• Published: 09 January 2024 at 14:33 UTC

• Updated: 09 January 2024 at 14:38 UTC

Nominations are now open for the top 10 new web hacking techniques of 2023!

Over the last year, numerous security researchers have shared their discoveries with the community through blog posts, presentations and whitepapers. Many of these posts contain innovative ideas waiting for the right person to adapt and combine them into new discoveries in future.

However, the sheer volume can leave good techniques overlooked and quickly forgotten. Since 2006, the community has come together every year to help by building two valuable resources

• A full list of all notable web security research from the last year
• A refined list of the top ten most valuable pieces of work

Check out the full project archive for past nominees and winners. Read on to find out how you can make your nominations from 2023!

This year, we'll target the following timeline:

Timeline

• Jan 9-21: Collect community nominations
• Jan 23-30: Community vote to build shortlist of top 15
• Feb 1-13: Expert panel vote on final 15
• Feb 15: Results announced!

What should I nominate?

The aim is to highlight research containing novel, practical techniques that can be re-applied to different systems. Individual vulnerabilities like log4shell are valuable at the time but age relatively poorly, whereas underlying techniques such as JNDI Injection can often be reapplied to great effect. Nominations can also be refinements to already-known attack classes, such as Exploiting XXE with Local DTD Files. For further examples, you might find it useful to check out previous year's top 10s.

How to make a nomination

To submit, simply provide a URL to the research, and an optional brief comment explaining what's novel about the work. Feel free to make as many nominations as you like, and nominate your own work if you think it's worthy! 

Click here to submit a nomination

Please note that I'll filter out weaker nominations and merge overlapping ones to keep the number of options in the community vote manageable. We don't collect email addresses - to get notified when the voting stage starts, follow @PortSwiggerRes or @[email protected].

Nominations so far

I've made a few nominations myself to get things started, and I'll update this list with fresh community nominations every few days.

• Ransacking your password reset tokens
• mTLS: When certificate authentication is done wrong
• Smashing the state machine: the true potential of web race conditions
• Bypass firewalls with of-CORs and typo-squatting
• RCE via LDAP truncation on hg.mozilla.org
• Cookie Bugs - Smuggling & Injection
• OAuth 2.0 Redirect URI Validation Falls Short, Literally
• Prototype Pollution in Python - Abdulrah33m's Blog
• Pretalx Vulnerabilities: How to get accepted at every conference
• From Akamai to F5 to NTLM... with love.
• can I speak to your manager? hacking root EPP servers to take control of zones
• Blind CSS Exfiltration: exfiltrate unknown web pages
• Compromising F5 BIGIP with Request Smuggling
• Server-side prototype pollution: Black-box detection without the DoS
• Tricks for Reliable Split-Second DNS Rebinding in Chrome and Safari
• HTML Over the Wire
• SMTP Smuggling - Spoofing E-Mails Worldwide
• DOM-based race condition: racing in the browser for fun
• Metamask Snaps: Playing in the Sand
• You Are Not Where You Think You Are, Opera Browsers Address Bar Spoofing Vulnerabilities
• CVE-2022-4908: SOP bypass in Chrome using Navigation API
• Code Vulnerabilities Put Proton Mails at Risk

Back to all articles