Presented at AppSec USA 2014
Sept. 18, 2014, 3 p.m.
Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its eighth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work.
In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2013 as picked by an expert panel of judges.
This year's winners are:
1 - Mario Heiderich - Mutation XSS
2 - Angelo Prado, Neal Harris, Yoel Gluck - BREACH
3 - Pixel Perfect Timing Attacks with HTML5
4 - Lucky 13 Attack
5 - Weaknesses in RC4
6 - Timur Yunusov and Alexey Osipov - XML Out of Band Data Retrieval
7 - Million Browser Botnet
8 - Large Scale Detection of DOM based XSS
9 - Tor Hidden-Service Passive De-Cloaking
10 - HTML5 Hard Disk Filler™ API
Johnathan Kuskos - Senior Application Security Engineer - WhiteHat Security
@JohnathanKuskos is a Manager for WhiteHat Security where he is charged with the expansion of their Belfast, Northern Ireland Threat Research Center. After personally hacking hundreds of web applications over several years he moved into a managerial role so that he could contribute to mentoring younger security engineers. Johnathan is extremely passionate about teaching and sharing the security knowledge he's attained. He's also an active bug bounty hunter who has contributed to responsible disclosure for Google, Shopify, Twitter, Mozilla, Netflix, Lastpass, Meraki, Barracuda Networks, Etsy, and United Airlines. Lastly, he's an active CTF participant and tries reaallllyyyyy hard to not get sidetracked when using web apps personally') UNION SELECT '' INTO OUTFILE '/var/www/shell.php';--
Matt Johansen - Senior Manager - WhiteHat Security
Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies' and their customers' data. Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web applications that WhiteHat has under contract for many Fortune 500 companies across a range of technologies. He was previously a security consultant for VerSprite, where he was responsible for performing network and web application penetration tests. Mr. Johansen is also an instructor of Web Application Security at Adelphi University, where he received his Bachelor of Science in Computer Science, and at San Jose State University. He has also been utilized by the SANS Institute as an industry expert for certification review.