Top Ten Web Hacking Techniques of 2012
Currently in the process of collecting submissions. If you know of an attack technique published in 2012 that should be added, please post a link to the research in the comments. Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack. Now in its seventh year, the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top Tens and the number of new attack techniques discovered in each year: 2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51).
The Top Ten
- CRIME (1, 2, 3, 4) by Juliano Rizzo and Thai Duong
- Pwning via SSRF (memcached, php-fastcgi, etc) (2, 3, 4, 5)
- Chrome addon hacking (2, 3, 4, 5)
- Bruteforce of PHPSESSID
- Blended Threats and JavaScript
- Cross-Site Port Attacks
- Permanent backdooring of HTML5 client-side application
- CAPTCHA Re-Riding Attack
- XSS: Gaining access to HttpOnly Cookie in 2012
- Attacking OData: HTTP Verb Tunneling, Navigation Properties for Additional Data Access, System Query Options ($select)