James Kettle
@jameskettle.com
Pinned
James Kettle
@jameskettle.com
· Jul 18
James Kettle research portfolio
jameskettle.com
Hi all! I'll be posting about web security research. You can find a curated list of my past research, tools & presentations at https://jameskettle.com/
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
HTTP Anomaly Rank - a new Turbo Intruder feature
YouTube video by PortSwigger
youtu.be
November 11, 2025 at 2:49 PM
I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y
Reposted by James Kettle
We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...
November 10, 2025 at 2:49 PM
We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...
Google Cloud Platform was vulnerable to a HTTP desync attack leading to "responses being misrouted between recipients for certain third-party models". Aka your LLM response goes to someone else. The Expect header strikes again!
Context: http1mustdie.com
cloud.google.com/support/bull...
Context: http1mustdie.com
cloud.google.com/support/bull...
Security Bulletins | Customer Care | Google Cloud
cloud.google.com
October 24, 2025 at 1:11 PM
Google Cloud Platform was vulnerable to a HTTP desync attack leading to "responses being misrouted between recipients for certain third-party models". Aka your LLM response goes to someone else. The Expect header strikes again!
Context: http1mustdie.com
cloud.google.com/support/bull...
Context: http1mustdie.com
cloud.google.com/support/bull...
HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo:
youtu.be/BAZ-z2fA8E4
youtu.be/BAZ-z2fA8E4
HTTP is supposed to be stateless...
YouTube video by PortSwigger
youtu.be
October 22, 2025 at 2:06 PM
HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo:
youtu.be/BAZ-z2fA8E4
youtu.be/BAZ-z2fA8E4
The official @defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! www.youtube.com/watch?v=PUCy...
DEF CON 33 - HTTP 1 1 Must Die! The Desync Endgame - James 'albinowax' Kettle
YouTube video by DEFCONConference
www.youtube.com
October 17, 2025 at 10:20 AM
The official @defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! www.youtube.com/watch?v=PUCy...
The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...
RomHack 2025 - James “albinowax” Kettle - HTTP/1.1 Must Die! The Desync Endgame
YouTube video by Cyber Saiyan
www.youtube.com
October 8, 2025 at 2:16 PM
The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...
Reposted by James Kettle
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
October 7, 2025 at 2:55 PM
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social
It was an absolute privilege to present at #RomHack2025 with such a vibrant and welcoming community! Thanks to everyone who said hi and shared your stories!
September 28, 2025 at 8:08 PM
It was an absolute privilege to present at #RomHack2025 with such a vibrant and welcoming community! Thanks to everyone who said hi and shared your stories!
One hour till HTTP/1.1 Must Die kicks off at #romhack2025!
Watch the livestream here: m.youtube.com/watch?v=T009...
Watch the livestream here: m.youtube.com/watch?v=T009...
RomHack Conference 2025 Live Stream
YouTube video by Cyber Saiyan
m.youtube.com
September 27, 2025 at 7:20 AM
One hour till HTTP/1.1 Must Die kicks off at #romhack2025!
Watch the livestream here: m.youtube.com/watch?v=T009...
Watch the livestream here: m.youtube.com/watch?v=T009...
I'm flying out to #romhack2025 tomorrow, for the final edition of HTTP/1.1 Must Die! Feel free to say hi if you'd like to chat.
September 25, 2025 at 1:36 PM
I'm flying out to #romhack2025 tomorrow, for the final edition of HTTP/1.1 Must Die! Feel free to say hi if you'd like to chat.
HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here:
www.youtube.com/watch?v=T009...
www.youtube.com/watch?v=T009...
RomHack Conference 2025 Live Stream
YouTube video by Cyber Saiyan
www.youtube.com
September 18, 2025 at 1:40 PM
HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here:
www.youtube.com/watch?v=T009...
www.youtube.com/watch?v=T009...
Reposted by James Kettle
Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster.
The blog post is live! Read it here:
portswigger.net/research/web...
The blog post is live! Read it here:
portswigger.net/research/web...
WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine
Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi
portswigger.net
September 17, 2025 at 12:44 PM
Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster.
The blog post is live! Read it here:
portswigger.net/research/web...
The blog post is live! Read it here:
portswigger.net/research/web...
Reposted by James Kettle
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.
Find out more here: blog.compass-security.com/2025/09/coll...
#AppSec #BurpSuite #Pentesting
Find out more here: blog.compass-security.com/2025/09/coll...
