This document discusses the top 10 web hacking techniques of 2012. It provides an overview of each technique including CRIME, attacking memcached via SSRF, Chrome addon hacking, bruteforcing PHPSESSID, blended threats using JavaScript, cross-site port attacks, permanently backdooring HTML5 client-side applications using local storage, CAPTCHA re-riding attacks, gaining access to HttpOnly cookies in 2012 through Java applets, and attacking OData through HTTP verb tunneling and navigation properties. The document also discusses the history of past web hacking techniques and provides background information on topics like HttpOnly cookies, XST, and CAPTCHAs.
Thank you to…
• All Web security researchers
• Panel of Judges: Ryan Barnett, Robert Auger, Robert Hansen (CEO, Falling Rock Networks), Dinis Cruz, Jeff Williams (CEO, Aspect Security), Peleus Uhley, Romain Gaucher (Lead Researcher, Coverity), Giorgio Maone, Chris Wysopal, Troy Hunt, Ivan Ristic (Director of Engineering, Qualys), and Steve Christey (MITRE)
• Everyone in the Web security community who assisted with voting
JEREMIAH GROSSMAN
Founder and CTO
Twitter: @jeremiahg
Email: jeremiah@whitehatsec.com

MATT JOHANSEN
Head of the Threat Research Center
Twitter: @mattjay
Email: matt@whitehatsec.com
Editor's Notes
According to the provided scenario, the exploit will not work if the victim has already accessed the login.php page. This is not always the case. For example, many web applications have a logout page whose job is to clear session data and to issue either a new session cookie or an empty session cookie such as PHPSESSID=deleted. Here, our XSS payload will call this logout page first and then call the login page, which issues an HttpOnly session cookie.