Top 10 web hacking techniques of 2018 - nominations open

[Nytro]

Top 10 web hacking techniques of 2018 - nominations open

James Kettle | 03 January 2019 at 14:43 UTC

 

 

Nominations are now open for the top 10 new web hacking techniques of 2018.

Every year countless security researchers share their findings with the community. Whether they're elegant attack refinements, empirical studies, or entirely new techniques, many of them contain innovative ideas capable of inspiring new discoveries long after publication.

And while some inevitably end up on stage at security conferences, others are easily overlooked amid a sea of overhyped disclosures, and doomed to fade into obscurity.

As such, each year we call upon the community to help us seek out, distil, and preserve the very best new research for future readers.

As with last year, we’ll do this in three phases:

• Jan 1st: Start to collect community nominations
• Jan 21st: Launch community vote to build shortlist of top 15
• Feb 11th: Panel vote on shortlist to select final top 10

 

Last year we decided to prevent conflicts of interest by excluding PortSwigger research, but found the diverse voting panel meant we needed a better system. We eventually settled on disallowing panelists from voting on research they’re affiliated with, and adjusting the final scores to compensate. This approach proved fair and effective, so having checked with the community we'll no longer exclude our own research.

 

To nominate a piece of research, either use this form or reply to this Twitter thread.

 

Feel free to make multiple nominations, and nominate your own research, etc. It doesn't matter whether the submission is a blog post, whitepaper, or presentation recording - just try to submit the best format available. If you want, you can take a look at past years’ top 10 to get an idea for what people feel constitutes great research.

 

You can find previous year's results here:

2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016/17.

Nominations so far

Here are the nominations so far. We're making offline archives of them all as we go, so we can replace any that go missing in future. I'll do a basic quality filter before the community vote starts.

 

• How I exploited ACME TLS-SNI-01 issuing Let’s Encrypt SSL-certs for any domain using shared hosting
• Kicking the Rims - A Guide for Securely Writing and Auditing Chrome Extensions | The Hacker Blog
• EdOverflow | An analysis of logic flaws in web-of-trust services.
• OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
• PowerPoint Presentation - OWASP_AppSec_EU18_WordPress.pdf
• Scratching the surface of host headers in Safari
• RCE by uploading a web.config – 003Random’s Blog
• Security: HTTP Smuggling, Apsis Pound load balancer | RBleug
• Piercing the Veil: Server Side Request Forgery to NIPRNet access
• inputzero: A bug that affects million users - Kaspersky VPN | Dhiraj Mishra
• inputzero: Telegram anonymity fails in desktop - CVE-2018-17780 | Dhiraj Mishra
• inputzero: An untold story of skype by microsoft | Dhiraj Mishra
• Neatly bypassing CSP – Wallarm
• Large-Scale Analysis of Style Injection by Relative Path Overwrite - www2018rpo_paper.pdf
• Beyond XSS: Edge Side Include Injection :: GoSecure
• GitHub - HoLyVieR/prototype-pollution-nsec18: Content released at NorthSec 2018 for my talk on prototype pollution
• Logically Bypassing Browser Security Boundaries - Speaker Deck
• Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out

 

James Kettle

@albinowax

 

Sursa: https://portswigger.net/blog/top-10-web-hacking-techniques-of-2018-nominations-open