Top 10 web hacking techniques of 2025

Authentication bypass by swapping the non-discoverable WebAuthn flow's credential binding so a challenge issued for a victim's username can be satisfied with the attacker's passkey, yielding account takeover.

Abusing AEAD tag-length truncation in OpenSSL bindings to brute-force short tags, then leveraging the resulting nonce-reuse condition to recover the GHASH/Poly1305 subkey and forge/decrypt arbitrary ciphertexts via a format-validity oracle.

Abusing SVG filter pipelines on cross-origin iframes to read selected pixels and implement logic-gated, multi-step interactive clickjacking with exfiltration via user-scanned QR codes generated entirely inside the filter.

Chaining a spoofable framework-internal header with Next.js data-request mechanisms to force-cache SSR JSON as HTML, enabling cache-poisoning DoS and stored XSS via stale-while-revalidate.

Chaining a referrer-based auth bypass with an init-phase ToolPane invocation and a generic-wrapper type-confusion to defeat DataSetSurrogateSelector's allowlist, then reaching TemplateParser via a templated safe control to trigger a deserializing gadget for one-request pre-auth RCE.

Adapting the last-byte-sync single-packet race technique to HTTP/3 by buffering near-complete requests across many QUIC streams and then releasing them simultaneously via a coordinated FIN "last-byte" burst (Quic-Fin-Sync).

Leveraging CSWSH via WebSocket-accessible GraphQL to bypass preflight-gated CSRF protections, plus showing that Private Network Access doesn't apply to WebSockets so cross-origin WebSockets can still reach private-IP services.

Leveraging HTTP/2 CONNECT stream multiplexing to turn misconfigured forward proxies into a high-throughput internal port scanner over a single connection, potentially evading monitoring that can't inspect per-stream tunnels.

Prompt-injecting untrusted issue/PR/commit text into AI-agent prompts in CI/CD to coerce privileged tool execution, enabling secret exfiltration and repository manipulation.

Triggering an integer signedness wrap in Ruby Array#pack repeat-count parsing to turn the X "back up" directive into a negative shrink that grows the string length and leaks out-of-bounds heap memory.

Triggering SQLi by abusing PDO emulated-prepare SQL-scanner misparsing - using null bytes and escape/comment boundary tricks to make user-controlled text get reinterpreted as bind placeholders, including cross-dialect issues in older unified parsers.

Chaining client-side path traversal in SPA/REST fetch routing (via backslash/double-encoding normalization) with open redirects or user-uploaded JSON to spoof API responses and reach DOM XSS/URL-leak-driven OAuth takeover.

Chaining Nginx route exposure, a hard-coded JWT signing secret, leaked internal API keys, an SSRF URL-concatenation trick to reach host-only endpoints that mint an admin session, and finally a rule-engine eval sink made reachable by importing a tampered encrypted rule package using a static AES key to bypass validation for pre-auth RCE.

Chaining cross-site ETag length variation into a 431-induced navigation failure and detecting it via Chromium history replacement to build an XS-Leak oracle.

Exploiting redirect-loop status-code variation (cycling uncommon 3xx responses) to trigger an application error state that leaks the full SSRF redirect chain and final 200 response.

Exploiting parser differentials - mismatches between how components interpret the same input - to turn benign-looking data into security bypasses.

Abusing credentialless iframes' same-origin access plus login CSRF/clickjacking to turn stored self-XSS into stored XSS, and using fetchLater's deferred requests to execute authenticated actions later even after the tab closes (bypassing framing limits).

Leveraging Expect handling quirks and early-response gadgets to turn 0.CL deadlocks into reliable double-desync request smuggling that enables response queue poisoning and cross-tenant cache/content hijacking.

Abusing CSS-only injection with a crafted ligature font and container queries to turn per-character glyph-width differences into conditional network requests, plus browser-specific import/font chaining to iterate indices and exfiltrate long text (including inline script secrets) even under common sanitizers.

Combining single-packet parallelization with HTTP/2→HTTP/1 downgrade desync to reliably detect and exploit request tunnelling for frontend rule/rewriter bypasses (notably via whitespace-tolerant length-header mutations in major load balancers/CDNs).

