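Jeremiah Grossman of WhiteHat Security compiled the top ten hacking techniques for each year from 2006 to 2010. Interested readers can take a look; it is not a bible, but these are definitely classic techniques.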
Top 10 web hacking techniques of 2010
1) 'Padding Oracle' Crypto Attack (poet, Padbuster, demo, ASP.NET)
Juliano Rizzo (@julianor), Thai Duong (@thaidn)
2) Evercookie
Samy Kamkar (@samykamkar)
3) Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
Jeremiah Grossman (@jeremiahg)
4) Attacking HTTPS with Cache Injection (Bad Memories)
Elie Bursztein (@ELIE), Baptiste Gourdin (@bapt1ste), Dan Boneh
5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
Lavakumar Kuppan (@lavakumark)
6) Universal XSS in IE8 (CVE, White Paper)
Eduardo Vela (@sirdarckcat), David Lindsay (@thornmaker)
7) HTTP POST DoS
Wong Onn Chee, Tom Brennan (@brennantom)
8) JavaSnoop
Arshan Dabirsiaghi (@nahsra)
9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
Robert "RSnake" Hansen (@rsnake)
10) Java Applet DNS Rebinding
Stefano Di Paola (@WisecWisec)
Top 10 web hacking techniques of 2009
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger
2. HTTP Parameter Pollution (HPP)
Luca Carettoni, Stefano Di Paola
3. Flickr's API Signature Forgery Vulnerability (MD5 extension attack)
Thai Duong and Juliano Rizzo
4. Cross-domain search timing
Chris Evans
5. Slowloris HTTP DoS
Robert Hansen (additional credit for earlier discovery to Adrian Ilarion Ciobanu & Ivan Ristic; the “Programming Model Attacks” section of Apache Security described the attack but did not produce a tool)
6. Microsoft IIS 0-Day Vulnerability Parsing Files (semi-colon bug)
Soroush Dalili
7. Exploiting unexploitable XSS
Stephen Sclafani
8. Our Favorite XSS Filters and how to Attack them
Eduardo Vela (sirdarckcat), David Lindsay (thornmaker)
10. DNS Rebinding (3-part series Persistent Cookies, Scraping & Spamming, and Session Fixation)
Robert Hansen
Top 10 web hacking techniques of 2008
1. GIFAR
(Billy Rios, Nathan McFeters, Rob Carter, and John Heasman)
2. Breaking Google Gears' Cross-Origin Communication Model
(Yair Amit)
3. Safari Carpet Bomb
(Nitesh Dhanjani)
4. Clickjacking / Videojacking
(Jeremiah Grossman and Robert Hansen)
5. A Different Opera
(Stefano Di Paola)
6. Abusing HTML 5 Structured Client-side Storage
(Alberto Trivero)
7. Cross-domain leaks of site logins via Authenticated CSS
(Chris Evans and Michal Zalewski)
8. Tunneling TCP over HTTP over SQL Injection
(Glenn Wilkinson, Marco Slaviero and Haroon Meer)
9. ActiveX Repurposing
(Haroon Meer)
10. Flash Parameter Injection
(Yuval Baror, Ayal Yogev, and Adi Sharabani)
Top 10 web hacking techniques of 2007
1. XSS Vulnerabilities in Common Shockwave Flash Files
2. Universal XSS in Adobe’s Acrobat Reader Plugin
3. Firefox’s JAR: Protocol issues
4. Cross-Site Printing (Printer Spamming)
5. Hiding JS in Valid Images
6. Firefoxurl URI Handler Flaw
7. Anti-DNS Pinning (DNS Rebinding)
8. Google GMail E-mail Hijack Technique
9. PDF XSS Can Compromise Your Machine
10. Port Scan without JavaScript
Top 10 web hacking techniques of 2006
1. Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model)
2. Internet Explorer 7 "mhtml:" Redirection Information Disclosure
3. Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
4. Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images)
5. Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3's)
6. Forging HTTP request headers with Flash
7. Exponential XSS
8. Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
9. Web Worms - (AdultSpace, MySpace, Xanga)
10. Hacking RSS Feeds