#AppSec #BurpSuite #Pentesting
September 9, 2025 at 11:54 AM
We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.
Find out more here: blog.compass-security.com/2025/09/coll...
#AppSec #BurpSuite #Pentesting
Find out more here: blog.compass-security.com/2025/09/coll...
#AppSec #BurpSuite #Pentesting
Reposted by James Kettle
We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...
Cookie Chaos: How to bypass __Host and __Secure cookie prefixes
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve
portswigger.net
September 3, 2025 at 2:54 PM
We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...
Reposted by James Kettle
Imagine you have a XSS vulnerability but you have a undefined variable before your injection. Is all hope lost? Not at all you can use a technique called XSS Hoisting to declare the variable and continue your exploit. Thanks to ycam_asafety for the submission.
portswigger.net/web-security...
portswigger.net/web-security...
August 28, 2025 at 1:18 PM
Imagine you have a XSS vulnerability but you have a undefined variable before your injection. Is all hope lost? Not at all you can use a technique called XSS Hoisting to declare the variable and continue your exploit. Thanks to ycam_asafety for the submission.
portswigger.net/web-security...
portswigger.net/web-security...
When I condense nine months of research discoveries into a 40-min talk, it can make it seem easy. For a taster of the true experience, watch my battle to solve the 0-CL @WebSecAcademy lab! Research is persistence.
www.youtube.com/live/B7p8dIB...
www.youtube.com/live/B7p8dIB...
Novel HTTP/1 Request Smuggling/Desync Attacks with James Kettle
YouTube video by Off By One Security
www.youtube.com
August 21, 2025 at 2:43 PM
When I condense nine months of research discoveries into a 40-min talk, it can make it seem easy. For a taster of the true experience, watch my battle to solve the 0-CL @WebSecAcademy lab! Research is persistence.
www.youtube.com/live/B7p8dIB...
www.youtube.com/live/B7p8dIB...
I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.
August 20, 2025 at 3:02 PM
I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.
Ever seen two responses to one request? That's just pipelining... or is it? I've just published "Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling" portswigger.net/research/how...
Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling
Sometimes people think they've found HTTP request smuggling, when they're actually just observing HTTP keep-alive or pipelining. This is usually a false positive, but sometimes there's actually a real
portswigger.net
August 19, 2025 at 2:35 PM
Ever seen two responses to one request? That's just pipelining... or is it? I've just published "Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling" portswigger.net/research/how...
Reposted by James Kettle
"This strategy creates an avalanche of desync research leads" is somehow an understatement. Take Smuggler for a spin on your largest burp file right now and just watch the issue counter 🔥.
If you want even more results, adding new headers / perms looks to be trivial (it's one line of code).
If you want even more results, adding new headers / perms looks to be trivial (it's one line of code).
August 13, 2025 at 7:25 AM
"This strategy creates an avalanche of desync research leads" is somehow an understatement. Take Smuggler for a spin on your largest burp file right now and just watch the issue counter 🔥.
If you want even more results, adding new headers / perms looks to be trivial (it's one line of code).
If you want even more results, adding new headers / perms looks to be trivial (it's one line of code).
Massive thanks to everyone who came to watch HTTP/1.1 Must Die at Black Hat USA & DEF CON! It was great to meet you all and hear your stories, had an absolute blast and I'm psyched to cook up some more madness for next year!
August 10, 2025 at 9:22 PM
Massive thanks to everyone who came to watch HTTP/1.1 Must Die at Black Hat USA & DEF CON! It was great to meet you all and hear your stories, had an absolute blast and I'm psyched to cook up some more madness for next year!
You can currently watch http/1.1 must die here! Note the link will expire at some point. m.youtube.com/watch?v=ssln...
DEFCON 33: Track 1 Talks
YouTube video by DEFCONConference
m.youtube.com
August 9, 2025 at 1:34 PM
You can currently watch http/1.1 must die here! Note the link will expire at some point. m.youtube.com/watch?v=ssln...
Watch HTTP/1.1 Must Die live today at 1630 PST!
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...
August 8, 2025 at 6:46 PM
Watch HTTP/1.1 Must Die live today at 1630 PST!
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com
HTTP/1.1 Must Die
Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now
http1mustdie.com
August 6, 2025 at 11:43 PM
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com
Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about, I've got a not-very-subtle laptop cover to aid recognition 😂
August 1, 2025 at 1:30 PM
Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about, I've got a not-very-subtle laptop cover to aid recognition 😂