Top 10 Web Hacking Techniques of 2024 – James Kettle – ASW #318
1. Top 10 Web Hacking Techniques of 2024 – James Kettle – ASW #318
We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after year and how clever research is still finding new attack surfaces in old technologies. But there's a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly.
Segment Resources:
- Top 10, 2024: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024
- Full nomination list: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open
- Project overview: https://portswigger.net/research/top-10-web-hacking-techniques
Announcements
Security Weekly listeners save $100 on their RSA Conference 2025 Full Conference Pass! RSA Conference will take place April 28 to May 1 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac25 and use the code 5U5SECWEEKLY! We hope to see you there!
Guest
James ‘albinowax’ Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He’s best known for pioneering novel web attack techniques, and publishing them at major conferences like Black Hat USA, at which he’s presented for eight consecutive years.
He also loves exploring and advising on innovative tool concepts for security professionals, many of which have since become industry standard. Examples include introducing OAST via Burp Collaborator, bulk parameter discovery via Param Miner, billion-request attacks with Turbo Intruder, and human-style scanning with Backslash Powered Scanner.
His best-known research is HTTP Desync Attacks, which popularised HTTP Request Smuggling. Other popular attack techniques that can be traced back to his research include web cache poisoning, the single-packet attack, server-side template injection, and password reset poisoning. He’s also the designer behind many of the topics and labs that make up the Web Security Academy, and serves on the Black Hat Europe review board.