Personal Fav. #4:
Preauth leak + XSS on preauth URL
çSome pages can be viewed without password
çIdeal when web interface only on LAN
çTargets the internal user who can “see” the device’s web interface
çSome preauth leaks are WAY TOO GOOD – ie: WEP keys or admin passwords
çAdmin doesn’t need to be logged-in since device’s URL can be viewed by anyone
çReal example: BT Home Hub (tested on firmware 6.2.2.6 )