Top web hacking techniques of 2015

Here are the top 10 hacking techniques discovered in 2015

Yesterday we brought out the list of top 6 password cracking techniques used by hackers and cyber criminals. In continuation of the same series we today bring out the 10 top hacking techniques used by hackers in 2015.

Hacking

Hacking was a term that originated in 1990s and is associated with the unauthorized use of computer and network resources. By definition, hacking is the practice of altering the features of a system, to accomplish a goal which is not in scope of the purpose of its creation.

Hacking is more commonly used in context of “Computer Hacking” where threat is posed to security of the computer and other resources. In addition, hacking has few other forms which are less known and talked about .e.g. brain hacking, phone hacking etc.

Hacker” was a term used to denote a skilled programmer who had competency in machine code and operating systems. Such individuals were proficient in solving unsatisfactory problems and often interpreted competitors’ code to work as intelligence agents for small software companies.

There are three types of hackers, white hat or ethical hackers, grey hat hackers and black hat hackers. You can read about the different types of hackers here. We dont usually have to worry about ethical hackers but need to keep an out for the grey hat and black hat hackers who are usually cyber criminals.

In 2015, there were a dozen big time vulnerabilities discovered by researchers. However, a few of those were actually exploited in the wild.

Here are the top 10 hacking techniques discovered in 2015 :

#1 FREAK Attack

Freak attack is a SSL/TLS Vulnerability that would allow attackers to intercept HTTPS connections and force them to use weakened encryption. The vulnerability was first reported in May, 2015 and can be read here.

Researchers: Karthikeyan Bhargavan at INRIA in Paris and the miTLS team. You can get further details about Freak attack research here.

#2 LOGJAM vulnerability

Logjam vulnerability was discovered in October, 2015. It was another TLS vulnerability that allows man-in-the-middle attacks by downgrading vulnerable TLS connections to 512-bit encryption.

A researcher team of David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann discovered this vulnerability and you can read additional information about it here.

#3 Web Timing Attacks

Web Timing attacks have been revealed many years back but this is the first time that researchers showed how it can be executed. Black Hat talk on how to tweak timing side-channel attacks to make it easier to perform remote timing attacks against modern web apps.

The lead researchers of web timing attack are Timothy Morgan and Jason Morgan.

#4 Evading All* WAF XSS Filters

Security researcher Mazin Ahmed discovered that it is  it is possible to evade cross-site scripting filters of all popular web-application firewalls. Once exploited the hackers can do pretty much anything they want.

The research paper can be read here.

#5 Abusing CDN’s with SSRF Flash and DNS

Now a days almost all big websites use content delivery networks (CDN). Research highlighted at Black Hat looking at a collection of attack patterns that can be used against content delivery networks to target a wide range of high availability websites.

The two Researchers, Mike Brooks and Matt Bryant discovered this hacking technique.

#6 IllusoryTLS

IllusoryTL is an attack pattern that can wreck the security assurances of X.509 PKI security architecture by employing CA certificates that include a secretly embedded backdoor. The vulnerability was discovered by a security researcher, Alfonso De Gregorio.

You can get additional information about illusorytls here.

#7 Exploiting XXE in File Parsing Functionality

Cyber criminals can exploit the XXE in file parsing functionality. A Black Hat talk examining methods in exploiting XML Entity vulnerabilities in file parsing/upload functionality for XML-supported file formats such as DOCX, XSLX and PDF.

https://www.youtube.com/watch?v=ouBwRZJHmmo

The security researcher who discovered this vulnerability was Will Vandevanter.

#8 Abusing XLST

The vulnerability in XLST was known for a long time but security researcher Fernando Arnaboldi demonstrated it for the first time at the Black Hat conference.

https://www.youtube.com/watch?v=bUcd-yibTCE

Research and proof-of-concept attacks highlighted at Black Hat that show how XSLT can be leveraged to undermine the integrity and confidentiality of user information.

#9 Magic Hashes

Security researchers, Robert Hansen and Jeremi M. Gosney discovered a vulnerability in the way PHP handles hash comparisons.

Looks into a weakness in the way PHP handles hashed strings in certain instances to make it possible to compromise authentication systems and other functions that use hash comparisons in PHP.

You can get further information about magic hashes here.

#10 Asynchronous Vulnerabilities

Security researcher James Kettle presented a research at 44CON delves which explains how to use exploit-induced callback methods to find vulnerabilities hiding in backend functions and background threads.

Also read: Here is how you can learn hacking in 3 steps

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Read More

Suggested Post