Top 10 Web Hacking Techniques of 2017 - Nominations Open

James Kettle

Director of Research

@albinowax

• Published: 17 July 2018 at 15:32 UTC

• Updated: 09 February 2023 at 16:03 UTC

Update: the results are now in!

Nominations are now open for the Top 10 Web Hacking Techniques of 2017.

Every year, numerous security researchers choose to share their findings with the community through conference presentations, blog posts, whitepapers, videos, and even simple disclosures. This is great, but the sheer volume and diversity means understated discoveries from aspiring researchers can be overlooked, and even flashy vulnerabilities eventually get eclipsed and forgotten as people chase after the next shiny logo. 

To help draw deserved attention to the most exciting and innovative research, since 2006 Jeremiah Grossman and Matt Johansen have annually collaborated with the infosec community to pick the top 10 new web hacking techniques of each year. Each year this produced two invaluable resources - a refined selection of ten must-read publications relevant to everyone in web security, and a vast list of research for other would-be researchers.

This was initially run on Jeremiah’s blog, then moved to WhiteHat’s in 2011:2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, and 2015.

Unfortunately it stopped in 2015, but I believe it’s needed now more than ever, so we’ve decided to pick up the torch at PortSwigger.

It’s a bit late in the year, but we’ll start right now with the top web hacking techniques of 2017.

Here’s the plan:

• Now: Start collecting and verifying community nominations.
  
• August: We’ll launch a community vote to elect a shortlist.
• September: A small panel of experts will vote on the shortlist to select the top 10, and we’ll publish the results.

To keep things clean, we'll be excluding our own research from the top ten.

To nominate a piece of research, either reply to this Twitter post, comment on this Reddit thread, or use this form. Feel free to make multiple nominations, and nominate your own research, etc. If you want, you can take a look at past years’ top 10 to get a feeling for what people feels constitutes great research. Also, since 2016 was missed out, feel free to submit any particularly outstanding research from then.

Finally, whether this is successful or not ultimately depends on community involvement. We appreciate your contributions!

Nominations so far

Here are the nominations so far. We're making offline archives of them all as we go, so we can replace any that go missing in future. A few people nominated research published in 2018, so I've added that to a separate list for next year.

• How I hacked hundreds of companies through their helpdesk
• Web Cache Deception Attack
• GitHubs post-CSP journey
• Request encoding to bypass web application firewalls
• Binary Webshell Through OPcache in PHP 7
• A deep dive into AWS S3 access controls taking full control over your assets
• CVE-2018-5175: Universal CSP strict-dynamic bypass in Firefox
• HaXmas: The True Meaning(s) of Metasploit
• The Good, The Bad and The Ugly of Safari in Client-Side Attacks
• Modern Alchemy: Turning XSS into RCE
• My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, e
• Dont Trust The DOM: Bypassing XSS Mitigations Via Script Gadgets
• From Markdown to RCE in Atom
• The Absurdly Underestimated Dangers of CSV Injection
• Rare ASP.NET request validation bypass using request encoding
• Password Not Provided - Compromising Any Flurry Users Account
• $10k host header
• The .io Error - Taking Control of All .io Domains With a Targeted Registration
• Pivoting from blind SSRF to RCE with HashiCorp Consul
• Exploiting the unexploitable with lesser known browser tricks
• Why CSP Should be carefully crafted: Twitter XSS CSP Bypass 
• Text/Plain Considered Harmful
• Autobinding vulns and Spring MVC
• Stealing Messenger.com Login Nonces
• Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token
• 1139 - cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory
• The Attack of the Alerts and the Zombie Script (IE)
• Shopware 5.3.3: PHP Object Instantiation to Blind XXE
• Assorted WordPress DB prepare exploits
• A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
• Cure53 Browser Security Whitepaper
• Friday-The-13th-JSON-Attacks-wp.pdf
• X41 Browser Security Whitepaper
• How I used google dorks to find 0-days
• MITM Attacks on HTTPS: Another Perspective
• Google Maps XSS (by fiddling with Protobuf)
• Advanced Flash Vulnerabilities

Back to all articles