Top 10 web hacking techniques of 2024: nominations open

James Kettle

Director of Research

@albinowax


Nominations are now open for the top 10 new web hacking techniques of 2024!

Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, and whitepapers. These contributions are all invaluable, but some stand out for their innovative approaches and the potential to be re-applied or adapted in new ways. Since 2006, the community has come together annually to sift through this wealth of research and identify the top ten techniques that truly push the boundaries of web security.

Now it’s time to look back on 2024’s breakthroughs and forward to recognizing the most influential, inventive, and reusable research. Whether you’re an industry veteran or new to the project, you can explore our dedicated top 10 page to learn about the origins, history, and purpose of this initiative—plus an archive of past winners and highlights. Nominate your favorites, cast your votes, and help us crown the standout web hacking techniques of 2024!

This year, we'll target the following timeline:

Timeline

What should I nominate?

The aim is to highlight research containing novel, practical techniques that can be re-applied to different systems. Individual vulnerabilities like log4shell are valuable at the time but typically age poorly, whereas underlying techniques such as JNDI Injection can be reapplied to great effect. Nominations can also be refinements to already-known attack classes, such as Exploiting XXE with Local DTD Files. For further examples, you might find it useful to check out previous years' top 10s.

Making a nomination

To submit, simply provide a URL to the research, and an optional brief comment explaining what's novel about the work. Feel free to make as many nominations as you like, and nominate your own work if you think it's worthy!

Click here to submit a nomination

Please note that I'll filter out nominations that are non-web-focused, just tools, or not clearly innovative, to keep the number of options in the community vote manageable. We don't collect email addresses - to get notified when the voting stage starts, follow @PortSwiggerRes on X, LinkedIn, or BlueSky.

Nominations

I've made a few nominations myself to get things started, and I'll update this list with fresh community nominations every few days. In the spirit of excessive automation, I've included AI-assisted summaries of each entry.

  • Gotta cache 'em all: bending the rules of web cache exploitation
    Novel techniques exploiting URL parsing discrepancies to achieve arbitrary web cache poisoning and deception.

  • Listen to the whispers: web timing attacks that actually work
    Making HTTP/2 timing attacks feasible and effective across diverse web environments by addressing network and server noise through novel techniques like single-packet sync and exploiting scoped SSRF opportunities.

  • Splitting the email atom: exploiting parsers to bypass access controls
    Exploiting email parsing discrepancies using encoded words and unicode overflows for access control bypass and potential RCE in web applications.

  • Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
    Exploiting architectural flaws in Apache HTTP Server's module interactions to achieve insecure path access, predictable handler manipulation, and authentication bypass.

  • Insecurity through Censorship: Vulnerabilities Caused by The Great Firewall
    Exploiting China's DNS poisoning for subdomain takeover via Fastly or XSS via vulnerable cPanel installations.

  • Bypassing WAFs with the phantom $Version cookie
    Bypassing WAFs using legacy support in cookie parsers through the $Version attribute and quoted-string encoding.

  • ChatGPT Account Takeover - Wildcard Web Cache Deception
    Exploiting path traversal confusion in CDN and web server URL parsing to cache sensitive API endpoints for auth token theft.

  • Why Code Security Matters - Even in Hardened Environments
    Exploiting an arbitrary file write vulnerability in a Node.js application to achieve remote code execution by writing to pipe file descriptors exposed via procfs.

  • Remote Code Execution with Spring Properties
    Leveraging Spring Boot's logging configuration properties to achieve remote code execution through Logback's JoranConfigurator.

  • Exploring the DOMPurify library: Bypasses and Fixes
    Mutation XSS by leveraging node flattening, stack of open elements, and namespace confusion to bypass DOMPurify.

  • Bench Press: Leaking Text Nodes with CSS
    Leaking text node content by using CSS animations to measure character heights and exfiltrating data via image requests.

  • Source Code Disclosure in ASP.NET apps
    Using .NET cookieless sessions to obtain source code.

  • http-garden: Differential fuzzing REPL for HTTP implementations.
    Platform for finding novel HTTP request smuggling vectors.

  • plORMbing your Prisma ORM with Time-based Attacks
    Using time-based attacks on Prisma ORM to leak sensitive data by crafting queries that exploit relational filtering to cause significant execution delays.

  • Introducing lightyear: a new way to dump PHP files
    Automated high-speed exploitation with PHP filter chains.

  • The Ruby on Rails _json Juggling Attack
    The _json juggling attack manipulates JSON parameters to bypass authorization in Ruby on Rails by exploiting the handling of _json keys.

  • Encoding Differentials: Why Charset Matters
    Exploiting ISO-2022-JP encoding to bypass sanitization and inject JavaScript when charset information is missing.

  • A Race to the Bottom - Database Transactions Undermining Your AppSec
    Detailed analysis of patterns that enable race condition attacks on database transactions.

