The 2011 Pwnie Winner For Best Server-Side Bug

ASP.NET Framework Padding Oracle (CVE-2010-3332)

Credit: Juliano Rizzo, Thai Duong

Juliano and Thai showed that the ASP.NET framework is vulnerable to a padding oracle attack that can be used to remotely compromise almost any ASP.NET web application, often leading to remote code execution on the server.