Top 10 web hacking techniques of 2025: call for nominations

James Kettle

Director of Research

@albinowax


Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable techniques can get buried, and even flashy findings eventually get eclipsed as everyone chases the next shiny logo.

Since 2006, the community has come together each year to turn that firehose into two useful resources:

If you want to dig through past nominees and winners or learn more about the project history, check out the full project archive. Otherwise, read on to find out how to make your nominations for 2025.

This year, we'll target the following timeline:

Timeline

What should I nominate?

The aim is to highlight research containing novel, practical techniques that can be re-applied to different systems. Individual vulnerabilities like Log4Shell are valuable at the time but typically age poorly, whereas the underlying techniques, such as JNDI injection, can be reapplied to great effect. Nominations can also be refinements to already-known attack classes, such as Exploiting XXE with Local DTD Files. For further examples, you might find it useful to check out previous years' top 10s.

Making a nomination

To submit, simply provide a URL to the research, and an optional brief comment explaining what's novel about the work. Feel free to make as many nominations as you like, and nominate your own work if you think it's worthy!

Click here to submit a nomination

Please note that I'll filter out nominations that are not web-focused, that are just tools, or that aren't clearly innovative, to keep the number of options in the community vote manageable. We don't collect email addresses; to get notified when the voting stage starts, follow @PortSwiggerRes on X, LinkedIn, or Bluesky.

Join the community

We'd love to hear from you! If you have any questions or you'd like to discuss this year's batch of research, join us in the #research channel on the PortSwigger Discord.

Nominations - last updated 2026-01-06

I've made a few nominations myself to get things started, and I'll update this list with fresh community nominations every few days. I've included AI-assisted summaries of each entry.

  • Eclipse on Next.js: Conditioned exploitation of an intended race-condition
    Racing Next.js's response-cache batcher by forcing disparate failing requests to collide on a shared error cache key, leaking a transient pageProps HTML variant that can then be cached externally, escalating cache poisoning to SXSS despite prior fixes.

  • Next.js, cache, and chains: the stale elixir
    Chaining a spoofable framework-internal header with Next.js data-request mechanisms to force-cache SSR JSON as HTML, enabling cache-poisoning DoS and stored XSS via stale-while-revalidate.

  • Unexpected security footguns in Go's parsers
    Chaining Go’s case-insensitive JSON key matching, last-wins duplicate keys, and XML’s tolerance for leading/trailing garbage to craft cross-format polyglot inputs that different services/parsers interpret differently, enabling authz/authn bypasses.

  • HTTP/1.1 must die: the desync endgame
    Leveraging Expect handling quirks and early-response gadgets to turn 0.CL deadlocks into reliable double-desync request smuggling that enables response queue poisoning and cross-tenant cache/content hijacking.

  • Under the Beamer
    Chaining Chromium HTMLCollection DOM clobbering with a library-driven node-removal gadget to null out an escaping function at runtime, then pivoting into an innerHTML iframe-attribute injection sink to bypass DOMPurify and get XSS.

  • Opossum Attack
    Cross-protocol application-layer desynchronization by MITM-switching a victim’s implicit TLS connection onto an opportunistic TLS upgrade endpoint to inject pre-handshake messages and permanently misalign request/response streams.

  • The Fragile Lock: Novel Bypasses For SAML Authentication
    Void Canonicalization: forcing canonicalization to error so signature-digest code treats the signed data as empty, combined with parser namespace/attribute inconsistencies to make signature verification and assertion processing diverge for full SAML auth bypass.

  • Funky chunks: abusing ambiguous chunk line terminators for request smuggling
    Abusing chunked-body line-terminator ambiguity inside ignored chunk extensions and oversized-chunk spill to create new request-smuggling differentials (including the newly identified EXT.TERM and spill-based variants) without relying on Content-Length vs Transfer-Encoding confusion.

  • Funky chunks – addendum: a few more dirty tricks
    New HTTP request smuggling primitives exploiting chunked parsing discrepancies via two-byte chunk-body terminator overreads and ambiguous trailer-section newline handling (including request merging enabled by early-response gadgets).

  • Cross-Site WebSocket Hijacking Exploitation in 2025
    Leveraging CSWSH via WebSocket-accessible GraphQL to bypass preflight-gated CSRF protections, plus showing that Private Network Access doesn’t apply to WebSockets so cross-origin WebSockets can still reach private-IP services.

  • SVG Filters - Clickjacking 2.0
    Abusing SVG filter pipelines on cross-origin iframes to read selected pixels and implement logic-gated, multi-step interactive clickjacking with exfiltration via user-scanned QR codes generated entirely inside the filter.

  • Nonce CSP bypass using Disk Cache
    Forcing bfcache to fall back to disk cache to reuse a leaked CSP nonce (via CSS exfiltration) while recaching only the injectable fetched content through cache-key manipulation, enabling nonce-based CSP bypass.

  • Novel SSRF Technique Involving HTTP Redirect Loops
    Exploiting redirect-loop status-code variation (cycling uncommon 3xx responses) to trigger an application error state that leaks the full SSRF redirect chain and final 200 response.

  • Lost in Translation: Exploiting Unicode Normalization
    Weaponizing Unicode normalization mismatches (virtual confusables/best-fit mappings and truncation/overflow edge cases) to bypass validation and turn benign input into malicious behavior.

  • SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
    Abusing .NET SOAP proxy generation from attacker-supplied WSDL to set a non-HTTP scheme that turns SOAP invocations into arbitrary file writes (and NTLM relay) culminating in webshell/script drop RCE.

  • Forcing Quirks Mode with PHP Warnings + CSS Exfiltration without Network Requests
    Triggering quirks mode via early PHP warnings to relax same-origin stylesheet MIME checks, then using 404-reflected text as a CSS sink plus :valid-based regex matching and frame-counting as a no-request oracle to exfiltrate secrets under CSP.

  • ORM Leaking More Than You Joined For
    Abusing Beego’s filter-expression segment-overwrite quirk to smuggle disallowed fields past partial validation, plus Prisma auth bypass via type confusion that coerces user input into operator objects through common request parsers.
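The Go parser behaviours summarised in the "Unexpected security footguns in Go's parsers" entry above, as an added example that is not part of this post or of the nominated research: a Go struct decoder matches keys case-insensitively and keeps the last duplicate, a json.Decoder stops after the first value and ignores what follows, and encoding/xml skips any text before the first start element, so one constructed payload reads differently depending on which service parses it. The User type, the Decode* functions and both payloads are hypothetical and constructed for this illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"encoding/xml"
	"fmt"
	"io"
)

// User is a hypothetical record that two services decode from the same bytes.
// The XMLName field tells encoding/xml which root element to expect; the
// json:"-" tag keeps it out of JSON decoding.
type User struct {
	XMLName xml.Name `json:"-" xml:"user"`
	Name    string   `json:"name" xml:"name"`
	Role    string   `json:"role" xml:"role"`
}

// Constructed payloads (not taken from the nominated research).
var (
	// An exact-key consumer sees role=user; a Go struct decoder matches both
	// "role" and "ROLE" to the Role field case-insensitively and keeps the last.
	CaseDupPayload = []byte(`{"name":"alice","role":"user","ROLE":"admin"}`)

	// A json.Decoder reads only the leading object (role=user) and ignores
	// what follows; encoding/xml skips the leading text and reads role=admin.
	JSONXMLPayload = []byte(`{"name":"alice","role":"user"}<user><name>alice</name><role>admin</role></user>`)
)

// DecodeJSONStruct is a Go service decoding into a typed struct with
// json.Unmarshal: keys match case-insensitively, duplicates are last-wins,
// and any bytes after the first JSON value are rejected.
func DecodeJSONStruct(payload []byte) (User, error) {
	var u User
	err := json.Unmarshal(payload, &u)
	return u, err
}

// DecodeJSONMap stands in for an exact-key consumer (a map here, or a parser
// in another language): "role" and "ROLE" stay separate keys.
func DecodeJSONMap(payload []byte) (map[string]any, error) {
	var m map[string]any
	err := json.Unmarshal(payload, &m)
	return m, err
}

// DecodeJSONStream is a service using json.Decoder, which reads exactly one
// JSON value and silently leaves anything after it (such as an XML document)
// unread.
func DecodeJSONStream(payload []byte) (User, error) {
	var u User
	err := json.NewDecoder(bytes.NewReader(payload)).Decode(&u)
	return u, err
}

// DecodeXML is a service using encoding/xml, which skips tokens before the
// first start element, so a JSON object in front of the XML is treated as
// ignorable character data.
func DecodeXML(payload []byte) (User, error) {
	var u User
	err := xml.Unmarshal(payload, &u)
	return u, err
}

// DecodeJSONOnly is the hardened streaming form: exactly one JSON value, no
// unknown fields, and nothing after it. Note that DisallowUnknownFields does
// not make key matching case-sensitive, so "ROLE" still lands in Role.
func DecodeJSONOnly(payload []byte) (User, error) {
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.DisallowUnknownFields()
	var u User
	if err := dec.Decode(&u); err != nil {
		return u, err
	}
	if _, err := dec.Token(); err != io.EOF {
		return u, fmt.Errorf("trailing data after JSON value: %v", err)
	}
	return u, nil
}

func main() {
	u, _ := DecodeJSONStruct(CaseDupPayload)
	m, _ := DecodeJSONMap(CaseDupPayload)
	fmt.Printf("struct decoder: role=%q; exact-key map: role=%v ROLE=%v\n", u.Role, m["role"], m["ROLE"])

	j, _ := DecodeJSONStream(JSONXMLPayload)
	x, _ := DecodeXML(JSONXMLPayload)
	_, err := DecodeJSONStruct(JSONXMLPayload)
	fmt.Printf("json.Decoder: role=%q; encoding/xml: role=%q; json.Unmarshal: %v\n", j.Role, x.Role, err)

	_, err = DecodeJSONOnly(JSONXMLPayload)
	fmt.Println("hardened decoder:", err)
}
```

Run it and compare the role each decoder reports for the same bytes: that disagreement between a validating front end and a consuming back end is the authz/authn differential the entry describes. The hardened DecodeJSONOnly catches the trailing XML but not the case-folded duplicate key; rejecting that needs an exact-key pass over the raw object, for example decoding into a map[string]json.RawMessage and checking the keys before filling the struct.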
