Top 10 Web Hacking Techniques 2017

Update: nominations have now closed, and the community vote has started.

Nominations are now open for the Top 10 Web Hacking Techniques of 2017.

Every year, numerous security researchers choose to share their findings with the community through conference presentations, blog posts, whitepapers, videos, and even simple disclosures. This is great, but the sheer volume and diversity means understated discoveries from aspiring researchers can be overlooked, and even flashy vulnerabilities eventually get eclipsed and forgotten as people chase after the next shiny logo. 

To help draw deserved attention to the most exciting and innovative research, since 2006 Jeremiah Grossman and Matt Johansen have annually collaborated with the infosec community to pick the top 10 new web hacking techniques of each year. Each year this produced two invaluable resources - a refined selection of ten must-read publications relevant to everyone in web security, and a vast list of research for other would-be researchers.

This was initially run on Jeremiah’s blog, then moved to WhiteHat’s in 2011:

2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, and 2015.

Unfortunately it stopped in 2015, but I believe it’s needed now more than ever, so we’ve decided to pick up the torch at PortSwigger.

It’s a bit late in the year, but we’ll start right now with the top web hacking techniques of 2017.

Here’s the plan:

  • Now: Start collecting and verifying community nominations.
  • August: We’ll launch a community vote to elect a shortlist.
  • September: A small panel of experts will vote on the shortlist to select the top 10, and we’ll publish the results.

To keep things clean, we'll be excluding our own research from the top ten.

To nominate a piece of research, either reply to this Twitter post, comment on this Reddit thread, or use this form. Feel free to make multiple nominations, to nominate your own research, and so on. If you want, you can take a look at past years' top 10 to get a feeling for what people feel constitutes great research. Also, since 2016 was missed out, feel free to submit any particularly outstanding research from then.

Finally, whether this is successful or not ultimately depends on community involvement. We appreciate your contributions!

Nominations so far

Here are the nominations so far. We're making offline archives of them all as we go, so we can replace any that go missing in future. A few people nominated research published in 2018, so I've added that to a separate list for next year.