Episode #271

Top 10 2024 Web Hacking Techniques, Research Techniques, AppSec Careers

This week on Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) return once again to talk through their plan to take over TikTok and the overall effectiveness and purpose of Portswigger’s Top 10 Web Hacking Techniques and how it benefits the community. To view this episode, go to https://www.youtube.com/watch?v=zxi5-ZXwGts, or find us wherever you get your podcasts.

“It’s … interesting reading, really useful to modify my own techniques on how I’m pen testing or looking in code for specific items. But it’s also not always applicable. I have to take it with a grain of salt of whether or not it’s going to be useful on a day to day basis and how much attention I should pay to some of this.”

Seth

PortSwigger’s annual Top 10 Web Hacking Techniques showcases the most innovative and impactful research of the past year and rewards the researchers who contribute novel techniques to the community. Its practical relevance for day-to-day AppSec work is a separate question. The lists tend to highlight cutting-edge vulnerabilities with narrow applicability: a vulnerability class in Django ORMs, say, or a specific way to exploit PostgreSQL through PGX. Fascinating as they are, such attacks affect only a small subset of applications, which limits their immediate utility for penetration testers or for developers maintaining legacy systems. Ken and Seth revisited some of the groundbreaking techniques from past lists, such as James Kettle’s research on HTTP request smuggling, which showed both the potential for real-world exploitation and the ingenuity behind its discovery. They acknowledged that work like this is invaluable for raising awareness of new attack vectors. Much of the list, though, as Seth put it, is a “back pocket resource”: something to file away for inspiration rather than a daily necessity. They also touched on PortSwigger’s contributions beyond the list, in particular their now-discontinued blog, which the hosts miss. The blog was a consistent, grounded source of practical insight, whereas the Top 10 often reads as a collection of fascinating but niche problems. The list is a fine way to celebrate the creativity of security researchers; its real-world impact depends on how well organizations and practitioners translate that research into actionable improvements.

“There’s ways to go about your research that don’t necessarily expose secrets, right? [Or] Expose targets to additional risk. Because, in this case, it worked out that there was no sensitive data that was disclosed. […] They could have put more thinking into what the payload actually looks like.”

Seth

The conversation then shifted to a contentious topic in the security community: the ethics of publishing potentially harmful code as part of research. Snyk, a prominent security company, recently came under fire for uploading malicious NPM packages designed to extract environment variables and transmit them to an external server. Snyk framed this as a research exercise to highlight supply chain risk, but the backlash was swift and polarizing. The issue went beyond the act of publishing the packages to the broader impact on the security community. By intentionally creating packages that could extract sensitive data, Snyk forced any organization that installed them to respond as though it were dealing with an active breach. That crosses the line from research into irresponsibility: Snyk neglected the obligation to minimize harm while demonstrating a vulnerability. The incident reflects a larger problem in the industry, the reliance on exploitation as proof of vulnerability. Seth points out that many organizations and researchers feel compelled to demonstrate an exploit’s full potential before it is taken seriously. That often creates unnecessary risk, as in Snyk’s case, where developers unknowingly installed malicious packages. Seth imagined the fallout: developers scrambling to revoke credentials, rotate secrets, and rebuild trust, all for an exercise that could have been conducted more responsibly. Both hosts agreed that while research like this is essential, it should never come at the expense of the very people the security community is meant to protect. Researchers must walk a fine line between innovation and ethical responsibility.
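A practical follow-up to an incident like this is to find out which of your dependencies can run code at install time at all, and to turn that ability off where you can. The script below is an added example for these show notes, not code from the episode, from Snyk, or from the packages discussed. It walks a node_modules tree, reports every package whose package.json declares a preinstall/install/postinstall/prepare hook, and shows the npm `ignore-scripts` setting that stops those hooks from running. The dependency tree and package.json contents are constructed for the example, and the assumption that an env-exfiltrating package would run from a lifecycle hook is a general one about npm, not a statement about the specific packages in the story.

```python
"""Added example: audit npm dependencies for install-time lifecycle scripts.

Packages that run code the moment `npm install` finishes usually do it from
a preinstall/install/postinstall hook, which is why env-stealing packages
are a supply-chain concern at all.  Two defences are shown: listing every
dependency that declares such a hook, and the npm setting that disables hooks.
The sample tree built here is constructed for the example, not real packages.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Project-level .npmrc line that stops npm running lifecycle hooks on install.
NPMRC_HARDENED = "ignore-scripts=true\n"


def find_install_hooks(node_modules: Path) -> list[dict]:
    """Return one record per package under node_modules that declares an
    install-time script.  Scoped packages (@org/name) sit one level deeper
    and nested node_modules exist, so search for every package.json rather
    than assuming a flat layout."""
    findings = []
    for pkg_json in node_modules.rglob("package.json"):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue  # fixture or broken file; not a package manifest
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": meta.get("name", str(pkg_json.parent)),
                "version": meta.get("version", "?"),
                "hooks": hooks,
            })
    return sorted(findings, key=lambda f: f["name"])


def suspicious_hooks(findings: list[dict]) -> list[dict]:
    """Narrow the list to hooks that launch an interpreter or reach for the
    network or the environment.  Native builds legitimately do some of this,
    so the result is a review queue, not a verdict."""
    markers = ("node ", "curl ", "wget ", "http", "process.env")
    return [f for f in findings
            if any(m in cmd for cmd in f["hooks"].values() for m in markers)]


def build_sample_tree(root: Path) -> Path:
    """Constructed sample dependency tree: one clean package, one native
    build, one package that runs a script before install."""
    node_modules = root / "node_modules"
    samples = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0",
                         "scripts": {"test": "mocha"}},
        "@acme/build-native": {"name": "@acme/build-native", "version": "2.1.0",
                               "scripts": {"install": "node-gyp rebuild"}},
        "totally-fine-utils": {"name": "totally-fine-utils", "version": "0.0.3",
                               "scripts": {"preinstall": "node setup.js"}},
    }
    for rel, meta in samples.items():
        pkg_dir = node_modules / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return node_modules


def run_demo() -> tuple[list[dict], list[dict]]:
    """Build the constructed tree in a temp dir; return (all hooks, suspicious)."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = build_sample_tree(Path(tmp))
        all_hooks = find_install_hooks(nm)
        return all_hooks, suspicious_hooks(all_hooks)


if __name__ == "__main__":
    all_hooks, sus = run_demo()
    for f in all_hooks:
        print(f"{f['name']}@{f['version']}: {f['hooks']}")
    print("review first:", [f["name"] for f in sus])
    print(".npmrc ->", NPMRC_HARDENED.strip())
```

Run it against a real checkout by pointing `find_install_hooks` at your project’s node_modules. With `ignore-scripts=true` in .npmrc, packages that genuinely need a build step (native addons) have to be rebuilt explicitly, which is the trade-off you are making for not executing arbitrary code on every install.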

At the end of the episode, Seth reflected on a recurring theme in his work: the need to shift focus from exploitability to root causes. The industry places too much emphasis on demonstrating full-fledged exploits to prove that vulnerabilities exist, which delays fixes for issues that are clearly problematic even without proof of exploitation. Take cross-site scripting: an attacker can exploit improperly encoded content to execute a script, but the real issue is the missing output encoding. Developers do not need a working XSS payload to know that an encoding gap should be fixed. Likewise, user input concatenated into a SQL query without parameterization or escaping is a clear indicator of SQL injection, even if no one has crafted an exploit yet. Teams should fix these root issues before they become exploitable rather than wait for a researcher or pen tester to prove they can be weaponized. Application security is not just about finding exploits; it is about building resilience.
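To make the point concrete, here is an added example (not code from the episode) showing the two root causes named above next to their fixes in Python: a query built by string concatenation beside the parameterized form, and an HTML fragment built by concatenation beside one that encodes the untrusted value. The user table, the inputs and the probe strings are constructed for the example. The defect is visible in the code (no parameter binding, no output encoding) before anyone writes a payload; the payloads only confirm what a code reviewer would already flag.

```python
"""Added example: root-cause fixes for SQL injection and XSS, beside the
defective code they replace.  All data here is constructed for the example."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


# --- SQL: the defect is that user input becomes part of the statement text ---

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Root cause: the value is spliced into the query string, so a quote in
    the input changes the structure of the statement."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Fix: the value travels as a bound parameter, never as SQL text.
    Quotes in the input are just characters to compare against."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# --- HTML: the defect is that untrusted text is emitted without encoding ---

def greeting_vulnerable(display_name: str) -> str:
    """Root cause: no output encoding, so '<' and '"' from the user become markup."""
    return "<p>Welcome, " + display_name + "</p>"


def greeting_fixed(display_name: str) -> str:
    """Fix: encode for the HTML text context.  html.escape(quote=True) turns
    & < > \" ' into entities, so the value cannot close the text node or an
    attribute it is later placed in."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo() -> dict:
    """Run both pairs against the same constructed inputs and return what happened."""
    conn = make_db()
    probe = "x' OR '1'='1"                  # classic tautology probe, constructed
    script = "<script>alert(1)</script>"    # classic XSS probe, constructed
    return {
        "vuln_rows": len(find_user_vulnerable(conn, probe)),  # every row comes back
        "fixed_rows": len(find_user_fixed(conn, probe)),      # nobody is literally named that
        "vuln_html": greeting_vulnerable(script),             # script tag survives intact
        "fixed_html": greeting_fixed(script),                 # script tag is inert text
        "fixed_alice": find_user_fixed(conn, "alice")[0][1],  # normal lookups still work
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The review signal is the shape of the code, not the probe: a query string assembled with `+` from request data, or a template that emits a value without an encoder, is the finding. Also note that `html.escape` is right for the HTML text and quoted-attribute contexts only; a value landing in a URL, a JavaScript string or a CSS property needs the encoder for that context.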

This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

Hey you! Yes, you! It’s time to support the podcast by repping a t-shirt or two. Visit the merch store to pick your desired color. Or just join Seth and Ken in Slack.

Stay Secure,

Seth & Ken

https://youtube.com/live/Ggig1p21XuM - Episode #235 - 2023 Top 10 Web Hacking Techniques, LLM Agent Hacking - Ken and Seth take some time to digest the 2023 list and recommend reviewing not only the top 10, but also the nominations. A discussion on the use of LLM Agents as a dynamic scanning engine for identifying vulnerabilities.

https://youtu.be/fnm3mz01kFQ - Episode #165 - Portswigger 2021 Top 10, Supply Chain Attacks, TLS Certs - In this episode, Seth and Ken review Portswigger's Top 10 list of the "most significant web security research released in the last year". Discussion of weak links in the NPM supply chain and what developers can look at to ascertain the security of packages they depend on.

https://youtu.be/khs2aRXeekU - Episode #124 - 2020 Top 10 Web Hacking Techniques, Development vs. Security - Seth and Ken discuss Portswigger's Top 10 Web Hacking Techniques of 2020, specifically injection attacks through images in PDFs and reverse proxies. Further discussion on creativity in development and how that affects and limits security.

Absolute AppSec Happenings

https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak - When you get popular quickly, misconfigured and insecure applications and services can bite you hard. Wiz Research found that the DeepSeek team had some open databases that included a ton of data used to train the model. Stay vigilant, friends. It could happen to any of us.

https://www.assetnote.io/resources/blog/searchlight-cyber-acquires-assetnote-to-enhance-continuous-threat-exposure-management - We keep hearing that 2025 will be the year of mergers and acquisitions. Keeping to this theme, AssetNote was acquired by Searchlight Cyber. Consolidation will continue to happen, let’s hope that innovation keeps pace and doesn’t stagnate.

https://github.com/opengrep/opengrep - Well then, with all the controversy and accusations flying around, may as well read up and see if Opengrep is here to stay. The open-source/community version of Semgrep was officially forked by a number of vendors after Semgrep changed licenses.

Upcoming Events

Where in the world are Seth and Ken?

February 14-15, 2025 - CactusCon, Mesa, AZ - Ken is speaking, Seth will make an appearance for drinks, discussions, and some Crocs & Socks.

February 20-21, 2025 - Harnessing LLMs for Application Security - Virtual Training - Next opportunity for the new course that focuses on strategies for using more than just the chat interface of an LLM to secure software.

March 6-7, 2025 - Apres-Cyber Slopes Summit - Seth will be presenting his Modern vs. 0ld 5k00l talk, where all the old vulnerabilities are new again.

March ??, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1, if you have specific dates you would like to see, please reach out (via email or Slack).

June 28-29, 2025 - DEF CON Trainings, Seattle, WA - Seth and Ken will present one of the courses. Watch this space for additional details once it is fully posted.