Comments on: Submit Your Top Web Hacking Techniques for 2008

By: a tale of a fateful trip « fields of serenity

a tale of a fateful trip « fields of serenity — Wed, 18 Feb 2009 06:35:21 +0000

[...] Submit Your Top Web Hacking Techniques for 2008//GNUcitizen [...]

By: LonerVamp

LonerVamp — Fri, 13 Feb 2009 17:10:58 +0000

Kinda like asking one person or even a team of people to secure everything in a company, you can’t ask one person, team, group of judges, or even a general representation of your traffic/hits to poop out a list of the best things.

There will always be some person or group of another pdp who feels slighted or does not agree with the weighting or feels something was left out of wrongly included. Let alone getting respectful concensus inside the group itself! “Bah, take my name off the list because I disagree!”

I think that’s going to be the nature of something like a list of top hacks or techniques or issues.

By the way, democracy does not always work. I would much rather have a good panel of judges rather than the dirty masses of the public…

The best I hope for in lists like this are as follows:
- eventual consistency (in scope and definitions)
- possible information that I didn’t know before
- opinions from experts on what I should care about in my enterprise

That actual ordering or bragging rights on things like this are not important and will forever be open to debate by everyone.

By: XanthiX

XanthiX — Sat, 07 Feb 2009 00:31:12 +0000

From my personal point of view the top web hacking technique for 2008 is XSS via Adobe Flash which is still active in current version of Adobe Flash pluggin. I have successfully tested XSS keylogger via this attack vector and in my opinion this vector has potential to become very dangerous for the future, if not fixed.

By: pdp

pdp — Mon, 02 Feb 2009 15:18:24 +0000

haha :), ok, ok… I understand that it may look like that but this is definitely not the case :) just trying to improve the way these things are handled in the future. and there is alway room for improvements. I am interested what the judges will come with.

By: Jeremiah

Jeremiah — Mon, 02 Feb 2009 01:29:51 +0000

Is that a subtle way of saying you want on the judges panel? ;) I would have asked you actually, but you were in the running for the top ten. Needed to limit bias. Would have also been the case for the “30-50″ others likely. That’s why no RSnake and a bunch of other researchers.

Had to choose some solid security people with some webappsec background.

By: pdp

pdp — Sun, 01 Feb 2009 22:34:27 +0000

why didn’t you form an internal group/mail list of experts, 30-50 people, to form the list of web hacking techniques and decide between each other which one is the best? that way, the whole thing will be consistent from start.

By: Jeremiah

Jeremiah — Sun, 01 Feb 2009 20:47:13 +0000

There were a couple of factors that went into my decision for this year. And remember, last year I did an open vote system via survey monkey.

1) Ballot stuffing last year was a real problem. My decision had nothing to do with the “security” of a site, but a lot more to do with the amount of workload involved.

2) While we got results last year I felt were representative of the communities vote, myself and several others did not feel it was accurate. At least a couple very powerful attacks were left off the list and should have easily overtaken others.

So for this year I felt it would be better to leave it to a solid panel of experts that could fully investigate the merits of the attacks to come up with a better list. Will it be perfect? No, of course not, impossible to make everyone happy. Will it be better than last year? Yes, that is my hope.

By: pdp

pdp — Sun, 01 Feb 2009 18:26:56 +0000

sometimes security experts are just keen on not taking the risk so that they can have clean names :) although we all know that people make mistakes, regardless how good they are. it is a proven fact.

By: torstein

torstein — Sun, 01 Feb 2009 13:12:50 +0000

If you – of all people – can’t secure a webapp, Jeremiah, how can you expect anyone else to?

(no offence)

By: pdp

pdp — Fri, 30 Jan 2009 09:32:03 +0000

I don't know J :) Saying this is like saying that there is no point of securing Web Application as they will get hacked eventually. I think that it can be done and it can be made secure too. Here is something that wont be easy to trick.

Recaptcha + Email Verification = Vote you should be able to trust!

By: jeremiah

jeremiah — Fri, 30 Jan 2009 00:45:42 +0000

I’d preferred to have an open voting system decide the eventual outcome, if fact, this is what I did the last time. However, when doing this in the midst of a bunch of Web hackers, its a bit easier said than done. :) What if we used a public voting system create a short list and let the judges order the final 10. Or, perhaps the other way around?