Top 10 Web Hacking Techniques For 2015
The most influential research on vulnerabilities and exploits, as voted on by the security community.
April 27, 2016
Now in its tenth year running, the Top 10 List of Web Hacking Techniques for 2015 gave the security community the chance to vote on the most influential research on vulnerabilities, exploits and hacking techniques across all of last year. Coordinated by WhiteHat Security, the list is voted on by the security community at large, based on a range of talks, research papers and high-impact vulnerability announcements.
“Every year, the security community produces a stunning number of new techniques that are published in various white papers, blog posts, articles and conference presentations,” said Johnathan Kuskos, manager of WhiteHat's research team. “Within these thousands of pages are the newest, most creative ways to attack websites, browsers and their mobile equivalents. We created the Top 10 Web Hacks as a way to encourage information sharing within the InfoSec community, help IT professionals stay up-to-date with the recommended fixes and recognize the researchers who contribute excellent work in uncovering vulnerabilities.”
An SSL/TLS vulnerability that would allow attackers to intercept HTTPS connections and force them to use weakened encryption.
Researchers: Karthikeyan Bhargavan at INRIA in Paris and the miTLS team
Further details on the research: https://freakattack.com
A Black Hat talk on how to tweak timing side-channel attacks so that remote timing attacks against modern web apps become easier to perform.
Researchers: Timothy Morgan and Jason Morgan
Research that shows how it is possible to evade cross-site scripting filters of all popular web-application firewalls.
Researcher: Mazin Ahmed
Additional information: http://blog.mazinahmed.net/2015/09/evading-all-web-application-firewalls.html
An attack pattern that can wreck the security assurances of X.509 PKI security architecture by employing CA certificates that include a secretly embedded backdoor.
Researcher: Alfonso De Gregorio
Additional information: http://www.illusorytls.com
A Black Hat talk examining methods of exploiting XML entity vulnerabilities in file parsing/upload functionality for XML-based file formats such as DOCX, XLSX and PDF.
Researcher: Will Vandevanter
Research and proof-of-concept attacks highlighted at Black Hat that show how XSLT can be leveraged to undermine the integrity and confidentiality of user information.
Researcher: Fernando Arnaboldi
Research into a weakness in the way PHP compares hashed strings in certain instances, which makes it possible to compromise authentication systems and other functions that rely on hash comparisons in PHP.
Researchers: Robert Hansen and Jeremi M. Gosney
Additional information: https://www.whitehatsec.com/blog/magic-hashes/
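The weakness above comes down to PHP's loose `==` comparison treating two different digests as equal when both look like numeric strings (a hex digest of the form `0e` followed only by digits is read as the float zero). The snippet below is an added illustration written for this page, not code from the Hansen/Gosney research; the two inputs are well-known published examples whose MD5 digests both take that `0e...` form, and the hardened check uses PHP's built-in `hash_equals`.

```php
<?php
// Two distinct inputs (published examples) whose MD5 digests both begin with "0e"
// followed only by decimal digits, so PHP parses each as a numeric string.
$storedDigest    = md5('QNKCDZO');   // the hash kept in the user store
$submittedDigest = md5('240610708'); // hash of a different value supplied at login

// Vulnerable pattern: loose comparison coerces both digests to the float 0.0,
// so two unrelated hashes compare equal and the check can be bypassed.
function verifyLoose(string $stored, string $submitted): bool
{
    return $stored == $submitted;
}

// Hardened pattern: hash_equals() compares byte-for-byte (and in constant time),
// so only an identical digest passes.
function verifyStrict(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

var_dump(verifyLoose($storedDigest, $submittedDigest));
var_dump(verifyStrict($storedDigest, $submittedDigest));
```

The same fix applies to any place a digest or token is compared with `==`: replace it with `hash_equals()` (or at minimum `===`), and prefer `password_hash()`/`password_verify()` for credentials rather than raw MD5 or SHA-1 digests.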
Research presented at 44CON delves into how to use exploit-induced callback methods to find vulnerabilities hiding in backend functions and background threads.
Researcher: James Kettle