TTPwire Vol. 1 · MITRE ATT&CK·Tagged


PortSwigger Research

Top 10 web hacking techniques of 2024: nominations open

2025-01-08

ATT&CK techniques detected

18 predictions, listed by confidence. Where one text chunk received several labels it is shown once with all of its labels. Chunks are quoted as the classifier saw them (truncated with "…"); only tokenizer spacing and casing have been restored.

- T1190 Exploit Public-Facing Application, 97%: "…ing pre-auth arbitrary file deletion via gRPC to perform LPE on domain-joined Windows machines. Exploiting KrbJAASFile in Databricks JDBC for remote code execution via JNDI injection. Exploiting a deserialization primitive in Gem::SafeMarshal via Ruby's Date class to a…"

- T1190 Exploit Public-Facing Application, 94%: "architectural flaws in Apache HTTP Server's module interactions to achieve insecure path access, predictable handler manipulation, and authentication bypass. Exploiting China's DNS poisoning for subdomain takeover via Fastly or XSS via vulnerable cPanel installations. Bypass…"

- T1190 Exploit Public-Facing Application, 90%: "boundary recognition, and content validation, including duplicated parameters, omission of necessary delimiters, and alternate encoding sequences. Bypassing LavaMoat's policy file sandboxing through crafted multiline source map comments and evading SnowJS realm isolation via th…"

- T1190 Exploit Public-Facing Application, 89%: "…be, by manipulating session variables or leveraging deserialization vulnerabilities. Cookie tossing to escalate XSS vulnerabilities, OAuth dirty dancing for session takeover, and leveraging XSS for browser permission hijacking and DoS through WAF frame-up techniques. Exploiti…"

- T1190 Exploit Public-Facing Application, 83%: "standout web hacking techniques of 2024! This year, we'll target the following timeline: Jan 8-14: collect community nominations for the top research from 2024; Jan 15-21: community votes on nominations to build a shortlist of the top 15; Jan 22: launch panel vote o…"

- T1190 Exploit Public-Facing Application, 77%: "you like, and nominate your own work if you think it's worthy! Please note that I'll filter out nominations that are non-web focused, just tools, or not clearly innovative to keep the number of options in the community vote manageable. We don't collect email addresses - t…"

- T1190 Exploit Public-Facing Application, 71%; T1059.007 JavaScript, 37%: "RCE. The text does not contain a novel or innovative web hacking technique. Unauthorized access to ISP-managed TR-069 APIs via authorization bypass, leading to full device takeover. AI fail. AI fail. Bypassing .NET Remoting security by leveraging XAML parsing to perform deser…"

- T1068 Exploitation for Privilege Escalation, 68%: "feedback channels. Bypassing HTML sanitizers using parsing differentials to exploit mutation-based XSS vulnerabilities. Accessing other collections via NoSQL injection in MongoDB aggregation pipelines using $lookup or $unionWith operators. Exploiting sslauncher URL handler to…"

- T1190 Exploit Public-Facing Application, 57%: "platform for finding novel HTTP request smuggling vectors. Using time-based attacks on Prisma ORM to leak sensitive data by crafting queries that exploit relational filtering to cause significant execution delays. Automated high-speed exploitation with PHP filter chains the _…"

- T1059 Command and Scripting Interpreter, 56%; T1190 Exploit Public-Facing Application, 54%; T1059.001 PowerShell, 48%: "discrepancies in MSSQL to treat a goblin emoji as an empty string, enabling brute-force attacks. Developing a universal RCE deserialization gadget chain for Ruby 3.4 that leverages RubyGems autoloading, uses 'rake' and 'make' commands for execution, and suppresses exceptio…"

- T1190 Exploit Public-Facing Application, 53%: "fail. Multi-sandwich attack exploiting MongoDB ObjectId's predictable counter to monitor and intercept tokens in real time. The text does not contain a novel or innovative web hacking technique. The text does not contain a novel or innovative web hacking technique. Trickin…"

- T1588.006 Vulnerabilities, 50%: "Top 10 web hacking techniques of 2024: nominations open. Research, Academy, My account, Customers, About, Blog, Careers, Legal, Contact, Resellers. Attack surface visibility: improve security posture, prioritize manual testing, free up time. CI-driven scanning: more proactive security - fi…"

- T1588.006 Vulnerabilities, 48%: "Wednesday, 8 January 2025 at 14:07 UTC - updated: Wednesday, 22 January 2025 at 08:54 UTC. Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presenta…"

- T1190 Exploit Public-Facing Application, 46%: "escalate XSS. Path traversal through filename manipulation in file uploads. Exploiting discrepancies in JavaScript number parsers for DoS via parameter pollution. AI fail. DoubleClickjacking is a novel UI redressing technique exploiting timing and event-order quirks in double-…"

- T1190 Exploit Public-Facing Application, 34%: "headers across services for email spoofing and SMTP injection. Exploiting service worker registration in JIT-installed workers for XSS via manipulated payment manifests in Chrome. Wormable XSS on Bing using a KML file and mixed-case JavaScript to bypass a blacklist. Using SSRF to…"

Summary

Nominations are now open for the top 10 new web hacking techniques of 2024! Every year, security researchers from all over the world share their latest findings via blog posts, presentations, PoCs, an