Top ten web hacking techniques of 2024: nominations open

– **Published:** 08 January 2025 at 14:07 UTC

– **Updated:** 08 January 2025 at 14:07 UTC

Nominations are now open for the top 10 new web hacking techniques of 2024!

Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, and whitepapers. These contributions are all invaluable, but some stand out for their innovative approaches and the potential to be re-applied or adapted in new ways. Since 2006, the community has come together annually to sift through this wealth of research and identify the top ten techniques that truly push the boundaries of web security.

Now it’s time to look back on 2024’s breakthroughs and forward to recognizing the most influential, inventive, and reusable research. Whether you’re an industry veteran or new to the project, you can explore our dedicated top 10 page to learn about the origins, history, and purpose of this initiative—plus an archive of past winners and highlights. Nominate your favorites, cast your votes, and help us crown the standout web hacking techniques of 2024!

This year, we’ll target the following timeline:

### Timeline

– Jan 8-14: Collect community nominations for the top research from 2024
– Jan 15-21: Community votes on nominations to build a shortlist of the top 15
– Jan 22: Launch panel vote on shortlist to select and order the 10 finalists
– Feb 04: Publish top 10 of 2024!

### What should I nominate?

The aim is to highlight research containing novel, practical techniques that can be re-applied to different systems. Individual vulnerabilities like log4shell are valuable at the time but typically age poorly, whereas underlying techniques such as JNDI Injection can be reapplied to great effect. Nominations can also be refinements to already-known attack classes, such as Exploiting XXE with Local DTD Files. For further examples, you might find it useful to check out previous year’s top 10s.

### Making a nomination

To submit, simply provide a URL to the research, and an optional brief comment explaining what’s novel about the work. Feel free to make as many nominations as you like, and nominate your own work if you think it’s worthy!

#### Click here to submit a nomination

Please note that I’ll filter out nominations that are non-web focused, just tools, or not clearly innovative to keep the number of options in the community vote manageable. We don’t collect email addresses – to get notified when the voting stage starts, follow @PortSwiggerRes on X, LinkedIn, or BlueSky.

### Nominations

I’ve made a few nominations myself to get things started, and I’ll update this list with fresh community nominations every few days. In the spirit of excessive automation, I’ve included AI-assisted summaries of each entry.

Gotta cache ’em all: bending the rules of web cache exploitation

Novel techniques exploiting URL parsing discrepancies to achieve arbitrary web cache poisoning and deception.
Listen to the whispers: web timing attacks that actually work

Making HTTP/2 timing attacks feasible and effective across diverse web environments by addressing network and server noise through novel techniques like single-packet sync and exploiting scoped SSRF opportunities.
Splitting the email atom: exploiting parsers to bypass access controls

Exploiting email parsing discrepancies using encoded words and unicode overflows for access control bypass and potential RCE in web applications.
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

Exploiting architectural flaws in Apache HTTP Server’s module interactions to achieve insecure path access, predictable handler manipulation, and authentication bypass.
Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall

Exploiteing China’s DNS poisoning for subdomain takeover via Fastly or XSS via vulnerable cPanel installations.
Bypassing WAFs with the phantom $Version cookie

Bypassing WAFs using legacy support in cookie parsers through the $Version attribute and quoted-string encoding.
ChatGPT Account Takeover – Wildcard Web Cache Deception

Exploiting path traversal confusion in CDN and web server URL parsing to cache sensitive API endpoints for auth token theft.
Why Code Security Matters – Even in Hardened Environments

Exploiting an arbitrary file write vulnerability in a Node.js application to achieve remote code execution by writing to pipe file descriptors exposed via procfs.
Remote Code Execution with Spring Properties

Leveraging Spring Boot’s logging configuration properties to achieve remote code execution through Logback’s JoranConfigurator.
Exploring the DOMPurify library: Bypasses and Fixes

Mutation XSS by leveraging node flattening, stack of open elements, and namespace confusion to bypass DOMPurify
Bench Press: Leaking Text Nodes with CSS

Leaking text node content by using CSS animations to measure character heights and exfiltrating data via image requests.
Source Code Disclosure in ASP.NET apps

Using .NET cookieless sessions to obtain source code.
http-garden: Differential fuzzing REPL for HTTP implementations.

Platform for finding novel HTTP request smuggling vectors.
plORMbing your Prisma ORM with Time-based Attacks

Using time-based attacks on Prisma ORM to leak sensitive data by crafting queries that exploit relational filtering to cause significant execution delays.
Introducing lightyear: a new way to dump PHP files

Automated high-speed exploitation with PHP filter chains
The Ruby on Rails _json Juggling Attack

The _json juggling attack manipulates JSON parameters to bypass authorization in Ruby on Rails by exploiting the handling of _json keys.
Encoding Differentials: Why Charset Matters

Exploiting ISO-2022-JP encoding to bypass sanitization and inject JavaScript when charset information is missing.
A Race to the Bottom – Database Transactions Undermining Your AppSec

Detailed analysis of patterns that enable race condition attacks on database transactions
Response Filter Denial of Service (RFDoS): shut down a website by triggering WAF rule

DoS technique exploiting overly inclusive WAF rules to block legitimate content delivery.
Unveiling TE.0 HTTP Request Smuggling: Discovering a Critical Vulnerability in Thousands of Google Cloud Websites

A novel HTTP Request Smuggling vector affecting Google Cloud-hosted websites.

DoubleClickjacking: A New Era of UI Redressing

DoubleClickjacking exploits the timing gap between mousedown and onclick events to bypass clickjacking protections and hijack user actions.
Devfile file write vulnerability in GitLab

Exploiting YAML parser differentials and path traversal in tar file extraction to achieve arbitrary file write in GitLab.

Leave a Reply

Your email address will not be published. Required fields are marked *