It is 2009 and the underground cyber economy is flourishing. Spam has become a lucrative business, writing exploits fetches real money, financial fraud is on the rise and the worms are loose. Although this is nothing compared to the financial blunders that led to the current recession, it is interesting to know how all the pieces fit together. We've known about classic web hacking, exploiting binaries, shellcode, abusing protocols and tricking users. This talk explores how each vulnerability plays a key part in making the larger system come together - attack patterns of tomorrow, the objectives, motives and where all the pieces of the puzzle fit together. How do individual SQL Injection, Browser exploits, PDF bugs, XSS, etc fit together? What have we learned from the past, and what are the core design issues in HTTP, HTML, Browsers and application programming that make for mass ownership opportunities? In our quest for mashups and Web 2.0, have we compromised on fundamental security principles? Last year, I talked about some of the core problems that plagued browsers. This year, the talk goes beyond just browsers and looks at examples of mass ownage, new infection vectors, advanced client-side exploitation, malicious payloads, browser infection with toolbars and more. Everything is assembled before your very eyes! And as a bonus, I will demonstrate some of my own attempts at defeating Web Application Firewalls and Browser Firewalls (yes there is such a creature called a Browser Firewall)