Void Canonicalization: forcing canonicalization to error so signature-digest code treats the signed data as empty, combined with parser namespace/attribute inconsistencies to make signature verification and assertion processing diverge for full SAML auth bypass.

Chaining unauthenticated upstream metadata APIs to recursively reconstruct an entitlement workflow and reach protected media streams, guided by entropy-based discovery of the first sensitive reference (RRE).

Forcing bfcache to fall back to disk cache to reuse a leaked CSP nonce (via CSS exfiltration) while recaching only the injectable fetched content through cache-key manipulation, enabling nonce-based CSP bypass.

Bypassing search-term sanitization by abusing MySQL full-text boolean operator parsing and early-exit length checks to turn result-vs-error redirects into a blind oracle for enumerating otherwise-hidden thread titles.

Abusing .NET SOAP proxy generation from attacker-supplied WSDL to set a non-HTTP scheme that turns SOAP invocations into arbitrary file writes (and NTLM relay) culminating in webshell/script drop RCE.

Abusing production-whitelisted localhost OAuth origins/redirects on mobile by running a malicious loopback webserver to silently capture tokens via auto-reauthentication, plus exploiting mixed-content CORS allowing credentialed requests from insecure subdomains via MITM with browser-specific cookie behavior.

Using CL.0 desync with GET bodies to globally poison cached 3xx redirects so the Location header becomes a stealth C2 side channel.

New HTTP request smuggling primitives exploiting chunked parsing discrepancies via two-byte chunk-body terminator overreads and ambiguous trailer-section newline handling (including request merging enabled by early-response gadgets).

Weaponizing unvalidated forwarded headers to take over server-side URL construction and exploit WHATWG parser edge-cases to bypass path-based middleware and even whitelist patches, enabling SSRF and cache-poisoning SXSS.

Abusing server-side MDX evaluation for RCE, then leveraging cross-tenant static asset fetching and URL-encoded path traversal to trigger one-click XSS on customer domains and bypass the patch.

Chaining Markdown/HTML linkification and cross-product export layers to flip sanitized links into images and evade URL rewriting, enabling zero/one-click Workspace data exfiltration via indirect prompt injection.

Achieving Python RCE from dirty arbitrary file write by overwriting valid `.pyc` headers to load injected bytecode without restart, or more powerfully by dropping a compiled extension module that import resolution prefers over `.py`/`.pyc`, optionally forcing a re-import via process reload triggers.

DOM-based extension clickjacking that hides and repositions password-manager autofill UI injected into the page DOM so a single coerced click triggers secret autofill into attacker-controlled fields for exfiltration.

Triggering quirks mode via early PHP warnings to relax same-origin stylesheet MIME checks, then using 404-reflected text as a CSS sink plus :valid-based regex matching and frame-counting as a no-request oracle to exfiltrate secrets under CSP.

Predicting password-reset tokens by exploiting reduced Bash $RANDOM seed entropy (timestamp XOR without bit-shifting) to shrink the brute-force space to a feasible time window and achieve admin takeover.

Abusing Beego's filter-expression segment-overwrite quirk to smuggle disallowed fields past partial validation, plus Prisma auth bypass via type confusion that coerces user input into operator objects through common request parsers.

Leveraging Windows UNC paths via file/netdoc handlers to exfiltrate multi-line XXE data over SMB when JDK FTP/HTTP OOB channels are newline-sanitized.

Abusing browser navigation-blocking quirks (URL/protocol restrictions, induced error pages plus Navigation API history leakage, redirect-throttling via rapid same-site navigations, and sandboxing without allow-forms to suppress auto-submitted form redirects) to keep OAuth callback codes readable before they're consumed.

Abusing chunked-body line-terminator ambiguity inside ignored chunk extensions and oversized-chunk spill to create new request-smuggling differentials (including the newly identified EXT.TERM and spill-based variants) without relying on Content-Length vs Transfer-Encoding confusion.

