Nytro

Top 10 web hacking techniques of 2019

Welcome to the community vote for the Top 10 Web Hacking Techniques of 2019.

Please review the nominations and rank the 10 entries you think contribute the most to the field. Rank 1 is the highest ranking, and you must rank at least 3. For further information, please refer to last year's results.

Entries marked with a * feature multiple independent writeups using a single core technique.

Closing time: 27 January 2020 00:00:00 (UTC)

Research  
Infiltrating Corporate Intranet Like NSA: Pre-Auth RCE On Leading SSL VPNs*  
A Tale of Exploitation in Spreadsheet File Conversions  
Getting Shell with XAMLX Files  
Exploiting padding oracles with fixed IVs  
DoS via Web Cache Poisoning*  
Exploiting SSRF in AWS Elastic Beanstalk  
Cached and Confused: Web Cache Deception in the Wild  
The Cookie Monster in Your Browsers  
Facebook Messenger server random memory exposure through corrupted GIF  
Remote Code Execution via Insecure Deserialization in Telerik UI  
HostSplit: Exploitable Antipatterns in Unicode Normalization  
Abusing HTTP hop-by-hop request headers  
HTTP Desync Attacks: Request Smuggling Reborn*  
Microsoft Edge (Chromium) - Elevation of Privilege to Potential RCE  
SSRF Protocol Smuggling in Plaintext Credential Handlers : LDAP  
Reusing Cookies  
Backchannel Leaks on Strict Content-Security Policy  
Cross-Site Leaks*  
Exploiting JNDI Injections in Java  
XSS in GMail's AMP4Email via DOM Clobbering  
Security analysis of portal element  
IIS Application vs. Folder Detection During Blackbox Testing  
Uploading web.config for Fun and Profit 2  
XSS-Auditor — the protector of unprotected and the deceiver of protected  
Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!  
Let's Make Windows Defender Angry: Antivirus can be an oracle!  
SAML Dupe Key Injection  
Reverse proxies & Inconsistency  
Owning The Clout Through Server Side Request Forgery  
PHP-FPM RCE(CVE-2019-11043)  
Finding and Exploiting .NET Remoting over HTTP using Deserialisation  
Exploiting Null Byte Buffer Overflow for a $40,000 bounty  
DOMPurify 2.0.0 bypass using mutation XSS  
Abusing autoresponders and email bounces  
Bypassing SOP Using the Browser Cache  
Don't open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, ...  
Exploiting Spring Boot Actuators  
Exploiting prototype pollution - RCE in Kibana  
At Home Among Strangers  
Exploiting Deserialisation in ASP.NET via ViewState  
ESI Injection Part 2: Abusing specific implementations  
Get pwned by scanning QR Code  
All is XSS that comes to the .NET  
The world of Site Isolation and compromised renderer  
Common Security Issues in Financially-Oriented Web Applications  
Google Search XSS  
Exploring Continuous Integration Services as a Bug Bounty Hunter  
Apache Solr Injection Research  
Unveiling vulnerabilities in WebSocket APIs  

Note: some additional voting data is recorded on submission to prevent fraud.


Source: https://portswigger.net/polls/top-10-web-hacking-techniques-2019
