Top 10 web hacking techniques of 2024

Exploiting the Clipboard API to inject XSS payloads through poisoned clipboard data in collaborative whiteboard applications.

Making HTTP/2 timing attacks feasible and effective across diverse web environments by addressing network and server noise through novel techniques like single-packet sync and exploiting scoped SSRF opportunities.

Automated discovery of protocol-level evasion vulnerabilities in WAFs using a novel testing methodology that exploits parsing discrepancies between WAF and web applications.

CTF-focused techniques

A novel HTTP Request Smuggling vector affecting Google Cloud-hosted websites.

Multi-sandwich attack exploiting MongoDB Object ID's predictable counter to monitor and intercept tokens in real-time.

Detecting and chaining indirect JavaScript prototype pollution gadgets using undefined properties for complex attack vectors like ACE and RCE.

Hijacking OAUTH flows via Cookie Tossing for Account Takeovers

Detailed analysis of patterns that enable race condition attacks on database transactions

Exploiting path traversal confusion in CDN and web server URL parsing to cache sensitive API endpoints for auth token theft.

User info extraction using placeholder injection via subject-to-description sanitization bypass in Zendesk.

New primitives and gadgets that enable the achievement of RCE from Prototype Pollutions previously deemed unexploitable

Automated exploitation of server-side prototype pollution using gadget identification.

DoubleClickjacking exploits the timing gap between mousedown and onclick events to bypass clickjacking protections and hijack user actions.

Chaining messaging APIs in browser extensions to bypass Same Origin Policy and trigger native application vulnerabilities for universal code execution.

Exploiting Unicode collation logic discrepancies in MSSQL to treat a goblin emoji as an empty string, enabling brute-force attacks.

Exploiting China's DNS poisoning for subdomain takeover via Fastly or XSS via vulnerable cPanel installations.

Arbitrary JavaScript execution through manipulated FontMatrix in PDF.js font rendering.

Accessing other collections via NoSQL injection in MongoDB aggregation pipelines using $lookup or $unionWith operators.

Offline manipulation of PostgreSQL filenodes for privilege escalation and RCE.

Gudifu uses guided differential fuzzing to discover HTTP request parsing discrepancies that can lead to new attack vectors such as HTTP request smuggling and cache poisoning.

Bypassing Lavamoat's policy file sandboxing through crafted multiline source map comments and evading SnowJS realm isolation via the deprecated document.execCommand function.

Exploiting inconsistencies in PHP mbstring functions to bypass Joomla's input sanitization leading to XSS vulnerabilities.

-- DO NOT VOTE FOR THIS ENTRY --

Using a bottom-up approach to more efficiently detect Java deserialization gadget chains and leveraging data flow dependencies for payload generation.

Leveraging Spring Boot's logging configuration properties to achieve remote code execution through Logback's JoranConfigurator.

Exploiting XPath vulnerabilities to bypass SAML signature validation in Ruby-SAML.

Bypassing WAFs using legacy support in cookie parsers through the $Version attribute and quoted-string encoding.

Exploiting an arbitrary file write vulnerability in a Node.js application to achieve remote code execution by writing to pipe file descriptors exposed via procfs.

Automated high-speed exploitation with PHP filter chains

Bypassing ServiceNow's template injection mitigations via sanitized style tag content for code execution.

JNDI injection to manipulate the pathname in MemoryUserDatabaseFactory for remote code execution via crafted XML and directory creation using BeanFactory method invocation.

Techniques to bypass multipart/form-data parsers by exploiting discrepancies in parameter handling, boundary recognition, and content validation, including duplicated parameters, omission of necessary delimiters, and alternate encoding sequences.

Exploiting internal headers in Next.js to control HTTP status codes and cache error pages.

Exploiting the javascript: pseudo-protocol with auto-submitting forms in OAuth 2.0 Form Post Response Mode and SAML POST-Binding to achieve XSS.

Wormable XSS on Bing using KML file and mixed-case JavaScript to bypass blacklist.

Cross Fork Object Reference (CFOR) vulnerability enables unauthorized access to sensitive data in deleted and private GitHub repositories using commit hashes.

Using multiple response_type values in Google OAuth to capture both id_token and authorization code in the URL fragment for account takeover.

Chaining DOM Clobbering with postMessage and CSP bypasses to escalate XSS.

DoS technique exploiting overly inclusive WAF rules to block legitimate content delivery.

Mutation XSS by leveraging node flattening, stack of open elements, and namespace confusion to bypass DOMPurify.

Exploiting sslauncher URL handler to achieve Remote Code Execution via MSI transform abuse.

