Monday, January 10, 2011

Final Fifteen - Web Hacking Techniques

Open community voting completed last week. From the ~67 Web hacking techniques, we’ve gotten down to the final fifteen (see below). Congratulations to all the researchers whose work made it. Also, thank you very much to all those who took the time to complete the survey. There were a total of 74 respondents, 63% of which were“Breakers” and the other 37% “Builders.” Good representation.

Now it’s time for the final phase where our panel of security experts vote on the list (same position point system) to determine the Top Ten Web Hacking Techniques of 2010. All those on the panel have substantial industry technical experience, domain knowledge in application security, and do not have entries on the list.

This year we’re very pleased to have:
Ed Skoudis (InGuardians Founder & Senior Security Consultant)
Giorgio Maone (Author of NoScript)
Caleb Sima (CEO, Armorize)
Chris Wysopal (Veracode Co-Founder & CTO)
Jeff Willams (OWASP Chairman & CEO, Aspect Security)
Charlie Miller (Consultant, Independent Security Evaluators)
Dan Kaminsky (Director of Pen-Testing, IOActive)
Steven Christey (Mitre)
Arian Evans (VP of Operations, WhiteHat Security)


Final Fifteen

6 comments:

Anonymous said...

Link to Universal XSS in IE8 is broken

Jeremiah Grossman said...

@anonymous it was working yesterday, for some reason they removed the files with no pointer. tried contacting the authors, but they haven't responded. any other working references would be much appreciated.

Jim Manico said...

Jeremiah, here is the CVE link for universal XSS in IE.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1489

Nice work, I enjoyed this post and research.

Jim Manico said...

Here is a better link for the Universal XSS ie8 technique: the google cache version of the original research.

I had to shorten it since blogger was rejecting some of the characters in the original URL.

http://bit.ly/fmSNzA

Jeremiah Grossman said...

@Jim, thanks for the help!

Jeremiah Grossman said...

The link for 'Universal XSS in IE8' is back in action!