
Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable techniques can get buried, and even flashy findings eventually get eclipsed as everyone chases the next shiny logo.
Since 2006, the community has come together each year to turn that firehose into two useful resources:
- A lightly curated list of notable web security research from the last year
- A focused top ten of the most valuable, must-read work
If you want to dig through past nominees and winners or learn more about the project history, check out the full project archive. Otherwise, read on to find out how to make your nominations for 2025.
This year, we'll target the following timeline:
Timeline
- Jan 6-13: Collect community nominations for the top research from 2024
- Jan 14-21: Community votes on nominations to build a shortlist of the top 15
- Jan 22: Launch panel vote on shortlist to select and order the 10 finalists
- Feb 03: Publish top 10 web hacking techniques of 2025!
What should I nominate?
The aim is to highlight research containing novel, practical techniques that can be re-applied to different systems. Individual vulnerabilities like log4shell are valuable at the time but typically age poorly, whereas underlying techniques such as JNDI Injection can be reapplied to great effect. Nominations can also be refinements to already-known attack classes, such as Exploiting XXE with Local DTD Files. For further examples, you might find it useful to check out previous years' top 10s.
Making a nomination
To submit, simply provide a URL to the research, and an optional brief comment explaining what's novel about the work. Feel free to make as many nominations as you like, and nominate your own work if you think it's worthy!
Please note that I'll filter out nominations that are non-web focused, just tools, or not clearly innovative to keep the number of options in the community vote manageable. We don't collect email addresses - to get notified when the voting stage starts, follow @PortSwiggerRes on X, LinkedIn, or BlueSky.
Join the community
We'd love to hear from you! If you have any questions or you'd like to discuss this year's batch of research, join us in the #research channel on the PortSwigger Discord.
Nominations - last updated 2026-01-06
I've made a few nominations myself to get things started, and I'll update this list with fresh community nominations every few days. I've included AI-assisted summaries of each entry.
Eclipse on Next.js: Conditioned exploitation of an intended race-condition
Racing Next.js’s response-cache batcher by forcing disparate failing requests to collide on a shared error cache-key, leaking a transient pageProps HTML variant that can then be externally cached for poisoning-to-SXSS despite prior fixes.
Next.js, cache, and chains: the stale elixir
Chaining a spoofable framework-internal header with Next.js data-request mechanisms to force-cache SSR JSON as HTML, enabling cache-poisoning DoS and stored XSS via stale-while-revalidate.
Unexpected security footguns in Go's parsers
Chaining Go’s case-insensitive JSON key matching, last-wins duplicate keys, and XML’s tolerance for leading/trailing garbage to craft cross-format polyglot inputs that different services/parsers interpret differently, enabling authz/authn bypasses.
HTTP/1.1 must die: the desync endgame
Leveraging Expect handling quirks and early-response gadgets to turn 0.CL deadlocks into reliable double-desync request smuggling that enables response queue poisoning and cross-tenant cache/content hijacking.
Under the Beamer
Chaining Chromium HTMLCollection DOM clobbering with a library-driven node-removal gadget to null out an escaping function at runtime, then pivoting into an innerHTML iframe-attribute injection sink to bypass DOMPurify and get XSS.
Opossum Attack
Cross-protocol application-layer desynchronization by MITM-switching a victim’s implicit TLS connection onto an opportunistic TLS upgrade endpoint to inject pre-handshake messages and permanently misalign request/response streams.
The Fragile Lock: Novel Bypasses For SAML Authentication
Void Canonicalization: forcing canonicalization to error so signature-digest code treats the signed data as empty, combined with parser namespace/attribute inconsistencies to make signature verification and assertion processing diverge for full SAML auth bypass.
Funky chunks: abusing ambiguous chunk line terminators for request smuggling
Abusing chunked-body line-terminator ambiguity inside ignored chunk extensions and oversized-chunk spill to create new request-smuggling differentials (including the newly identified EXT.TERM and spill-based variants) without relying on Content-Length vs Transfer-Encoding confusion.
Funky chunks – addendum: a few more dirty tricks
New HTTP request smuggling primitives exploiting chunked parsing discrepancies via two-byte chunk-body terminator overreads and ambiguous trailer-section newline handling (including request merging enabled by early-response gadgets).
Cross-Site WebSocket Hijacking Exploitation in 2025
Leveraging CSWSH via WebSocket-accessible GraphQL to bypass preflight-gated CSRF protections, plus showing that Private Network Access doesn’t apply to WebSockets so cross-origin WebSockets can still reach private-IP services.
SVG Filters - Clickjacking 2.0
Abusing SVG filter pipelines on cross-origin iframes to read selected pixels and implement logic-gated, multi-step interactive clickjacking with exfiltration via user-scanned QR codes generated entirely inside the filter.
Nonce CSP bypass using Disk Cache
Forcing bfcache to fall back to disk cache to reuse a leaked CSP nonce (via CSS exfiltration) while recaching only the injectable fetched content through cache-key manipulation, enabling nonce-based CSP bypass.
Novel SSRF Technique Involving HTTP Redirect Loops
Exploiting redirect-loop status-code variation (cycling uncommon 3xx responses) to trigger an application error state that leaks the full SSRF redirect chain and final 200 response.
Lost in Translation: Exploiting Unicode Normalization
Weaponizing Unicode normalization mismatches (virtual confusables/best-fit mappings and truncation/overflow edge cases) to bypass validation and turn benign input into malicious behavior.
SOAPwn: Pwning .NET Framework Applications Through HTTP Client Proxies And WSDL
Abusing .NET SOAP proxy generation from attacker-supplied WSDL to set a non-HTTP scheme that turns SOAP invocations into arbitrary file writes (and NTLM relay) culminating in webshell/script drop RCE.
Forcing Quirks Mode with PHP Warnings + CSS Exfiltration without Network Requests
Triggering quirks mode via early PHP warnings to relax same-origin stylesheet MIME checks, then using 404-reflected text as a CSS sink plus :valid-based regex matching and frame-counting as a no-request oracle to exfiltrate secrets under CSP.
ORM Leaking More Than You Joined For
Abusing Beego’s filter-expression segment-overwrite quirk to smuggle disallowed fields past partial validation, plus Prisma auth bypass via type confusion that coerces user input into operator objects through common request parsers.
Article source: https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open