FileCry – The New Age of XXE
– Server-Side Template Injection: RCE for the Modern Web App
– Understanding and Managing Entropy Usage
– Attack Surface for Project Spartan’s EdgeHTML Rendering Engine
– Web Timing Attacks Made Practical
– Winning the Online Banking War
– New Methods in Automated XSS Detection: Dynamic XSS Testing Without Using Static Payloads
– Practical Timing Attacks using Mathematical Amplification of Time Difference in == Operator
– The old is new, again. CVE-2011-2461 is back!
– illusoryTLS
– Hunting Asynchronous Vulnerabilities
– New Evasions for Web Application Firewalls
– Magic Hashes
– Formaction Scriptless attack updates

Improve remember me cookie expiration in Devise (CVE-2015-8314)

A security bug (CVE-2015-8314) has been reported in Devise’s remember me system.

Devise implements the “Remember me” functionality by using cookies. While this functionality works across multiple devices, Devise ended up generating the same cookie for all devices. Consequently, if a malicious user was able to steal a remember me cookie, the cookie could be used to gain access to the application indefinitely unless the user changed their password (which may not be a frequent event).

Although all Devise versions are vulnerable to this bug, the bug can only be exploited if the attacker can steal cookies in the first place. Regardless, we recommend that all users upgrade to the latest Devise version.

Releases

Devise 3.5.4 has been released with a fix. This release adds a timestamp to the cookie, guaranteeing that cookies can be expired on a case-by-case basis instead of an all-or-nothing approach.
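As an added illustration of the two designs described above (this is not Devise’s own code), the Ruby sketch below contrasts a remember-me cookie that is identical on every device with one that carries its issue time, so a single device’s cookie can expire on its own and a password change or sign-out can revoke all of them at once. The `User` class, the `REMEMBER_FOR` window, integer epoch-second times and the method names are assumptions.

```ruby
require 'securerandom'

# Illustrative remember-me model, not Devise's own code. Times are integer
# epoch seconds; REMEMBER_FOR and the method names are assumptions.
class User
  REMEMBER_FOR = 14 * 24 * 3600 # seconds a remember-me cookie stays valid
  attr_reader :id, :remember_created_at

  def initialize(id)
    @id = id
    @secret = SecureRandom.hex(16) # per-user rememberable value
    @remember_created_at = nil
  end

  # Vulnerable pattern: the cookie depends only on the user, so every device
  # receives the same value and no single device's cookie can be expired.
  def weak_cookie
    [id, @secret]
  end

  # Hardened pattern: embed the issue time, so each device gets a distinct
  # cookie whose validity can be judged on its own.
  def issue_cookie(now)
    @remember_created_at ||= now # first issue opens the validity window
    [id, @secret, now]
  end

  # Revoke all outstanding cookies (sign out everywhere, password change):
  # moving the window start forward makes every older cookie invalid.
  def forget!(now)
    @remember_created_at = now
  end

  def cookie_valid?(cookie, now)
    cid, token, generated_at = cookie
    return false unless cid == id && generated_at.is_a?(Integer)
    return false if @remember_created_at.nil?
    return false if generated_at < @remember_created_at # revoked by forget!
    return false if generated_at < now - REMEMBER_FOR  # past the expiry period
    secure_compare(token, @secret)
  end

  private

  # Constant-time comparison so the token check leaks no timing information.
  def secure_compare(a, b)
    return false unless a.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Note that `weak_cookie` carries nothing that can be expired or distinguished per device, which is the defect the advisory describes, while `cookie_valid?` rejects a cookie that is older than the last `forget!`, older than the validity window, or carrying a wrong token.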

We also have made a patch available for those running on older versions.

Acknowledgements

We want to thank Alfredo Ramirez (bonds0097@gmail.com) from VSR for reporting the issue and working with us on a fix.

Recapping STAR West 2017

After attending the STAR West 2017 conference this year, I wanted to take a little time to share some of my thoughts, takeaways and inspirations from the conference.

STAR West is a pretty large conference and it felt big: lots of people, lots of vendors and lots of sessions. Here are some of my thoughts and favorite moments of the conference.

Rise of the Machines: Can Artificial Intelligence Terminate Manual Testing?

When I sat down and got ready for the opening keynote I wasn’t sure what to expect. Machine learning and AI in the software and testing worlds are major buzzwords right now, so I wasn’t surprised to see them at the forefront of the conference. Largely uninformed and entirely skeptical, I have been dismissing machine learning completely, so I admit I cringe when I see talks about it and expect hype, fear and smoke and mirrors.

So when Tariq King hit the stage I was skeptical; however, he opened with this montage of pretty much every sci-fi movie representation of artificial intelligence there is, all nicely edited and mixed with music. It was slick and polished, and I sat thinking this is the big leagues of keynote speaking.

Tariq also brought forth a challenge to push testing forward through innovation. To paraphrase, he stated that testing as an industry has in many ways been falling behind; he even has #bringbacktesting. This really resonated with me, ironically for some of the same reasons I resisted machine learning. It’s just the latest thing that will be the death of testers.

What I particularly appreciated from the keynote was the recognition that there are differences between machines and humans and they each have benefits. This reconciles quite nicely with my views on automated testing.

Highlights

This was one of the most polished keynotes I’ve seen, and I left with very high expectations for the rest of the conference.

Make Your Team Awesome—Yes, You Can!

I was very excited to get to hear Maaret Pyhäjärvi give the closing keynote. It was great. I’m not sure it was recorded, but I would love to watch it a few more times just because there was so much good information, and I could do a more in-depth post on it. Maaret wove topics and her experiences at the conference into her keynote, so it felt fresh and authentic. I got swept up in just listening and couldn’t take notes like I did with other talks. As the talk progressed there were a few times where the message was so clear and insightful I thought Maaret was going to drop the mic and walk off stage, but the good stuff kept coming.

If I sound like a fan, I am, but I can’t tell you how many other people I heard on the way out of the conference talking about just how great this keynote was.

Highlights

There were so many more…

AI For Test Automation

This session was a result of another speaker cancelling and Jason Arbon of AppDiff stepping up to fill in. I am so glad of that cancellation. As I mentioned earlier, I gave very little credence to AI and machine learning going into this conference, but I left this session extremely interested in machine learning. Jason was able to demonstrate some generic automated test cases working on applications that his bots had never seen before. While he was showing his team’s work, this talk was by no means a vendor session. He was quick to explain how little actual code it takes to wire up a neural net; the real work is in training it. It was fascinating and his passion for the subject matter really shone through. He also shared the site test.ai where I believe they will be making some of their supporting libraries available so teams can try building their own neural nets for testing applications. I can’t wait to check it out.

Get Involved Early: A Tester’s Experience with Requirements

I really enjoyed this experience report by Julie Lebo. Good requirements have been a challenge on many projects I have worked on. Her journey as a solo tester was really informative; she discussed going back to school to get her master’s degree in computer science. I am interested in computer science, but I have read mixed things about the value of a master’s-level computer science degree considering it can often be very theoretical in nature. It was great to hear a tester talk about her thesis and the value it brought her as a tester.

Testing and DevOps: Organizations and Their Culture Must Change

The bar was set pretty high for the second keynote on day 1, but it was a very different type of talk. It felt like a successful experience report of a team’s transition to DevOps. There was a nice focus on the need for philosophical changes for teams to transition to newer ways of doing things, focusing on DevOps being an extension of an Agile transition.

There was some good stuff:
– including regression testing in current sprints instead of a release / hardening sprint
– enabling testers’ involvement early and, in a manufacturing sense, allowing them to halt the line
– including automation early as a collaborative effort to increase alignment
– the importance of test data

Unfortunately, when the time came to discuss how testers’ roles change in DevOps, the talk fell to the very expected topic of increasing the technical skills of testers. It’s not that I don’t understand or recognize this shift, but I think testers have heard this before. I would have liked to see more depth and insight here; there are some very highly functioning Agile / DevOps teams that value exploratory testers. I think the audience would have benefitted from hearing how those teams have changed.

Technical Track Sessions

Technical sessions can be tough; it’s hard to balance because the skill levels of the audience can be so broad. If any pique my interest I usually pick a backup session so I can walk out if I don’t feel like I am getting anything out of the session. Happily, though, I didn’t need any exit strategy for either of the technical sessions I attended.

Testing RESTful Webservices

Hillary Weaver Robb gave a nice overview of testing web services with both tools and code. This is an area I work on quite a bit day to day, but it’s nice to see how other people are doing things and see if there are things we could be doing better, etc. It was good stuff, and being in the crowd I could tell people were getting stuff they could take home to their teams.

STAR West has this idea of Speaker Lunches where attendees can sit at certain speakers’ tables. It was a nice touch and I got a chance to chat with Hillary. She runs the Ministry of Testing group in Detroit and she totally hooked me up with a pin.

Say Goodbye to Flaky Selenium Tests

I wasn’t sure about choosing this session, but I have a project coming up where I plan on using Appium and figured I’d give it a try. My current team doesn’t have a dedicated and separate automation group, so it was interesting to see a more enterprise approach to building out automation. It worked out well, though: Craig Schwarzwald gave solid advice, and what is basically a necessity for an enterprise group supporting other teams really results in a solid and maintainable framework. I’m glad I stayed; I have things I can directly apply and also felt validated in some of my decisions, mostly around not allowing Selenium implementation details to creep into actual test code.

Impressions

It was a good conference and I am glad I got to go; being held at Disneyland was a nice touch as well.

In a couple of time slots I found it hard to find any sessions I found interesting, and it wasn’t always clear when or if there was time for Q&A during talks. I really thought the lunch with speakers idea was a real benefit for the attendees.

Unfortunately I missed Paul Merrill’s talk on machine learning which I heard was very good. I’m hoping I can catch it through one of the webinars he hosts.

This happened, plus it was a great lunch conversation.

Hacker News Vulnerable to CSRF

What I learned from suffering my first and last xss attack

OpenSSL CVE-2016-0799: heap corruption via BIO_printf
