Justice League Blog
Top Ten Web Hacking Techniques of 2009

This is a guest post by Cigital consultant Romain Gaucher.
Every year since 2006, Jeremiah Grossman has organized a contest to recognize the Top Ten Hacking Techniques of the year. This year, I had the privilege of being one of the security professionals asked to judge along with Rich Mogull, Dinis Cruz, Chris Hoff, HD Moore, Billy Rios, Dan Kaminsky, Steven Christey, Jeff Forristal, and Michal Zalewski.
The scoring process was intentionally simple: given the list of 82 hacking techniques or selected exploits, we each nominated our top 15, in order. Appearing in a judge’s number one position would score the technique 15 points. Being ranked as a judge’s number two scored 14 points and so on. The techniques which received the most total points from all judges became the top ten.
Judges were given broad latitude in making their selections, but candidate techniques were judged primarily on pervasiveness, impact, novelty and coolness. I know a few judges who used more formal evaluation methodologies than I did, rating each candidate individually and then sorting them. I didn’t.
Since I was already familiar with many of the candidate techniques listed, I didn’t have to go through them again and I was able to focus on the techniques I didn’t have time to follow or to dive into during the year.
After a few hours, I had a reasonable knowledge of all the candidates. In order to get a more manageable list of candidates, I decided to do a first pass and create a list of techniques that I believed must be in a top 15. I came up with a list of about 30 finalists.
With this smaller list, I went back to the papers and blog posts to rate the techniques. I decided to combine some of the factors that Jeremiah sent us, both to simplify my evaluation and because I thought it correctly suited the goal of this contest. I used the Risk and the Originality of the techniques to rate them:
- Risk: pervasiveness and impact
- Originality: novelty and coolness
I considered those two factors to have the same weight. Even if in my daily job the risk represents the most important part of the evaluation, for the contest, the originality is a very important part.
The list of top ten winners can be found in Jeremiah’s blog post. Some of the candidate techniques were de facto winners because of their impact and coolness. This is especially true for the research from Alexander Sotirov et al. on the Rogue CA certificate: totally elite. I’m sure most readers will remember the buzz around this attack last year at the 25C3 (Chaos Communication Congress). They started by teasing everyone and then explained how, with a cluster of 200 PlayStation 3 consoles, they were able to create a rogue certificate: way to go for a perfect man-in-the-middle or phishing attack!
With a different scoring vector (lower originality, but higher risk due to a higher likelihood than #1), we have our number two, the research from Luca Carettoni and Stefano Di Paola on the newly named HTTP parameter pollution (HPP). This attack exploits discrepancies in how HTTP request parameters (query string, POST variables, etc.) are parsed between different layers of the application (input/output handling, encoding issues) or of the server-side application stack (front-end/back-end, WAF, etc.). Even if this attack doesn’t look über-cool, it can facilitate many other types of injection-based attacks (XSS, SQLi, etc.) by, for example, hiding the payload from one of the defense layers (a WAF, for example).
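The parsing discrepancy at the heart of HPP is easy to see in code. The example below is added here and is not part of the original post or of the HPP research; it resolves a query string with a duplicated parameter under three policies (first occurrence wins, last occurrence wins, occurrences joined with a comma), all of which are documented behaviours of real server stacks, and then flags the parameters whose value would differ between a front-end layer and a back-end layer using different policies. The query string and the `first`/`last`/`join` policy names are constructed for the example; which policy a given framework uses must be verified against that framework, not assumed from this code.

```python
from urllib.parse import parse_qs

# Constructed sample request: the same parameter name appears twice.
SAMPLE_QUERY = "id=1&id=2&name=alice"


def resolve_params(query: str, policy: str) -> dict:
    """Collapse duplicated parameters the way a single layer would see them.

    policy is one of:
      'first' - keep the first occurrence of each name
      'last'  - keep the last occurrence of each name
      'join'  - join all occurrences with a comma, in request order
    """
    # keep_blank_values so that 'id=' still counts as an occurrence
    multi = parse_qs(query, keep_blank_values=True)
    if policy == "first":
        return {name: values[0] for name, values in multi.items()}
    if policy == "last":
        return {name: values[-1] for name, values in multi.items()}
    if policy == "join":
        return {name: ",".join(values) for name, values in multi.items()}
    raise ValueError(f"unknown policy: {policy!r}")


def duplicate_params(query: str) -> dict:
    """Return {name: count} for every parameter name that occurs more than once.

    A WAF or request-validation layer can use this as a cheap pre-check:
    duplicated names are the precondition for any HPP attempt.
    """
    multi = parse_qs(query, keep_blank_values=True)
    return {name: len(values) for name, values in multi.items() if len(values) > 1}


def inconsistent_params(query: str, front_policy: str, back_policy: str) -> list:
    """Names whose resolved value differs between two layers' policies.

    A non-empty result means the front-end (e.g. a WAF) would inspect a
    different value from the one the back-end application actually uses.
    """
    front = resolve_params(query, front_policy)
    back = resolve_params(query, back_policy)
    return sorted(name for name in front if front[name] != back[name])


if __name__ == "__main__":
    for policy in ("first", "last", "join"):
        print(policy, resolve_params(SAMPLE_QUERY, policy))
    print("duplicates:", duplicate_params(SAMPLE_QUERY))
    print("front=first, back=join disagree on:",
          inconsistent_params(SAMPLE_QUERY, "first", "join"))
```

The defensive takeaway is the last function: if the layer that inspects a request and the layer that consumes it resolve duplicates differently, the inspecting layer is checking the wrong value. Rejecting (or at least logging) requests with duplicated parameter names at the outermost layer removes the discrepancy entirely.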
I am a bit disappointed not to see any PDF-related attacks in the final list (yes, it was in my top 15), because it was such a big deal in 2009. Most of those attacks come from the JavaScript support. For example, the PDF Silent HTTP Form Repurposing Attacks paper explains how an attacker can create a malicious PDF file executing JavaScript in the same domain. This is a great follow-on work to what Didier Stevens and others did on the PDF format. Some other techniques from my list didn’t make the final top ten, such as the Socket Capable Browser Plugins Results in Transparent Proxy Abuse from Robert Auger. I find them both very interesting in reflecting discrepancies between the server-side application stack and new client-side attack surfaces.
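Because the PDF attacks above depend on JavaScript support, the usual first triage step on the defensive side is to count the PDF name objects that carry active content, in the spirit of Didier Stevens' pdfid tool. The example below is an added illustration of that check, not the post's or the tool's own code: it normalises the `#xx` hex escapes that PDF allows inside names (so `/Java#53cript` is recognised as `/JavaScript`) before counting, and runs over two constructed PDF fragments, one benign and one with an `/OpenAction` pointing at JavaScript. The fragments are not valid complete PDFs, just enough bytes to exercise the scanner.

```python
import re

# PDF names whose presence usually means active content or auto-execution.
PDF_RISKY_NAMES = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch")

# Constructed sample files (not real documents; not from the original post).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"%%EOF\n"
)
ACTIVE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS (x) >> endobj\n"  # hex-escaped name
    b"%%EOF\n"
)


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names (e.g. /J#53 -> /JS).

    A scanner that matches on raw bytes misses names written this way.
    """
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  data)


def count_active_content(data: bytes) -> dict:
    """Return {name: occurrences} for each risky name in the file."""
    normalized = _unescape_names(data)
    counts = {}
    for name in PDF_RISKY_NAMES:
        # Negative lookahead so that /JS does not match a longer name
        # such as /JSX, and /AA does not match /AAA.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        counts[name] = len(re.findall(pattern, normalized))
    return counts


def has_active_content(data: bytes) -> bool:
    """True if any risky name occurs at all; a trigger for deeper analysis."""
    return any(count > 0 for count in count_active_content(data).values())


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF)):
        print(label, count_active_content(pdf), has_active_content(pdf))
```

A non-zero `/JS` or `/JavaScript` count combined with `/OpenAction` or `/AA` is the pattern worth escalating: it means script that runs on open rather than on a user action. Counting names is only triage; it says nothing about what the script does, and content inside compressed streams still needs to be inflated before this check sees it.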
But anyway, this was a great year with many different attacks: some new, some really elite, others improvements of already known techniques. The attacks target different flavors of web security: cryptography, protocol design and abuse, and software misbehavior. Research into techniques like these allows us to better understand the security problems we face right now and catalyzes joint work between vendors and the security community.
Finally, I’d like to congratulate my Cigital colleague, David Lindsay who, along with Eduardo Vela, came in at number 8 with cross-site scripting research that yielded surprising and sophisticated ways to evade filters and web application firewall (WAF) rules.