State-aware WebSocket fuzzing that replays prerequisite handshake messages, isolates each payload in a fresh connection, then correlates all asynchronous responses captured within a time window using behavior-based anomaly metrics.

Chaining unauthenticated admission-webhook NGINX config injection with abusing client-body buffering plus ProcFS file-descriptor reuse to load a transient in-container shared library via an obscure directive during config testing for RCE.

CSV Injection but different!

Clickjacking Safari's unfocused, still-clickable TCC prompts by overlaying them with a pop-up and using rapid resize race-condition flicker or double-click window-closing to misdirect clicks into granting camera/mic/location permissions.

Chaining libxml2 parameter-entity expansion quirks with PHP stream wrappers and filter-chains to bypass nonet/double-parse/doctype checks, inline a compressed DTD via data:, and exfiltrate files over DNS.

Leveraging same-origin script execution to steal and replay OAuth authorization responses while "breaking" the redirect flow (e.g., via response-mode switching/window interruption) to perform authorization code injection that bypasses BFF and PKCE by harvesting server-set pre-auth cookies out-of-band.

Chaining arbitrary file-write via path traversal with ASP.NET MVC view resolution to get Razor execution by invoking a routed action (no extension) so the view engine loads and compiles a planted view file despite IIS extension whitelisting.

Weaponizing Unicode normalization mismatches (virtual confusables/best-fit mappings and truncation/overflow edge cases) to bypass validation and turn benign input into malicious behavior.

Bypassing PDF-renderer path-traversal mitigations via URL-decoding/double-encoding quirks and exploiting PDF-generation resource loaders to trigger phar stream-wrapper deserialization and "security hook runs too late" SSRF.

Abusing a strict connect-src allowlist by redirecting an auth-token POST to New Relic and then exfiltrating the JSON body via NRQL error-log sampling, enabled by a URL-parsing/authentication discrepancy that treats path-embedded key material as valid.

Cross-protocol application-layer desynchronization by MITM-switching a victim's implicit TLS connection onto an opportunistic TLS upgrade endpoint to inject pre-handshake messages and permanently misalign request/response streams.

Triggering server-initiated HTTP/2 stream resets via stream-scoped protocol errors after request admission to bypass MAX_CONCURRENT_STREAMS and drive unbounded backend work for DoS

Chaining Chromium HTMLCollection DOM clobbering with a library-driven node-removal gadget to null out an escaping function at runtime, then pivoting into an innerHTML iframe-attribute injection sink to bypass DOMPurify and get XSS.

Abusing implicit `toString` coercion to invoke a global "his.foo(this.bar)" gadget chain that pivots expression-sandbox member access into `eval` for DOM XSS, with a noted variant enabling argumentless function-call WAF bypass via `valueOf`-style coercion.

Leveraging reflected runtime errors to exfiltrate code/template-evaluation output and using conditional error triggering as a boolean-blind oracle for Code Injection and SSTI without time delays.

Racing Next.js's response-cache batcher by forcing disparate failing requests to collide on a shared error cache-key, leaking a transient pageProps HTML variant that can then be externally cached for poisoning-to-SXSS despite prior fixes.

Compromising widely embedded support widgets to inherit and weaponize delegated browser permissions at scale via account-takeover-to-widget-code-injection chains (XSS/HTML injection plus CSP bypasses).

Using Chromium connection-pool exhaustion plus deterministic host-sorting as a timing oracle to infer cross-origin fetch and redirect destinations (including subdomains) without injection.

Chaining CRLF response splitting into a same-origin script load that itself performs a second response split to emit truncated JavaScript, bypassing strict CSP via Content-Length/Transfer-Encoding manipulation ("nested response splitting").

The return of Zip Slip!

Exploiting an IPv6-specific multi-`@` userinfo parsing discrepancy between an OAuth redirect validator and the browser to bypass loopback-only allowlists and exfiltrate authorization codes for account takeover.

Chaining Go's case-insensitive JSON key matching, last-wins duplicate keys, and XML's tolerance for leading/trailing garbage to craft cross-format polyglot inputs that different services/parsers interpret differently, enabling authz/authn bypasses.