Jeremiah Grossman & co’s “Top Web Hacking Techniques of 2008” have been released. Go check’m out, update your own techniques, and add anything they might have missed (I can’t think of any…).
Some of my favorites:
- GIFARs – These files can be uploaded to sites that allow image uploading (such as many sites’ member photos) to run code in the context of that site, getting around the “same origin policy” that browsers impose. Handy for spl0iting forums.
- SQL Column Truncation – Interesting technique that j0e brought to my attention. Good for spl0iting your friendly neighborhood MySQL app.
- Cross-Environment Hopping – To be honest, I haven’t read the whole post here, but I think I’ve always wanted to cross-hop someone. Sue me. (This is a REALLY nice explanation of current same-origin issues & how to utilize different IE / Firefox components to take advantage of variations in implementation, for what it’s worth.)
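
For the GIFAR item above, an added example (not from the original post or the linked write-ups): a Python upload check that walks the GIF block structure to its trailer, flags any bytes after it, and asks a ZIP parser whether it would also accept the file, since ZIP/JAR readers locate the archive from the end of the file. The function names and the sample bytes are constructed for illustration.

```python
import io
import zipfile

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed GIF sub-blocks; return offset after the 0x00 terminator."""
    while True:
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def gif_end(data: bytes) -> int:
    """Offset just past the GIF trailer byte (0x3B). Raises ValueError on malformed input."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        pos = 13                                   # header (6) + logical screen descriptor (7)
        if data[10] & 0x80:                        # global colour table present
            pos += 3 * (2 << (data[10] & 0x07))
        while True:
            kind = data[pos]
            if kind == 0x3B:                       # trailer: the image ends here
                return pos + 1
            if kind == 0x21:                       # extension: introducer, label, sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif kind == 0x2C:                     # image descriptor (10 bytes)
                flags = data[pos + 9]
                pos += 10
                if flags & 0x80:                   # local colour table present
                    pos += 3 * (2 << (flags & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
            else:
                raise ValueError(f"unexpected block 0x{kind:02x} at offset {pos}")
    except IndexError:
        raise ValueError("truncated GIF") from None

def inspect_upload(data: bytes) -> dict:
    """Report what follows the image and whether a ZIP/JAR reader would accept the file."""
    end = gif_end(data)
    trailing = len(data) - end
    zip_ok = zipfile.is_zipfile(io.BytesIO(data))
    return {"trailing_bytes": trailing, "zip_readable": zip_ok,
            "accept": trailing == 0 and not zip_ok, "image_only": data[:end]}

# Constructed sample: a 1x1 GIF, and the same GIF with a harmless ZIP appended.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
              b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x44\x01\x00" b"\x3b")
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as z:
    z.writestr("README.txt", "constructed test member")
SAMPLE_POLYGLOT = SAMPLE_GIF + _buf.getvalue()
```

Storing only `image_only` (or a re-encoded copy of the image) drops whatever was appended after the trailer.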
Note to self: Don’t spend 45 mins trying to figure out how to unlink a word in ScribeFire. Entire linked paragraphs are /okay/ if it’s going to destroy your productivity (and your non-existent social life).