The 18th annual “Top 10 Web Hacking Techniques of 2024” recognized the year’s most significant web security research, selected through community nominations followed by expert panel voting.
From 121 initial nominations, 103 qualified entries were evaluated, culminating in the selection of the ten most innovative web security findings.
Confusion Attacks in Apache HTTP Server
Researchers found ways to make the Apache web server interpret a request differently than intended by exploiting ambiguities in how its modules process the same HTTP request. This can let attackers bypass security controls.
Revealed critical semantic ambiguities in Apache HTTP Server; recognized for exceptional depth and industry-wide impact.
SQL Injection Protocol Level Smuggling
A new way to perform SQL injection by manipulating how data is transmitted at the database protocol level, rather than only at the application level. It borrows memory-manipulation concepts traditionally seen in binary exploitation.
Applied binary memory-corruption concepts to web security; demonstrated novel query smuggling techniques.
TE.0 HTTP Request Smuggling
A technique that exploits how servers handle chunked Transfer-Encoding (TE) headers, allowing attackers to “smuggle” additional HTTP requests through Google Cloud’s infrastructure.
Discovered a critical vulnerability affecting websites hosted on Google Cloud; advanced the understanding of request smuggling attacks.
WorstFit: Windows ANSI Transformers
Discovered vulnerabilities in how Windows converts between character encodings, which can be exploited to bypass security filters and enable further attacks.
Exposed charset conversion vulnerabilities; led to multiple CVE discoveries.
DOMPurify Library Analysis
Found new ways to bypass DOMPurify (a popular HTML sanitization library) using mutation-based XSS (mXSS) attacks, where HTML that appears safe after sanitization transforms into malicious markup when the browser re-parses it.
Deep dive into HTML sanitization bypasses; established new mutation XSS primitives.
Double Clickjacking
A new user interface attack that tricks users into clicking hidden elements, bypassing traditional clickjacking protections such as frame-busting and SameSite cookies.
Introduced a UI redressing technique that bypasses existing mitigations; demonstrated practical exploitation potential.
PDF.js JavaScript Execution
Found a way to execute arbitrary JavaScript through PDF.js (a widely used PDF viewer), affecting the many applications that embed this library.
Revealed a critical vulnerability in a widely used PDF library; highlighted overlooked attack surfaces.
OAuth Non-Happy Path to ATO
Discovered how to take over accounts by exploiting edge cases in OAuth authentication flows, particularly through manipulation of the HTTP Referer header.
Demonstrated creative account takeover via OAuth; built upon previous OAuth exploitation research.
Wildcard Web Cache Deception
Used inconsistencies in web cache behavior to trick caching layers into storing sensitive responses, demonstrated by successfully attacking ChatGPT’s infrastructure.
Advanced web cache exploitation techniques; achieved ChatGPT account takeover.
OAuth Cookie Tossing
Exploited how browsers scope and handle cookies to hijack OAuth authentication flows, showing that even modern cookie protections can be bypassed in certain scenarios.
Novel application of cookie tossing for OAuth flow hijacking; highlighted persistent cookie security concerns.
This year’s research demonstrates significant advancement in web security understanding, particularly in the areas of protocol-level attacks, parser ambiguities, and authentication bypasses. The findings have broad implications for web application security and will likely influence security practices and research directions throughout 2025.
Source: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024