Top ten web attack techniques of 2013
At AppSec USA in Denver, Matt Johansen and Johnathan Kuskos of WhiteHat Security gave a presentation on a project that WhiteHat runs: collecting the top "web hacking techniques" for the year. That list eventually gets whittled down to a "Top Ten", which is what Johansen and Kuskos presented. A companion blog post by Top Ten (and WhiteHat) founder Jeremiah Grossman gives more details as well as linking to the lists going back to the start in 2006.
Johansen and Kuskos are both part of WhiteHat's Threat Research Center. Johansen is a "hacker turned to the dark side of management", but "at least it's not sales", he said with a laugh. He is the head of the center, while Kuskos is an engineer and supervisor there. Kuskos is also the Houston chapter lead for the Open Web Application Security Project (OWASP, which organizes AppSec). Both are, not surprisingly, longtime security researchers as well.
![Matt Johansen](https://static.lwn.net/images/2014/appsec-topten-sm.jpg)
The security community has a big role in creating the list, Johansen said. All of the techniques are suggested by community members during the year from various conference presentations, publications, and other sources. The list is then published early in the year for the community to vote on. This year, there were 31 new techniques listed, which is lower than in previous years (56 in 2012, 51 in 2011). The votes are tabulated to choose the top fifteen, which are then ranked by a panel of security experts "based on novelty, impact, and overall pervasiveness". That vote results in the Top Ten list. One can already see some of the nominees for 2014 posted as comments on Grossman's blog post.
The two breezed through the bottom half of the list, just briefly mentioning each, with little detail. However, the slides [PPT] have links to more information. Number ten was an HTML5 technique to fill the disk of clients by abusing the Web Storage standard. De-cloaking Tor hidden services by passively scanning the internet for outages came in at number nine.
A way to automatically detect DOM-based cross-site scripting vulnerabilities [PDF] was number eight on the list. Grossman and Johansen landed at number seven with their million browser botnet [SlideShare] that used online advertising networks to distribute code that recruited browsers into a JavaScript-based botnet. The number six entry was XML out-of-band data retrieval [PDF] that allows access to files and network resources via a malicious XML file.
They then moved into a more detailed look at the top five. Some weaknesses found in the RC4 cipher were up first. RC4 is one of the more popular algorithms used by TLS. That covers more than just HTTPS, as secure IMAP and other protocols also use TLS. The irony is that because of the BEAST attack (the winner in 2011) against cipher-block chaining (CBC) mode, RC4 was suggested as a safer alternative. The vulnerability described is "feasible but not practical", Johansen said, because it requires either a lot of handshakes (e.g. a billion) or the exchange of a lot of data (e.g. 16MB) to extract a small amount of plaintext. But, he reminded the audience, attacks against cryptographic algorithms only get better over time.
![Johnathan Kuskos](https://static.lwn.net/images/2014/appsec-topten2-sm.jpg)
Number four is another cryptographic attack. Those often dominate the list and have topped it three out of the last five years, but did not do so for 2013, they said. In any case, the Lucky 13 attack goes after CBC-mode encryption in TLS and Datagram TLS (DTLS). It exploits a flaw in the TLS specification itself, rather than a bug in a specific implementation, which makes it more difficult to fix. Once again, though, it requires lots of data exchange, all on the same LAN to eliminate timing jitter, to recover a fairly small amount of plaintext.
Johansen said that the Black Hat session for pixel perfect timing attacks against HTML5 was "arguably the best Black Hat talk I have ever seen". He strongly suggested watching the video [YouTube] of the talk. The basic idea is to retrieve a user's browsing history by using the JavaScript requestAnimationFrame API to time the rendering of an IFRAME containing a link of interest. Because browsers request the history asynchronously, then repaint any links that have been visited, the difference between visited and unvisited links can be detected using the timing information. If the links have lots of different CSS style options added to them, the difference between rendering them once and rendering them twice becomes significant. The same talk also showed an attack that used optical character recognition (OCR) techniques to obtain sensitive data from IFRAMEs of other logged-in sites.
Yet another cryptographic attack came in at number two. BREACH is related to the winner for 2012, CRIME, and once again attacks compressed HTTPS traffic. It is an "extremely realistic" attack, Kuskos said, that can extract session identifiers, cross-site request forgery (CSRF) tokens, and other sensitive information from those sessions in as little as 30 seconds. If the attacker can inject data into the response (from a malicious wireless router, for example), it can measure the size of the compressed response to narrow in on the secrets it is after.
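The size signal that BREACH measures, and the mitigation that removes it, can be seen with nothing more than zlib. The script below is an added Python example, not code from the article or the talk: it builds a constructed HTML response containing a CSRF token next to text echoed from the request, shows that a reflected guess sharing a prefix with the token compresses to fewer bytes than a wrong guess, and then applies per-response token masking (sending `pad || (token XOR pad)` with a fresh pad each time), so the token bytes never repeat inside a response and a guess has nothing to match. The page skeleton, the token value, the guess strings and the `mask_token`/`unmask_token` helpers are all assumptions for this demonstration.

```python
# Added example (not from the article or the talk): the compression side
# channel BREACH relies on, and the token-masking defence against it.
import os
import zlib
from typing import Optional

TOKEN = "3f9a71c0d2e85b64"   # constructed CSRF token, fixed so the demo is repeatable


def page(reflected: str, csrf_value: str) -> bytes:
    """Minimal HTML response with the CSRF token and text echoed from the request."""
    return (
        "<html><body>"
        '<a href="/logout?csrf_token=' + csrf_value + '">Log out</a>'
        "<p>You searched for: " + reflected + "</p>"
        "</body></html>"
    ).encode()


def compressed_size(body: bytes) -> int:
    """Bytes on the wire after HTTP compression (zlib is DEFLATE, like gzip)."""
    return len(zlib.compress(body, 6))


def size_oracle(csrf_value: str, guesses) -> dict:
    """Compressed response size for each reflected guess: the signal BREACH measures."""
    return {g: compressed_size(page(g, csrf_value)) for g in guesses}


def mask_token(token_hex: str, pad: Optional[bytes] = None) -> str:
    """Encode the token as pad || (token XOR pad) with a fresh random pad per response."""
    raw = bytes.fromhex(token_hex)
    if pad is None:
        pad = os.urandom(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, pad))
    return (pad + masked).hex()


def unmask_token(masked_hex: str) -> str:
    """Server side: split off the pad and recover the real token before validating it."""
    data = bytes.fromhex(masked_hex)
    half = len(data) // 2
    return bytes(a ^ b for a, b in zip(data[:half], data[half:])).hex()


if __name__ == "__main__":
    guesses = ["csrf_token=3f9", "csrf_token=7c2"]   # right prefix vs. wrong prefix
    # Unmasked: the right prefix repeats bytes already in the page, so it
    # compresses smaller; the attacker extends the guess one character at a time.
    print("unmasked:", size_oracle(TOKEN, guesses))
    # Masked: the page carries pad||(token^pad), which changes every response,
    # so neither guess finds a longer match than "csrf_token=".
    print("masked:  ", size_oracle(mask_token(TOKEN), guesses))
```

Masking does not stop the response from being compressed; it only ensures the bytes an attacker is trying to guess differ on every response, which is the property the size oracle depends on. The server keeps validating the unmasked value, so existing token checks are unchanged.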
A new cross-site scripting (XSS) technique, known as Mutation XSS, is the winner of the best web attack technique of 2013. It uses the JavaScript innerHTML property, which can set the HTML content of an element directly, bypassing the DOM node-construction methods. It is a shortcut that is widely used, but it has a drawback: innerHTML "fixes" the HTML that gets passed to it. Those fixes can go awry, causing crafted non-XSS strings that are passed to innerHTML to be "helpfully" turned into ones that contain an XSS attack.
Johansen and Kuskos wrapped things up by noting that "everything old is new again", as many of the techniques covered are related to earlier attack techniques. On the other hand, some required a lot of "out of the box thinking" (e.g. pixel perfect timing). Encryption attacks are still popular too, which is not really a surprise given the history. They ended with a request for more suggestions for 2014 and a "thanks" to the community as the "list would not exist" without it.
| Index entries for this article | |
|---|---|
| Security | Vulnerabilities |
| Security | Web |
| Conference | AppSec USA/2014 |