4/21/2011 08:00:00 AM
K.D
A Web hack that can endanger online
banking transactions is ranked the No. 1 new Web hacking technique
for 2010 in a top 10 list selected by a panel of experts and open voting.
Called the 1)Padding Oracle Crypto Attack, the hack takes advantage of how Microsoft's Web framework ASP.NET
protects AES encryption cookies.
If encryption data in the cookie has
been changed, the way ASP.NET handles it results in the application leaking
some information about how to decrypt the traffic. With enough repeated changes
and leaked information, the hacker can deduce which possible bytes can be
eliminated from the encryption key. That reduces the number of unknown bytes to
a small enough number to be guessed.
2. Evercookie -- This enables a Java script to create cookies that hide in
eight different places within a browser, making it difficult to scrub them. Evercookie enables the hacker to identify
the machine even if traditional cookies have been removed. (Created by Samy
Kamkar.)
3. Hacking Autocomplete -- If the feature in certain browsers that
automatically completes forms on Web sites (autocomplete) is turned on, script
on a malicious Web site can force the
browser to fill in personal data by tapping various data stored on
the victim's computer. (Created by Jeremiah Grossman.)
4. Attacking HTTPS with Cache Injection -- Injection of malicious
Java script libraries into a browser cache enables attackers to compromise Web
sites protected by SSL. This will work until the cache is cleared. Nearly half
the top 1 million Web sites use external Java script libraries. (Crated by Elie
Bursztein, Baptiste Gourdin and Dan Boneh.)
5. Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
-- Gets around cross site request forgery defenses and tricks
victims into revealing their e-mail IDs. Using these, the attackers
can reset the victim's passwords and gain access to their accounts. (Created by
Lavakumar Kuppan.)
6. Universal XSS in IE8 -- Internet Explorer 8 has cross-site scripting
protections that this exploit
can circumvent and allow Web pages to be rendered improperly in a potentially
malicious manner.
7. HTTP POST DoS -- HTTP POST headers are
sent to servers to let them know how much data is being sent, then
the data is sent very slowly, eating up the servers' resources. When many of
these are sent simultaneously, the servers are overwhelmed. (Created by Wong
Onn Chee and Tom Brennan.)
8. JavaSnoop -- A Java agent attached to the target machine communicates
with the JavaSnoop tool to test applications
on the machine for security weaknesses. This could be a security tool or a hacking tool,
depending on the user's mindset. (Created by Arshan Dabirsiagh.)
9. CSS History Hack in Firefox without JavaScript for Intranet Port Scanning
-- Cascading style sheets, used to define the presentation of HTML, can be used
to grab browser
histories as victims visit Web sites. The history information can be
used to set the victim up for phishing attacks. (Created by Robert
"RSnake" Hansen.)
10. Java Applet DNS Rebinding -- A pair of Java applets direct a browser to
a pair of attacker controlled Web sites, forcing the browser to bypass its DNS
cache and so make it susceptible to an NDS rebinding attack.
(Created by Stefano Di Paola.)
Posted in: Hacking,Hacking Tools,Security
.png)
0 comments:
Post a Comment