Published: 05 January 2022 at 14:35 UTC
Updated: 31 January 2022 at 15:02 UTC
Update: nominations are now closed, but voting is live! Cast your vote here.
Nominations are now open for the top 10 new web hacking techniques of 2021!
Every year security researchers share their discoveries via blog posts, presentations, and whitepapers. Every write-up is valuable, but some contain something special - innovative ideas and techniques that can be re-applied elsewhere. Since 2006, the security community has annually joined forces to sift through the year's findings and uncover the top ten pieces of research, selected for their innovation and lasting impact. At PortSwigger Research we're proud to be hosting this once again.
If this is your first time encountering this project, you can find the full origin, history and purpose of this project on our dedicated top 10 page, along with an archive of past winners and explanation of how it differs from related projects like the OWASP Top Ten.
Today: Start collecting community nominations for the top research from 2021.
Jan 17: Launch community vote to build a shortlist of the top 15.
Jan 24: Launch panel vote on shortlist to select and order the 10 finalists.
Feb 08: Publish top 10 of 2021!
The aim is to highlight research containing novel, practical techniques that can be re-applied to different systems. Individual vulnerabilities like Log4Shell are valuable at the time but typically age poorly, whereas underlying techniques such as JNDI injection can be reapplied to great effect. Nominations can also be refinements to already-known attack classes, such as Exploiting XXE with Local DTD Files. For further examples, you might find it useful to check out previous years' top 10s.
To submit, simply provide a URL to the research, and an optional brief comment explaining what's novel about the work. Feel free to make as many nominations as you like, and nominate your own research if you think it's worthy! I'll filter out weaker nominations and merge overlapping ones to keep the total number manageable.
We don't collect email addresses - to get notified when the voting stage starts, follow @PortSwiggerRes on Twitter.