Every year, WhiteHat Security coordinates the development of the Top 10 Web Hacking Techniques list. Now in its tenth year, this year’s list was compiled from 39 submissions discovered during the year and published via papers, blogs or articles, or presented at conferences. The annual Black Hat conference in Las Vegas, an important venue for showcasing the latest techniques, contributed three of the top 10 for 2015. From the 39 submissions, members of the security research community then voted to whittle the list down to 10.
It’s important for IT professionals to be aware of the latest hacking techniques so they can gain an understanding of how attacks happen, the severity of each issue encountered and how wide the effect of each technique could be.
For 2015, the top 10 list is as follows:
- FREAK (Factoring Attack on RSA-Export Keys)
- LogJam
- Web timing attacks made practical
- Evading All* WAF XSS filters
- Abusing CDNs with SSRF Flash and DNS
- IllusoryTLS
- Exploiting XXE in file parsing functionality
- Abusing XSLT for practical attacks
- Magic hashes
- Hunting asynchronous vulnerabilities
The top three hacking techniques in the list show that SSL/TLS remains a key target: vulnerabilities in these cryptographic protocols affect HTTPS and every other service that relies on SSL or TLS to secure websites, email and other communications. All three techniques work by weakening the encryption so that an attacker can reach potentially sensitive information, either by intercepting communications or by impersonating a secure website.
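The FREAK and LogJam entries in the list both depend on a server still offering export-grade key exchange (512-bit RSA or 512-bit Diffie-Hellman), so the defender's first check is the server's own cipher configuration. The script below is an added example, not code from WhiteHat or from this article; it assumes OpenSSL's cipher suite naming convention (export suites carry an `EXP-` or `EXP1024-` prefix, ephemeral DH suites contain `EDH` or `DHE`) and the sample configurations at the bottom are constructed for illustration.

```python
"""Audit a TLS configuration for the export-grade weaknesses behind FREAK and
Logjam. Added example, not code from the WhiteHat list or this article.

Assumptions: cipher suites use OpenSSL's naming convention (export suites carry
an EXP- or EXP1024- prefix, ephemeral DH suites contain EDH or DHE), and the
sample configurations at the bottom are constructed for illustration.
"""

# 1024-bit DH groups are the ones Logjam targets; 2048 bits is the usual floor.
MIN_DH_BITS = 2048


def classify_suite(name):
    """Return "FREAK", "Logjam" or None for an OpenSSL cipher suite name.

    FREAK abuses RSA_EXPORT key exchange (512-bit RSA); Logjam abuses
    DHE_EXPORT key exchange (512-bit DH). Anything not export-grade is None.
    """
    if not name.startswith(("EXP-", "EXP1024-")):
        return None
    if "EDH" in name or "DHE" in name:
        return "Logjam"
    return "FREAK"


def audit_cipher_list(ciphers, dh_param_bits=None):
    """Return a list of findings for an explicit list of enabled suites.

    dh_param_bits is the size of the server's DH parameters, or None if the
    server does not offer any DHE suite.
    """
    findings = []
    for name in ciphers:
        issue = classify_suite(name)
        if issue:
            findings.append(f"{name}: export-grade key exchange ({issue})")
    offers_dhe = any("EDH" in n or "DHE" in n for n in ciphers)
    if offers_dhe and dh_param_bits is not None and dh_param_bits < MIN_DH_BITS:
        findings.append(
            f"DH parameters are {dh_param_bits} bits; use at least "
            f"{MIN_DH_BITS} (Logjam)"
        )
    return findings


def audit_cipher_string(cipher_string):
    """Check an OpenSSL cipher string (e.g. "HIGH:!aNULL:!EXPORT") for tokens
    that enable export or low-strength suites.

    Tokens prefixed with '!' permanently remove suites, so "!EXPORT" is good;
    a bare "EXPORT", "EXP" or "LOW" enables weak suites, and "ALL" without a
    "!EXPORT" keeps export suites enabled on OpenSSL builds that still ship them.
    """
    tokens = [t.strip() for t in cipher_string.split(":") if t.strip()]
    weak_keywords = {"EXPORT", "EXP", "LOW", "EXPORT40", "EXPORT56"}
    removed = {t[1:] for t in tokens if t.startswith("!")}
    findings = []
    for t in tokens:
        if t in weak_keywords:
            findings.append(f"'{t}' explicitly enables weak suites")
    if "ALL" in tokens and not (removed & {"EXPORT", "EXP"}):
        findings.append("'ALL' without '!EXPORT' may leave export suites enabled")
    return findings


# Constructed sample configurations (not taken from the article).
WEAK_CONFIG = {
    "ciphers": ["EXP-RC4-MD5", "EXP-EDH-RSA-DES-CBC-SHA", "AES128-SHA",
                "DHE-RSA-AES128-SHA"],
    "dh_param_bits": 1024,
}
HARDENED_CONFIG = {
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"],
    "dh_param_bits": 2048,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_cipher_list(cfg["ciphers"], cfg["dh_param_bits"])
        print(label, result or ["no findings"])
    print(audit_cipher_string("ALL:!aNULL:EXPORT"))
    print(audit_cipher_string("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!EXPORT"))
```

This audits what the configuration says, not what the server actually negotiates on the wire; a scan of the live endpoint that records which suites and DH group sizes the server accepts is the complementary check, since a default or inherited configuration can differ from the one in the file.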
According to WhiteHat, the techniques in the top 10 list highlight the fact that web hacks are the ones making the headlines, as hackers realize they can gain much more by compromising web- or cloud-based properties wholesale than by looking for files related to specific individuals.
To counter these hacking techniques, IT teams need to deploy platforms and develop software with security in mind from the design phase onward. WhiteHat notes that a recurring feature of this year’s list is continued reliance on legacy code, so engineering teams must look closely at weaknesses in their code and build defenses wherever flaws are found. Organizations should use only applications that have been built with security in mind and thoroughly tested throughout the development life cycle to weed out vulnerabilities.