Top 10 Web Hacking Techniques of 2021 – Nominations Open

Update: nominations are now closed, but the vote is live! Vote here.

Nominations are now open for the 10 Best New Web Hacking Techniques of 2021!

Every year, security researchers share their findings through blog posts, presentations, and white papers. Each article is valuable, but some contain something special – innovative ideas and techniques that can be reapplied elsewhere. Since 2006, the security community has come together every year to sift through the year’s results and identify the ten best pieces of research, selected for their innovation and lasting impact. We at PortSwigger Research are proud to host this project once again.

If this is your first time encountering this project, you can find the full origin, history and purpose of this project on our dedicated top 10 page, along with an archive of past winners and an explanation of how it differs from related projects like the OWASP Top Ten.


Today: Start collecting community nominations for the best research from 2021.
January 17: Launch the community vote to establish a shortlist of the 15 best.
January 24: Launch the panel vote on the shortlist to select and order the 10 finalists.
February 08: Publish the top 10 of 2021!

What should I nominate?

The aim is to highlight research containing new practical techniques that can be reapplied to different systems. Individual vulnerabilities such as Log4Shell are valuable at the time, but generally age badly, while underlying techniques such as JNDI Injection can be reapplied to great effect. Nominations can also be enhancements to already known attack classes, such as exploiting XXE with local DTDs. For other examples, you might find it useful to look at the top 10 from the previous year.

Make a nomination

To submit, simply provide a URL to the research and an optional brief comment explaining what’s new in the work. Please feel free to make as many nominations as you like, and submit your own research if you think it’s worth it! I will filter out the weakest nominations and merge the overlapping ones to keep the total number manageable.

Click here to make a nomination

We do not collect email addresses – to be notified when the voting stage begins, follow @PortSwiggerRes on Twitter.