I thought I should document this whilst we are still in 2018…
We used to have Top 10 Web Hacking Techniques every year but it suddenly stopped! After having a private conversation with James Kettle in Twitter, he decided to stand up for this and PortSwigger (the company behind Burp Suite) kindly supported it. The full story can be read here: Top 10 Web Hacking Techniques of 2017 – Nominations Open
I was lucky enough to be on the voting panel despite having a nomination (I couldn’t vote for myself obviously). In the end, I felt honoured that my request encoding technique to bypass WAFs came in the Top 10 2017 (#8 to be exact). There were seriously good research works and I recommend you to check them out: Top 10 Web Hacking Techniques of 2017
I have always tried to share with the AppSec community as that also enable me to learn more by reading other people’s work or research. The last time I was on the Top 10 was 2009 for the IIS semicolon bug (remember file.asp;.txt bypass technique on IIS6?) so good to be back (#6):Â Top Ten Web Hacking Techniques of 2009 (Official)Â
Although there has always been discussions on the type of submissions such as techniques vs one time vulnerabilities as well as voting patterns, having a list of web related submissions is always useful and we now have it for 2017!