Final Fifteen - Web Hacking Techniques
Open community voting completed last week. From the ~67 Web hacking techniques, we�ve gotten down to the final fifteen (see below). Congratulations to all the researchers whose work made it. Also, thank you very much to all those who took the time to complete the survey. There were a total of 74 respondents, 63% of which were�Breakers� and the other 37% �Builders.� Good representation.
Now it�s time for the final phase where our panel of security experts vote on the list (same position point system) to determine the Top Ten Web Hacking Techniques of 2010. All those on the panel have substantial industry technical experience, domain knowledge in application security, and do not have entries on the list.
This year we�re very pleased to have:
Ed Skoudis (InGuardians Founder & Senior Security Consultant)
Giorgio Maone (Author of NoScript)
Caleb Sima (CEO, Armorize)
Chris Wysopal (Veracode Co-Founder & CTO)
Jeff Willams (OWASP Chairman & CEO, Aspect Security)
Charlie Miller (Consultant, Independent Security Evaluators)
Dan Kaminsky (Director of Pen-Testing, IOActive)
Steven Christey (Mitre)
Arian Evans (VP of Operations, WhiteHat Security)
Final Fifteen
- A Twitter DomXss, a wrong fix and something more
- Attacking HTTPS with Cache Injection
- Breaking into a WPA network with a webpage
- Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
- CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
- Cross Site URL Hijacking by using Error Object in Mozilla Firefox
- Evercookie
- HTTP POST DoS
- Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
- Java Applet DNS Rebinding
- JavaSnoop
- NAT Pinning: Penetrating routers and firewalls from a web page
- Next Generation Clickjacking
- 'Padding Oracle' Crypto Attack (poet, Padbuster, demo, ASP.NET)
- Universal XSS in IE8 (CVE, White Paper)
