
Top 10 web hacking techniques of 2010 revealed

Biggest attack goes after Microsoft's ASP.NET Web framework

We look at the 10 worst web hacking techniques that appeared during 2010 to cause havoc.

A web hack that can endanger online banking transactions has been named the worst new web hacking technique that appeared in 2010 in a top 10 list selected by a panel of experts and open voting.

Called the Padding Oracle Crypto Attack, the hack takes advantage of how Microsoft's ASP.NET web framework protects its AES-encrypted cookies.

If the encrypted data in a cookie has been tampered with, the way ASP.NET handles it leaks some information about how to decrypt the traffic. With enough repeated changes and leaked information, the hacker can deduce which possible bytes can be eliminated from the encryption key. That reduces the number of unknown bytes to a small enough number to be guessed.

The hack's developers, Juliano Rizzo and Thai Duong, have also built a tool that carries it out.
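Why the altered-cookie handling described above leaks information, and what removes the leak, as an added example (not from the article and not ASP.NET's code): a toy CBC cookie protector with PKCS#7 padding, a handler that reports padding failures as their own response, and an encrypt-then-MAC handler that rejects any tampered cookie before unpadding runs, plus `response_classes`, a regression check that counts how many distinct responses one tampered byte can produce. The block cipher is an HMAC-based Feistel stand-in for AES (an assumption, so the example runs on the standard library alone); the cookie contents and keys are constructed.

```python
import hashlib, hmac, secrets
BLOCK = 16
# Toy 16-byte block cipher (4-round Feistel keyed with HMAC-SHA256) standing in for AES (assumption);
# only the padding and MAC handling below matters for the point being made.
def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r
def cbc_encrypt(key, iv, pt):  # CBC with PKCS#7 padding
    n = BLOCK - len(pt) % BLOCK
    pt, out = pt + bytes([n]) * n, [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(block_encrypt(key, _xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out[1:])
def cbc_decrypt_unpad(key, iv, ct):
    out = b"".join(_xor(block_decrypt(key, ct[i:i + BLOCK]), (iv + ct)[i:i + BLOCK])
                   for i in range(0, len(ct), BLOCK))
    n = out[-1]
    if not 1 <= n <= BLOCK or out[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # a distinguishable failure: this is the oracle
    return out[:-n]
def vulnerable_handler(key, cookie):  # decrypts first; nothing authenticates the cookie
    try:
        pt = cbc_decrypt_unpad(key, cookie[:BLOCK], cookie[BLOCK:])
    except ValueError:
        return "500 Internal Server Error"  # padding failure surfaces as its own response
    return "200 OK" if pt.startswith(b"user=") else "403 Forbidden"
def hardened_handler(enc_key, mac_key, cookie):  # encrypt-then-MAC: verify before decrypting
    body, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return "403 Forbidden"  # every tampered cookie gets the same answer; no unpadding runs
    pt = cbc_decrypt_unpad(enc_key, body[:BLOCK], body[BLOCK:])  # cannot fail: body is authentic
    return "200 OK" if pt.startswith(b"user=") else "403 Forbidden"
def response_classes(handler, cookie, pos):  # regression check: 1 means no oracle at this byte
    tampered = (cookie[:pos] + bytes([v]) + cookie[pos + 1:] for v in range(256) if v != cookie[pos])
    return len({handler(c) for c in tampered})
def make_cookies(pt=b"user=alice"):  # constructed sample cookie under fresh random keys
    ek, mk, iv = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(BLOCK)
    body = iv + cbc_encrypt(ek, iv, pt)
    return (lambda c: vulnerable_handler(ek, c), body,
            lambda c: hardened_handler(ek, mk, c), body + hmac.new(mk, body, hashlib.sha256).digest())
```

For the vulnerable handler, varying the last byte of the IV yields two response classes (the padding-valid case answers differently), while the hardened handler answers every tampered cookie identically.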

Padding Oracle was voted number one by a panel that included Ed Skoudis, founder of InGuardians; Giorgio Maone, the author of NoScript; Armorize CEO Caleb Sima; Veracode CTO Chris Wysopal; OWASP Chairman and CEO Jeff Williams; security consultant Charlie Miller of Independent Security Evaluators; IOActive director of penetration testing Dan Kaminsky; Steven Christey of Mitre; and White Hat Security vice president of operations Arian Evans.

The ranking was sponsored by Black Hat, OWASP and White Hat Security, and details of the hacks will be the subject of a presentation at the IT-Defence 2011 conference next month in Germany.

Here are the rest of the top 10 web hacks voted in the competition:

2. Evercookie

This enables JavaScript to create cookies that hide in eight different places within a browser, making them difficult to scrub. Evercookie lets the hacker identify the machine even after traditional cookies have been removed. (Created by Samy Kamkar.)

3. Hacking Autocomplete

If the browser feature that automatically completes forms on websites (autocomplete) is turned on, a script on a malicious website can force the browser to fill in personal data by tapping various data stored on the victim's computer. (Created by Jeremiah Grossman.)
