Web 2.0 Expo: Top ten Web hacking techniques
A large portion of the Web 2.0 Expo attendees are focused on content. They want to create better, more engaging content for social media programs and Web engagement with their customers. But the Web and application developers behind this content need to know how to secure it. This is what Jeremiah Grossman, CTO and founder of WhiteHat Security, discussed today during his presentation, "The Web Just Got A Little More Dangerous."
"I say a little more dangerous because the Web was already broken," he said.
Grossman stressed that the more we rely on the Web, the more attractive the Web becomes as an attack vector. Companies need to be concerned both about data security and potential brand damage when it comes to Web security. He shared with the audience a top ten -- or most dangerous -- list of Web hacking techniques from 2008 of which developers especially should be aware:
10. Flash Parameter Injection - Using cross-site scripting, this can grant the attacker full control over the page, as well as control over other objects within the movie. Best defense, when you're developing flash applications be sure to sanitize user input according to context before its reflected back to the user.
9. ActiveX Repurposing - Multi-staged attack to get code execution on victims who were running a vulnerable and popular SSL-VPN attack. Defenses are making sure ActiveX makes use of Sitelock wherever possible and restrict Active X to the maximum degree possible.
8. Tunneling TCP over HTTP over SQL-injection - The best defense against this kind of attack is a good network architecture, solid application design and database hardening.
7. Cross-domain leaks of site logins via authenticated CSS - Checks the contents of a stylesheet property across domains to determine whether the victim is logged in to a given Web site. Do not store anything user-sensitive in a CSS style sheet. It won't prevent the bad guy from knowing the user uses your site, but it will prevent them for knowing if they are logged in.
6. Abusing HTML 5 structured client-side storage. Attackers could steal or modify sensitive data online or offline. If a Web app uses this kind of client-side storage is vulnerable to attacks. Avoid saving sensitive data on the users machine and clear the client-side storage whenever possible; regularly check the content of the HTML5 client-side storage.
5. A different Opera - Exploit an XSS in Opera, however, upgrading to Opera 9.62 versions and up should take care of the problem.
4. Clickjacking / videojacking - An attacker can invisibly hover buttons, images or links below a user's mouse so that when a user clicks on what they think is a trusted button or link, but they are actually executing an embedded code . Without the user knowing, it can even capture pictures and video, and even audio. Clickjacking enables corporate espionage, government surveillance, home user spying, etc. Upgrading to Adobe Flash 10 can help. Also, frame-busting code to make sure any pages you deem important are not as susceptible for clickjacking. Internet Explorer 8 also has some anti-clickjacking functionality.
3. Safari carpet bomb - Allows an attacker to litter a Windows' user's desktop or a Mac users' desktop with arbitrary files and malware. Windows users should download the latest ersion of Safari.
2. Breaking google gears' cross-origin communication model - The cross-origin comm model could be bypassed so an attacker could gain access to sensitive resources of the victim in other Web sites (even those that do not use Google Gears). Update Google Gears to minimize risk.
1. GIFAR - Content ownership issue. The attacker combines a GIF image file and a Java archive (JAR) that contains class files for a Java Applet. A Web application will then allow the upload the image to a server, but the malicious applet code can be executed. To protect against this do not accept file uploads. Or, upload you get convert it to another image no matter what (Facebook does a good job with this). For an end user, disable the third-party browser extensions and install the latest JVM and remove older versions.