  • Response Filter Denial of Service (RFDoS): shut down a website by triggering WAF rule
    DoS technique exploiting overly inclusive WAF rules to block legitimate content delivery.

  • Unveiling TE.0 HTTP Request Smuggling: Discovering a Critical Vulnerability in Thousands of Google Cloud Websites
    A novel HTTP Request Smuggling vector affecting Google Cloud-hosted websites.

  • DoubleClickjacking: A New Era of UI Redressing
    DoubleClickjacking exploits the timing gap between mousedown and onclick events to bypass clickjacking protections and hijack user actions.

  • Devfile file write vulnerability in GitLab
    Exploiting YAML parser differentials and path traversal in tar file extraction to achieve arbitrary file write in GitLab.

  • Breaking Down Multipart Parsers: File upload validation bypass
    Techniques to bypass multipart/form-data parsers by exploiting discrepancies in parameter handling, boundary recognition, and content validation, including duplicated parameters, omission of necessary delimiters, and alternate encoding sequences.

  • Supply Chain Attacks: A New Era
    Bypassing Lavamoat’s policy file sandboxing through crafted multiline source map comments and evading SnowJS realm isolation via the deprecated document.execCommand function.

  • Abusing Intended Feature And Bypassing Facial Recognition.pptx
    Bypassing facial recognition by exploiting AI's inability to distinguish between live human faces and deepfake images.

  • Arc Browser UXSS, Local File Read, Arbitrary File Creation and Path Traversal to RCE
    Techniques to exploit Arc Browser include installing malicious boosts via UI spoofing, achieving Local File Read and Path Traversal for Remote Code Execution by manipulating boost configuration paths.

  • Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit
    Expanding single-packet attack's capabilities by utilizing IP fragmentation and TCP sequence number reordering to exploit limit-overrun vulnerabilities.

  • HTTP/2 CONTINUATION Flood: Technical Details
    HTTP/2 CONTINUATION Flood attack enables denial of service by exhausting server resources with an unending stream of headers lacking an END_HEADERS flag.

  • Exploring Javascript events & Bypassing WAFs via character normalization
    AI fail

  • From Arbitrary File Write to RCE in Restricted Rails apps
    Abusing Bootsnap's cache manipulation to execute arbitrary code in restricted Rails environments.

  • Go Go XSS Gadgets: Chaining a DOM Clobbering Exploit in the Wild
    Chaining DOM Clobbering with postMessage and CSP bypasses to escalate XSS.

  • Statamic CMS
    Path traversal through filename manipulation in file uploads.

  • Exploiting Number Parsers in JavaScript
    Exploiting discrepancies in JavaScript number parsers for DoS via parameter pollution.

  • [EN] Unsecure time-based secret and Sandwich Attack
    AI fail

  • DoubleClickjacking: A New Era of UI Redressing
    DoubleClickjacking is a novel UI redressing technique exploiting timing and event-order quirks in double-click sequences to bypass clickjacking protections.

  • Cross Window Forgery: A New Class of Web Attack
    The paper introduces "Cross Window Forgery," a new web attack technique using browser navigation and keystrokes to execute actions on different websites via URL fragments.

  • Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF
    Exploiting Client-Side Path Traversal for CSRF by chaining GET and POST actions (CSPT2CSRF).

  • Class Pollution in Ruby: A Deep Dive into Exploiting Recursive Merges
    Recursive merge technique in Ruby to achieve class pollution for privilege escalation and RCE.

  • Unveiling the Prototype Pollution Gadgets Finder
    Automated exploitation of server-side prototype pollution using gadget identification.

  • Hijacking OAUTH flows via Cookie Tossing
    Hijacking OAUTH flows via Cookie Tossing for Account Takeovers.

  • Break the Wall from Bottom: Automated Discovery of Protocol-Level Evasion Vulnerabilities in Web Application Firewalls
    Automated discovery of protocol-level evasion vulnerabilities in WAFs using a novel testing methodology that exploits parsing discrepancies between WAF and web applications.

  • Old new email attacks
    Exploiting inconsistent parsing of email headers across services for email spoofing and SMTP injection.

  • CVE-2023-5480: Chrome new XSS Vector
    Exploiting Service Worker registration in JIT-installed workers for XSS via manipulated payment manifests in Chrome.

  • Wormable XSS www.bing.com. XSS on www.bing.com context via Maps…
    Wormable XSS on Bing using KML file and mixed-case JavaScript to bypass blacklist.

  • Another vision for SSRF
    Using SSRF to capture session cookies by directing requests to a controlled server.

  • WorstFit: Unveiling Hidden Transformers in Windows ANSI!
    Exploiting Windows Best-Fit character conversion for attacks like Path Traversal, Argument Injection, and RCE across various applications.
