Um blog está a recolher informações sobre ataques web que ocorreram em 2011, começou por ser top 10 mas já chegou a 50 o numero de técnicas utilizadas e continua em crescimento.

Lista:

1. Bypassing Flash’s local-with-filesystem Sandbox
2. Abusing HTTP Status Codes to Expose Private Information
3. SpyTunes: Find out what iTunes music someone else has
4. CSRF: Flash + 307 redirect = Game Over
5. Close encounters of the third kind (client-side JavaScript vulnerabilities)
6. Tracking users that block cookies with a HTTP redirect
7. The Failure of Noise-Based Non-Continuous Audio Captchas
8. Kindle Touch (5.0) Jailbreak/Root and SSH
9. NULLs in entities in Firefox
10. Timing Attacks on CSS Shaders
11. CSRF with JSON – leveraging XHR and CORS
12. Double eval() for DOM based XSS
13. Hidden XSS Attacking the Desktop & Mobile Platforms
14. Rapid history extraction through non-destructive cache timing (v8)
15. Lotus Notes Formula Injection
16. Stripping Referrer for fun and profit
17. How to upload arbitrary file contents cross-domain (2)
18. Exploiting the unexploitable XSS with clickjacking
19. How to get SQL query contents from SQL injection flaw
20. XSS-Track as a HTML5 WebSockets traffic sniffer
21. Cross domain content extraction with fake captcha
22. Autocomplete..again?!
23. JSON-based XSS exploitation
24. DNS poisoning via Port Exhaustion
25. Java Applet Same-Origin Policy Bypass via HTTP Redirect
26. HOW TO: Spy on the Webcams of Your Website Visitors
27. Launch any file path from web page
28. Crowd-sourcing mischief on Google Maps leads customers astray
29. BEAST
30. Bypassing Chrome’s Anti-XSS filter
31. XSS in Skype for iOS
32. Cookiejacking
33. Stealth Cookie Stealing (new XSS technique)
34. SurveyMonkey: IP Spoofing
35. Using Cross-domain images in WebGL and Chrome 13
36. Filejacking: How to make a file server from your browser (with HTML5 of course)
37. Exploitation of “Self-Only” Cross-Site Scripting in Google Code
38. Expression Language Injection
39. (DOMinator) Finding DOMXSS with dynamic taint propagation
40. Facebook: Memorializing a User
41. How To Own Every User On A Social Networking Site
42. Text-based CAPTCHA Strengths and Weaknesses
43. Session Puzzling (aka Session Variable Overloading) Video 1, 2, 3, 4
44. Temporal Session Race Conditions Video 2
45. Google Chrome/ChromeOS sandbox side step via owning extensions
46. Excel formula injection in Google Docs
47. Drag and Drop XSS in Firefox by HTML5 (Cross Domain in frames)
48. CAPTCHA Hax With TesserCap
49. Multiple vulnerabilities in Apache Struts2 and property oriented programming with Java
50. Abusing Flash-Proxies for client-side cross-domain HTTP requests [slides]

Fonte: http://jeremiahgrossman.blogspot.com/2011/02/top-ten-web-hacking-techniques-of-2011.html