PortSwigger Reveals Top 10 Web Hacking Techniques of 2025
PortSwigger Research published the 19th annual Top 10 Web Hacking Techniques of 2025, highlighting the most innovative web security research from the past year.

PortSwigger Research has released its 19th annual Top 10 Web Hacking Techniques of 2025, a community-curated list of the most innovative web security research published over the past year. The compilation, announced on February 5, 2026, highlights novel attack techniques, vulnerability classes, and exploitation methods discovered by researchers worldwide. This year's list was shaped through a three-step collaboration: community nominations, community voting to build a shortlist of 15, and an expert panel that selected and ordered the 10 finalists.
The top spot was awarded to "Successful Errors: New Code Injection and SSTI Techniques" by Vladislav Korchagin. This research introduces new error-based techniques for exploiting blind server-side template injection (SSTI), including novel polyglot-based detection methods. By adapting old-school techniques associated with SQL injection and integrating them into a powerful open-source toolkit, Korchagin's work provides a comprehensive approach to exposing this attack class.
Second place went to "ORM Leaking More Than You Joined For" by Alex Brown, which evolves ORM leaks from a niche, framework-specific vulnerability into a generic methodology for exploiting search and filtering capabilities. As SQL injection fades into the background, this research offers creative ways to dump databases through object-relational mapping flaws.
Third place was awarded to "Novel SSRF Technique Involving HTTP Redirect Loops" by @shubs, described by panelist Soroush Dalili as "magic." The technique makes blind server-side request forgery (SSRF) visible through HTTP redirect loops. The detailed writeup of the discovery story provides rare insight into the messy truth behind great research findings.
Other notable entries include "Lost in Translation: Exploiting Unicode Normalization" (4th place) by Ryan and Isabella Barnett, which combines diverse exploit samples with updates to third-party tools including ActiveScan++. "SOAPwn: Pwning .NET Framework Apps Through HTTP Client Proxies And WSDL" (5th place) by Piotr Bazydło starts with a single flaw in HttpWebClientProtocol that Microsoft refused to fix, gradually developing it into a powerful exploitation sink enabling RCE on multiple products.
The list also features two XS-Leak techniques: "Cross-Site ETag Length Leak" (6th place) by Takeshi Kaneko, which crafts an elegant chain of multiple edge cases to leak response size cross-domain, and "XSS-Leak: Leaking Cross-Origin Redirects" (8th place) by Salvatore Abello, which uses Chrome's connection-pool prioritisation algorithm as an oracle to leak redirect hostnames cross-domain. "Next.js, cache, and chains: the stale elixir" (7th place) by Rachid Allam demonstrates internal cache poisoning in the heart of Next.js, while "Playing with HTTP/2 CONNECT" (9th place) by @flomb illustrates old flaws resurfacing in fresh protocol code. Rounding out the list, "Parser Differentials: When Interpretation Becomes a Vulnerability" (10th place) by @joernchen covers case studies affecting a broad range of languages, frameworks, and technologies.
This year, the community nominated 63 pieces of research, significantly fewer than the 121 submissions last year, possibly due to collective distraction by AI. The expert panel included Nicolas Grégoire, Soroush Dalili, STÖK, Fabian (LiveOverflow), and PortSwigger's own researcher. An in-person award ceremony with physical prizes is planned at a DEF CON village, with further details to be announced.