Top Ten Web Hacking Techniques of 2011
Every year the web security community votes on the top web hacking techniques of the past year. The techniques identified are normally innovative, scary and sometimes downright funny, and they serve an important purpose in raising awareness of emerging threats and attack methods. This year's survey is now online and I encourage you to vote - http://www.surveymonkey.com/s/TopTenWebHackingTechniques2011.
Top Ten Web Protection Techniques of 2011
While the web application Breaker community certainly hogs the spotlight, I want to take back a bit of that attention and shine it on the Defender community. There are many organizations and individuals whose goal is not a big pat on the back for their 3l33t hacking demo at a security conference, but who instead put their efforts into protecting organizations and users from these very same hacking techniques. So, this year, I am starting a Top Ten Web Protection Techniques of 2011 list.
Next Phase: Open Community Voting
Once we get a good listing of protection candidates, we will then hold a public survey for voting.
Top Ten Web Protection Technique Candidates
I will present a few nominations here to get our entry pool started. If you would like to nominate a web protection technique (either protecting web servers/applications or web browsers), please either comment below the blog post or send a Tweet to @ryancbarnett with the hashtag #Top10WebProtect.
- Convergence - Moxie Marlinspike introduced a Firefox browser add-on that provides an alternative to the SSL CA trust model.
- Content Security Policy (CSP) - Mozilla introduced CSP in Firefox 4 to help mitigate XSS attacks by letting the server declare which script sources the browser may execute.
- OWASP CSRFGuard v3.0 - Eric Sheridan updated CSRFGuard which protects Java applications from CSRF attacks
- ModSecurity v2.6 - included many new features including defenses against Slow DoS attacks.
- OWASP Cheat Sheet Series - condensed documentation for quick defensive techniques.
- The DOMinator Project - by Stefano Di Paola is a browser plug-in to help identify DOM-based XSS vulns.
- OWASP Zed Attack Proxy v1.3 - by Psiinon included new features such as regression testing.
- OWASP AppSensor - Application Attack-Awareness code for Java/ESAPI from John Melton.
- OWASP JavaScript Sandboxes - JSReg, HTMLReg and CSSReg by Gareth Heyes.
- Google Caja - security toolset for sandboxing third-party JavaScript, HTML and CSS, from the Google Security Team.
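To make the CSP nomination above concrete, here is an added example (not code from the original post, from Mozilla, or from any of the listed projects): a minimal evaluator for the script-src directive that shows why a policy blocks a reflected-XSS payload (an injected inline script) while still allowing the site's own and whitelisted scripts, and how adding 'unsafe-inline' throws that protection away. It uses the standardized Content-Security-Policy syntax rather than the X-Content-Security-Policy prototype header Firefox 4 shipped, and treats a scheme in a host source as an exact match (a simplification of the spec). The host names, page URL and policies are constructed for the example.

```javascript
// Added example: minimal script-src evaluation for a Content-Security-Policy
// header. Not the browser's implementation; policies and hosts are constructed.

// "directive src src; directive src" -> Map(directive -> [lower-cased sources])
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return policy;
}

function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443' }[protocol] || '';
}

// Does one source expression permit loading scriptUrl from a page at pageOrigin?
function sourceMatches(source, scriptUrl, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return scriptUrl.origin === pageOrigin;
  if (source === '*') return true;
  if (source.startsWith("'")) return false;        // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {        // scheme-source, e.g. https:
    return scriptUrl.protocol === source;
  }
  // host-source: [scheme://][*.]host[:port|:*]
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme}:` !== scriptUrl.protocol) return false;  // simplification: exact scheme
  const scriptHost = scriptUrl.hostname;
  if (wildcard ? !scriptHost.endsWith(`.${host}`) : scriptHost !== host) return false;
  if (port && port !== '*') {
    if ((scriptUrl.port || defaultPort(scriptUrl.protocol)) !== port) return false;
  }
  return true;
}

// script is { inline: true } or { src: '<absolute URL or path>' }
function isScriptAllowed(header, pageUrl, script) {
  const policy = parsePolicy(header);
  const sources = policy.get('script-src') || policy.get('default-src');
  if (!sources) return true;                        // no applicable directive: nothing restricted
  if (script.inline) return sources.includes("'unsafe-inline'");
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, new URL(script.src, page), page.origin));
}

// Evaluate a set of script loads against one policy; returns { label: allowed }.
function evaluate(header, pageUrl, scripts) {
  const result = {};
  for (const [label, script] of Object.entries(scripts)) {
    result[label] = isScriptAllowed(header, pageUrl, script);
  }
  return result;
}

// Constructed scenario: a search page reflects q unescaped, so the attacker's
// <script>...</script> in q lands in the page as an inline script.
const PAGE = 'https://shop.example.com/search?q=%3Cscript%3E...%3C/script%3E';
const SCRIPTS = {
  injectedInline: { inline: true },                          // the XSS payload
  ownApp: { src: '/js/app.js' },                             // same-origin script
  cdnJquery: { src: 'https://cdn.example.com/jquery.js' },   // whitelisted CDN
  cdnOverHttp: { src: 'http://cdn.example.com/jquery.js' },  // scheme downgrade
  attackerHosted: { src: 'https://evil.example.net/x.js' },  // attacker's host
};
const STRICT = "default-src 'self'; script-src 'self' https://cdn.example.com";
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' *.example.com";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('strict:', evaluate(STRICT, PAGE, SCRIPTS));
  console.log('weak:  ', evaluate(WEAK, PAGE, SCRIPTS));
}
```

Under the strict policy only the injected inline script, the downgraded http:// CDN load and the attacker-hosted script are refused; the weak policy lets the inline payload run, which is why 'unsafe-inline' in script-src is the first thing to look for when reviewing a CSP deployment.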