WhiteHat reports The FREAKS are out

Whitehat's top 10 web hacking techniques of 2015 have been released and the freaks have topped the list.

The FREAK attack preys on RSA-Export keys
The FREAK attack preys on RSA-Export keys

FREAK (Factoring Attack on RSA-Export Keys) is the top attack of 2015, according to WhiteHat.

In the company's most recent report, detailing what it deems ‘The Top 10 Web Hacking Techniques of 2015', it brings together judgement from the broad span of the infosec community to nominate the most vexatious attacks of the past year.

Security manager at WhiteHat's Threat Research Center, Johnathan Kuskos, told press, “We created the Top 10 Web Hacks as a way to encourage information sharing within the InfoSec community, help IT professionals stay up-to-date with the recommended fixes and recognise the researchers who contribute excellent work in uncovering vulnerabilities.”

This year, FREAK, a downgrade attack which can be used against RSA_EXPORT cipher suites, took the top spot.

A post on FreakAttack.com explains the risk from this attack: “Servers that accept RSA_EXPORT cipher suites put their users at risk from the FREAK attack. Using internet-wide scanning, we have been performing daily tests of all HTTPS servers at public IP addresses to determine whether they allow this weakened encryption. At the time of discovery, more than a third of all servers with browser-trusted certificates are at risk.”

The attack works on versions of OpenSSL's TLS implementation below 1.0.1k, Apple's Secure Transport and Windows' Schannel TLS Library.

Kuskos told SCMagazineUK.com he thinks FREAK's popularity may come down to simple branding: “Everyone seems to want their bit of publicity these days with branded vulnerabilities, but I don't think that's so terrible. If we didn't know it as FREAK, we'd know it as CVE-2015-0204 which isn't easy to remember for the average person.”

This year's list doesn't differ too much from previous years, adds Kuskos. “The top vulnerabilities of the past years have also been encryption attacks, strangely enough, with the exception of 2013 where it was a new variant of Cross Site Scripting knowns as Mutation XSS, or mXSS. What this shows us is that the InfoSec community as a whole really respects the complexity of encryption research."

Coming in second place was another ‘branded' vulnerability, Logjam. Similar to FREAK, Logjam is a downgrade attack that instead of working on RSA_EXPORT, works on the Diffie-Hellman Key Exchange.

Considering the expense of actually precomputing and then breaking the exchange, up to $100 million, some have speculated that Logjam has been deployed by government agencies, possibly even the NSA.

Publicly reported in May last year, the vulnerability has clearly become one of the most troublesome for security professionals. Several fixes were released over the subsequent months for the Chrome, Internet Explorer, Tor and Firefox browsers.

But what about next year? Possibly DROWN, possibly Glibc, said Kuskos: “Both of those are great candidates, glibc might be an odd one to consider because it's not a web vulnerability, though it can be exploited quite easily remote over the web.  We allowed Shellshock to be a part of the valid submissions for the 2014 report and it's similar in nature.  That being said, it's still early in the year, we have 8 more months for new and exciting hacks to appear and we'll be watching eagerly for them!”

A full rundown of the top 10 can be seen below.

  1. FREAK (Factoring Attack on RSA-Export Keys)
  2. LogJam
  3. Web Timing Attacks Made Practical
  4. Evading All* WAF XSS Filters
  5. Abusing CDN's with SSRF Flash and DNS
  6. IllusoryTLS
  7. Exploiting XXE in File Parsing Functionality
  8. Abusing XLST for Practical Attacks
  9. Magic Hashes
  10. Hunting Asynchronous Vulnerabilities