
Top 10 web hacking techniques of 2023 – nominations open


Security researchers have been actively sharing their findings with the community for the past year, presenting innovative ideas that hold the potential for further exploration and implementation in the future. However, with the vast amount of information being shared, many valuable techniques tend to get overlooked and forgotten quickly. To combat this issue, a community initiative has been going strong since 2006, where researchers come together yearly to compile two significant resources: a comprehensive list of notable web security research from the past year and a refined list of the top ten most impactful pieces of work.

This year, the community initiative is underway to collect and nominate the top web hacking techniques of 2023. The timeline for this year’s selection process includes collecting community nominations from January 9-21, followed by a community vote to create a shortlist of the top 15 from January 23-30. An expert panel will then vote on the final 15 nominees from February 1-13, with the results set to be announced on February 15.

The aim of the nominations is to showcase research that introduces novel and practical techniques that can be applied across different systems. While individual vulnerabilities like Log4Shell may be impactful in the moment, they tend to age poorly. On the other hand, underlying techniques such as JNDI Injection can be reused and have a longer-lasting impact. Nominations can also include refinements to existing attack classes, enhancing known techniques for greater effectiveness.

To make a nomination, researchers are encouraged to provide a URL to the research and a brief comment explaining the novelty and significance of the work. Researchers can nominate their own work if they believe it meets the criteria for being noteworthy. The nomination process aims to filter out non-web-focused submissions, tools, or entries that are not clearly innovative to ensure that the community vote remains manageable.

To keep up with the latest updates on the nomination process, researchers are encouraged to follow PortSwigger Research on Twitter or Albinowax on Infosec Exchange for notifications when the voting stage begins. The initiative has already seen a number of nominations, each accompanied by AI-assisted summaries for easier comprehension and evaluation.

The list of nominations covers a diverse range of topics, from vulnerabilities in mutual TLS to exploiting CORS misconfigurations for data exfiltration. It also includes techniques such as manipulating DNS responses for split-second attacks and exploiting OAuth vulnerabilities for account takeovers. Researchers are encouraged to explore these nominations and consider them for the top ten web hacking techniques of 2023.

In conclusion, the annual community initiative for selecting the top web hacking techniques serves as a platform to recognize and celebrate innovative research within the cybersecurity community. By highlighting novel and practical techniques, researchers contribute to the ongoing evolution and advancement of web security practices, ensuring that valuable discoveries do not go unnoticed.

