I know this is a teensy bit on the late side - this is our first year after taking it over from WhiteHat. Anyway, hopefully it's a valuable introduction to some new threats that everyone doing stuff related to websites should be aware of.
The blog version of regilero's HTTP smuggling is a really good read.

http://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/
I've read the first of the list (#10), and I'm skeptical this "top web technique" has ever been used in the wild.

The blog post starts with a few obvious errors. OPcache has been part of PHP since PHP 5.5 (http://php.net/manual/en/opcache.installation.php), not PHP 7. And "PHP 7 by Rasmus Lerdorf" is almost a joke: he was certainly not a top contributor to this iteration. These errors are not important _per se_, but they point to an overall lack of quality, and suggest no one reviewed before publication.

The article is not very clear about the vectors one needs to attack. Here is the list:

1. A non-standard configuration that enables the file cache in OPcache. Very improbable.

2. Access to the output of phpinfo(), which gives many sensitive details about the PHP instance.

3. A security breach allowing the attacker to upload files into the cache path without restriction on the file name.

4. The URL of a PHP file that has received no HTTP request since the PHP server started. The alternative is a configuration that disables in-memory caching in OPcache, but that would be far too contrived.

When the server has all these vulnerabilities but uses write-protected PHP files, you can hack OPcache for remote code execution.
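As an added illustration of vectors 1 and 4 in the list above (this is not from the comment or the article it criticises): the php.ini settings that turn the OPcache file cache into something an attacker can target, next to the default shape. The directive names are real OPcache directives; the cache path is a placeholder, and the two groups are alternatives, not one file.

```ini
; Added example, not from the thread. The cache directory is a placeholder.

; --- Configuration the attack needs (non-default) ---
opcache.enable=1
; Enables the on-disk bytecode cache under this directory. Planting a file
; there with the right name is vector 1; the directory has to be writable
; by the PHP worker, which is what makes an upload flaw usable.
opcache.file_cache=/var/cache/php/opcache
; The alternative the comment calls contrived: serve bytecode from disk only
; and skip shared memory, so a planted file is used even for scripts that
; have already been requested since startup (vector 4 goes away).
opcache.file_cache_only=1

; --- Default shape (no file cache, bytecode lives only in shared memory) ---
opcache.enable=1
opcache.file_cache=
opcache.file_cache_only=0
```

To see which shape a host is in, run `php -i | grep opcache.file_cache` on the box, or look at the phpinfo() page; the latter is vector 2, which is why that page should not be reachable from the outside in the first place.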
Much of the scariest XSS (aka, most difficult to prevent) comes from the DOM these days.

Edge, FF and Chrome don't follow the spec as well as they should, and the result is a lot of minor browser incompatibilities that are very hard to detect and fix.

Each browser is making modifications to the DOM spec, many of which make introducing XSS and XSRF into a web app very easy.

Deep DOM and JS knowledge is a must-have for pen testers these days.
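Added example (not from the thread) of the DOM-based XSS the comment above refers to: the untrusted input is the URL fragment, which the browser never sends to the server, so server-side filtering and logging never see it. The page is hypothetical (a greeting that takes a name from `#name=...`); the code is reduced to string handling so it runs under Node without a browser, and the vulnerable path is shown beside the escaped one.

```javascript
// Added example, not from the thread. The greeting page is hypothetical.

// Escape the five characters that matter when untrusted text is placed in
// an HTML text node or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Source: the fragment. decodeURIComponent mirrors what many apps do before
// use, and it also undoes %3C-style encoding of '<' that a naive filter on
// the raw URL might have let through.
function nameFromHash(hash) {
  const m = /[#&]name=([^&]*)/.exec(hash);
  return m ? decodeURIComponent(m[1]) : 'guest';
}

// Vulnerable: the untrusted string is concatenated into markup destined for
// innerHTML, so '<img src=x onerror=...>' survives intact.
function greetingHtmlUnsafe(hash) {
  return '<p>Hello, ' + nameFromHash(hash) + '!</p>';
}

// Hardened: same markup, untrusted part escaped first. In a real page,
// assigning the name to textContent instead of innerHTML is simpler still.
function greetingHtmlSafe(hash) {
  return '<p>Hello, ' + escapeHtml(nameFromHash(hash)) + '!</p>';
}

// Did any tag other than the template's own <p>...</p> end up in the output?
// This is the property a pen tester checks for each source/sink pair.
function introducesMarkup(html) {
  return /<(?!\/?p>)/.test(html);
}

// Constructed attacker fragment: <img src=x onerror=alert(1)> URL-encoded.
const PAYLOAD_HASH = '#name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';

console.log('unsafe:', greetingHtmlUnsafe(PAYLOAD_HASH),
            introducesMarkup(greetingHtmlUnsafe(PAYLOAD_HASH)));
console.log('safe:  ', greetingHtmlSafe(PAYLOAD_HASH),
            introducesMarkup(greetingHtmlSafe(PAYLOAD_HASH)));
```

The point of `introducesMarkup` is the test, not the fix: for each place a page reads from `location.hash`, `location.search`, `document.referrer`, `postMessage` data or similar, trace it to the sink (innerHTML, `document.write`, `eval`, `setAttribute` on an event handler or `href`) and confirm the same property holds there. The escaping shown is correct for an HTML text node; a value landing in a JavaScript string, a URL, or a CSS context needs a different encoding.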