Every year, numerous security researchers choose to share their findings with the community through conference presentations, blog posts, whitepapers, videos, and even simple disclosures. This is great, but the sheer volume and diversity means understated discoveries from aspiring researchers can be overlooked. Even flashy vulnerabilities eventually get eclipsed and forgotten, as people chase after the next shiny logo. While well-established risks are tracked by the OWASP Top Ten and Testing Guide, new threats are easily lost.
Since 2006, Jeremiah Grossman and Matt Johansen have annually collaborated with the infosec community to pick the top 10 web hacking techniques of each year. This has been invaluable in drawing deserved attention to the most exciting and innovative research to have come out of the community.
This collaboration has produced two indispensable resources every year - a refined selection of ten must-read publications relevant to everyone in web security, and a vast list of research for other would-be researchers.
Beginning life on Jeremiah's blog, then moving to WhiteHat's in 2011, this project unfortunately stopped in 2015. However, we believe it's needed now more than ever. In 2017, we at PortSwigger decided to pick up the torch.
Since then, we've teamed up with the community and a cross-company panel of experts to select the year's most innovative, must-read pieces of research:
We wanted to make sure you could access all of the techniques and research collated during this ongoing project. That's why you can find the older, non-PortSwigger posts here. Where posts have disappeared, we've substituted archive links:
2015, 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006.
Wondering what might land in this year's top 10 web hacking techniques? You can find some promising candidates by following @PortSwiggerRes on Twitter, and in our r/websecurityresearch subreddit.