Chain of Arbitrary File Write, Arbitrary File Read, and Local DLL Loading for RCE on Exchange.

Practical exploitation of time-based secrets

Protocol-level SQL injection attacks via database wire protocol smuggling.

Chaining multiple open redirect vulnerabilities in YouTube and Google Docs to perform a clickjacking attack granting editor access to Google Drive files.

Novel techniques exploiting URL parsing discrepancies to achieve arbitrary web cache poisoning and deception.

Exploiting Zendesk's lack of email spoofing safeguards to hijack ticket threads and gain unauthorized access to Slack accounts using OAuth.

Reflected arbitrary origins and alternate domain/subdomain trust in CORS configurations can permit unauthorized data exfiltration.

Bypassing facial recognition by exploiting AI's inability to distinguish between live human faces and deepfake images.

Platform for finding novel HTTP request smuggling vectors.

Exploiting relational filtering in Django ORM to leak sensitive data through many-to-many relationship and permission models.

Exploiting floating-point numbers with excessive digits to cause server DoS.

Using .NET cookieless sessions to obtain source code.

Abusing Bootsnap's cache manipulation to execute arbitrary code in restricted Rails environments.

Exploiting Windows Best-Fit character conversion for attacks like Path Traversal, Argument Injection, and RCE across various applications.

Exploiting Client-Side Path Traversal for CSRF by chaining GET and POST actions (CSPT2CSRF).

Recursive merge technique in Ruby to achieve class pollution for privilege escalation and RCE.

Exploiting email parsing discrepancies using encoded words and unicode overflows for access control bypass and potential RCE in web applications.

The _json juggling attack manipulates JSON parameters to bypass authorization in Ruby on Rails by exploiting the handling of _json keys.

Leaking text node content by using CSS animations to measure character heights and exfiltrating data via image requests.

Developing a universal RCE deserialization gadget chain for Ruby 3.4 that leverages RubyGems autoloading, uses 'rake' and 'make' commands for execution, and suppresses exceptions using an UncaughtThrowError object.

Uing browser navigation and keystrokes to execute actions on different websites via URL fragments.

Using time-based attacks on Prisma ORM to leak sensitive data by crafting queries that exploit relational filtering to cause significant execution delays.

Exploiting discrepancies in JavaScript number parsers for DoS via parameter pollution.

Exploiting YAML parser differentials and path traversal in tar file extraction to achieve arbitrary file write in GitLab.

Abusing edge-side includes and Unicode manipulation to bypass WAF.

Bypassing .NET Remoting security by leveraging XAML parsing to perform deserialization attacks that create privileged objects like WebClient for remote code execution despite TypeFilterLevel.Low and CAS restrictions.

Exploiting Vue.js CSTI through ENS name truncation to achieve XSS and manipulate NFT bids.

Exploring Javascript events & Bypassing WAFs via character normalization

XSS through manipulation of Content-Type headers.

Exploiting architectural flaws in Apache HTTP Server's module interactions to achieve insecure path access, predictable handler manipulation, and authentication bypass.

Using SSRF to capture session cookies by directing requests to a controlled server.

Authorization bypass due to short-term caching vulnerability.

Cookie tossing to escalate XSS vulnerabilities, OAuth Dirty Dancing for session takeover, and leveraging XSS for browser permission hijacking and DoS through WAF Frame-up techniques.

Unauthorized access to ISP-managed TR-069 APIs via authorization bypass, leading to full device takeover.

Exploiting inconsistent parsing of email headers across services for email spoofing and SMTP injection.

Expanding single-packet attack's capabilities by utilizing IP fragmentation and TCP sequence number reordering to exploit limit-overrun vulnerabilities.

Exploiting Service Worker registration in JIT-installed workers for XSS via manipulated payment manifests in Chrome.

Abusing the register_argc_argv PHP configuration to manipulate Craft CMS path handling and achieve Remote Code Execution via the FTP wrapper in Twig templates.

Exploiting ISO-2022-JP encoding to bypass sanitization and inject JavaScript when charset information is missing.

Bypassing HTML sanitizers using parsing differentials to exploit mutation-based XSS vulnerabilities.

Exploiting a buffer overflow in glibc's iconv function to achieve remote code execution in PHP applications, such as Roundcube, by manipulating session variables or leveraging deserialization vulnerabilities.

Synthesizing polyglot payloads for detecting blind XSS across multiple injection contexts without feedback channels.

HTTP/2 CONTINUATION Flood attack enables denial of service by exhausting server resources with an unending stream of headers lacking an END_HEADERS flag.