Published: Thursday, 5 February 2026 at 15:28 UTC
Updated: Friday, 6 February 2026 at 08:07 UTC
Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year.
This post is the culmination of a three-step collaboration with the security community. Over the last month:
We're hoping to wrap up with an in-person award ceremony with physical prizes at a DEF CON village - stay tuned for further details on this.
This year, the community nominated 63 pieces of research as contenders. This is significantly fewer than the crazy 121 submissions last time, possibly because we collectively got distracted by AI. That said, it's back in line with historical nomination numbers from 2022 and 2023.
I was honoured to see the fifteen finalists from the community vote included my own talk HTTP/1.1 Must Die: the desync endgame, but as usual I've excluded it from the final top ten.
An expert panel consisting of Nicolas Grégoire, Soroush Dalili, STÖK, Fabian (LiveOverflow), and myself has reviewed the finalists and we're thrilled to bring you the top ten web hacking techniques of 2025!
In tenth place, we've got Parser Differentials: When Interpretation Becomes a Vulnerability by @joernchen, featuring case studies affecting a broad range of languages, frameworks and technologies. There's sadly no accompanying whitepaper but this presentation is an excellent starting point for someone looking for ideas to get started with their own research.
HTTP/2 has been around for a while now but still rewards researchers who aren't scared of RFC-diving and custom tool development. Whenever a new protocol emerges you'll find old flaws resurfacing in fresh code, and Playing with HTTP/2 CONNECT illustrates this succinctly, with internal port-scan tooling. As support for HTTP/2 CONNECT spreads, this research from @flomb is another great candidate to build on.
Don't be fooled by the name - XSS-Leak: Leaking Cross-Origin Redirects by Salvatore Abello has nothing to do with XSS. This beautiful attack uses Chrome's connection-pool prioritisation algorithm as an oracle to leak redirect hostnames cross-domain. Even if Chrome patches their algorithm, this post will remain valuable as an inspiration for future XS-Leaks.
While standalone web cache poisoning is well-understood, internal cache poisoning remains an overlooked and distinctly scary variant. The moment I saw Next.js, cache, and chains: the stale elixir back in January last year, I knew it was destined for the top ten. In this writeup of a critical vulnerability in the heart of next.js, Rachid Allam shows how to use source-code analysis to piece together masterful attacks and naturally leaves us wondering what surprises are lurking in other popular frameworks.
The second XS-Leak to land in this year's top ten, Cross-Site ETag Length Leak was first discovered as an unintended solution to a CTF. Takeshi Kaneko crafts an elegant chain of multiple edge-cases to leak the response-size cross-domain. It takes the edge over the origin-leak technique due to being slightly more versatile - and harder to patch.
SOAPwn starts with a single flaw in HttpWebClientProtocol that Microsoft refused to fix. Piotr Bazydło then gradually develops this into a powerful exploitation sink enabling RCE on a bunch of products. Don't be put off by the 93-page whitepaper - it's surprisingly easy to read.
Unicode normalization attacks have lurked on the edge of testing methodologies for years, periodically grabbing the limelight before fading into the background. In Lost in Translation, Ryan & Isabella Barnett tackle this vast research topic, combining diverse exploit samples with updates to third-party tools including ActiveScan++. Ryan's unique vantage point at a major WAF vendor, seeing what attacks actually get used in the wild, makes this the highly practical talk that Unicode deserves.
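The root cause behind most Unicode normalization bugs is ordering: input is validated in its raw form and only later normalized (NFKC for case-insensitive matching, search, or storage), at which point compatibility characters collapse into the very ASCII the validator was meant to block. The following is an added illustration, not code from the talk or from ActiveScan++; the forbidden-character list and the fullwidth-bracket sample are constructed for the example.

```python
import unicodedata
from typing import List, Optional, Tuple

# Constructed example: the characters a naive "no HTML metacharacters" check blocks.
FORBIDDEN = set("<>\"'&")


def validate(value: str) -> bool:
    """True when none of the forbidden characters is present."""
    return not (set(value) & FORBIDDEN)


def store_naive(value: str) -> Optional[str]:
    """Bug: validate the raw input, then NFKC-normalize it.

    Fullwidth '<' (U+FF1C) passes the check and becomes ASCII '<' afterwards.
    """
    if not validate(value):
        return None
    return unicodedata.normalize("NFKC", value)


def store_fixed(value: str) -> Optional[str]:
    """Fix: normalize first, then validate the canonical form that is actually stored or rendered."""
    canonical = unicodedata.normalize("NFKC", value)
    if not validate(canonical):
        return None
    return canonical


def nfkc_changes(value: str) -> List[Tuple[str, str]]:
    """Audit helper: list every character whose NFKC form differs from itself."""
    changes = []
    for ch in value:
        norm = unicodedata.normalize("NFKC", ch)
        if norm != ch:
            changes.append((ch, norm))
    return changes


if __name__ == "__main__":
    # Constructed sample: fullwidth angle brackets around a bold tag.
    sample = "\uff1cb\uff1ehi\uff1c/b\uff1e"
    print(nfkc_changes(sample))
    print("naive :", store_naive(sample))   # forbidden characters appear only after validation
    print("fixed :", store_fixed(sample))   # rejected
```

The same ordering rule applies to any other canonicalisation step (case folding, percent-decoding, path normalisation): the check must run on the representation the rest of the system will see, never on the one the client sent.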
"But why did it work?" This technique for making blind SSRF visible from @shubs is beautiful, simple and powerful. The detailed writeup of the discovery story provides a rare glimpse into the messy truth behind great research findings. There are some powerful takeaways here but I don't want to spoil them - read it closely, and contemplate. In the words of panelist Soroush, "that's magic".
Like XS-leaks? ORM leaks are their chunky server-side cousin. ORM Leaking More Than You Joined For evolves ORM leaks from a niche, framework-specific vulnerability into a generic methodology for exploiting search and filtering capabilities. As SQL injection fades into the background, creative ways to dump the database are always welcome. A well-earned #2 for this research from Alex Brown.
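The pattern that makes ORM leaks generic is a search endpoint that hands client-supplied keys straight to the ORM's filter builder, so the client chooses both the column and the comparison operator. The snippet below is an added, framework-free sketch of that pattern beside its hardened form; it is not code from the research, and the in-memory `User` table, the `OPERATORS` map and the `SEARCHABLE` allowlist are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class User:
    username: str
    email: str
    password_hash: str  # sensitive: never a legitimate search field
    is_admin: bool


# Constructed sample rows standing in for the database.
USERS = [
    User("alice", "alice@example.com", "$2b$12$constructedhashA", True),
    User("bob", "bob@example.com", "$2b$12$constructedhashB", False),
]

# Lookup operators in the "field__op" style many ORMs use.
OPERATORS = {
    "exact": lambda value, wanted: value == wanted,
    "startswith": lambda value, wanted: str(value).startswith(wanted),
    "contains": lambda value, wanted: wanted in str(value),
}


def apply_filters(rows: List[User], filters: Dict[str, Any]) -> List[str]:
    """Apply every filter conjunctively and return matching usernames."""
    matched = []
    for row in rows:
        keep = True
        for key, wanted in filters.items():
            field, _, op = key.partition("__")
            op = op or "exact"
            if not OPERATORS[op](getattr(row, field), wanted):
                keep = False
                break
        if keep:
            matched.append(row.username)
    return matched


def search_naive(filters: Dict[str, Any]) -> List[str]:
    """Vulnerable pattern (think Model.objects.filter(**request_params)).

    Whatever key the client sends becomes the lookup, so a filter on a column the
    UI never exposes, with an operator of the client's choosing, is accepted.
    """
    return apply_filters(USERS, filters)


# Hardened form: an explicit allowlist of searchable fields and the operators each permits.
SEARCHABLE = {
    "username": {"exact", "startswith"},
    "email": {"exact"},
}


def search_hardened(filters: Dict[str, Any]) -> List[str]:
    """Reject any field or operator that is not on the allowlist before touching the data."""
    for key in filters:
        field, _, op = key.partition("__")
        op = op or "exact"
        if field not in SEARCHABLE or op not in SEARCHABLE[field]:
            raise ValueError(f"filter not permitted: {key}")
    return apply_filters(USERS, filters)


if __name__ == "__main__":
    print(search_naive({"username__startswith": "al"}))
    print(search_naive({"password_hash__startswith": "$2b$12$c"}))  # accepted: leaks via a sensitive column
    try:
        search_hardened({"password_hash__startswith": "$2b$12$c"})
    except ValueError as exc:
        print("hardened:", exc)
```

Note that the allowlist is keyed on field *and* operator: permitting `startswith` or `contains` on a column is what turns a boolean match into a character-by-character oracle, so only grant those operators where the product genuinely needs prefix or substring search, and never on columns that join through to other tables' sensitive data.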
Successful Errors: New Code Injection and SSTI Techniques introduces new error-based techniques for exploiting blind server-side template injection. This superb analysis also includes novel polyglot-based detection techniques to comprehensively expose this attack class. By adapting old-school techniques associated with SQL injection, and integrating these into a powerful open-source toolkit, Vladislav Korchagin might just have ushered in a new era of server-side template injection. Congrats on a hard-earned win!
2025 saw the rise of side-channels as a core exploitation primitive. It'll be interesting to see if this trend continues for 2026 - or vibe-coding going mainstream takes us back to the bad old days.
As always, with 63 nominations many great writeups didn't make the final fifteen, let alone the top ten! Here's a tiny sample of some of the delights awaiting you in the full nomination list.
Also, if you spotted some exceptional research from 2025 that never got nominated, chuck me an email and I'll add it to the list.
Part of what lands an entry in the top 10 is its expected longevity, so it's well worth getting caught up with the top ten archive too. If you're interested in getting a preview of what might win from 2026, you can subscribe to our RSS, join r/websecurityresearch, hop on our Discord, or follow us on social. If you're interested in doing this kind of research yourself, I've shared a few lessons I've learned over the years in Hunting Evasive Vulnerabilities, How to choose a security research topic, and So you want to be a web security researcher?
Massive thanks to the panel for contributing their time and expertise to curating the final result, and thanks also to everyone who took part! Without your nominations, votes, and most importantly research, this wouldn't be possible.
Till next time!