Lightnews — Scholar-powered news

James Kettle

@jameskettle.com

4.3K followers 130 following 220 posts

Director of Research at @portswigger.net Also known as albinowax Portfolio: https://jameskettle.com/

jameskettle.com

Posts Media Videos Starter Packs

Pinned

James Kettle @jameskettle.com · Jul 18

Hi all! I'll be posting about web security research. You can find a curated list of my past research, tools & presentations at https://jameskettle.com/

James Kettle research portfolio

jameskettle.com

1 26

James Kettle @jameskettle.com · 5d

Have you done all the Web Security Academy labs? These are key.

James Kettle @jameskettle.com · 8d

The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...

RomHack 2025 - James “albinowax” Kettle - HTTP/1.1 Must Die! The Desync Endgame

YouTube video by Cyber Saiyan

www.youtube.com

1 3 15

Reposted by James Kettle

d4d @zakfedotkin.bsky.social · 9d

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

6 26

James Kettle @jameskettle.com · 14d

This might be because there are separate connection pools for with-cookies and without to prevent fingerprinting. It's detailed briefly here: portswigger.net/research/bro...

Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessib

portswigger.net

James Kettle @jameskettle.com · 18d

It was an absolute privilege to present at #RomHack2025 with such a vibrant and welcoming community! Thanks to everyone who said hi and shared your stories!

1 12

James Kettle @jameskettle.com · 19d

One hour till HTTP/1.1 Must Die kicks off at #romhack2025!

Watch the livestream here: m.youtube.com/watch?v=T009...

RomHack Conference 2025 Live Stream

YouTube video by Cyber Saiyan

m.youtube.com

2 13

James Kettle @jameskettle.com · 21d

I'm flying out to #romhack2025 tomorrow, for the final edition of HTTP/1.1 Must Die! Feel free to say hi if you'd like to chat.

James Kettle @jameskettle.com · 28d

HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here:
www.youtube.com/watch?v=T009...

RomHack Conference 2025 Live Stream

YouTube video by Cyber Saiyan

www.youtube.com

4 9

Reposted by James Kettle

d4d @zakfedotkin.bsky.social · 29d

Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster.
The blog post is live! Read it here:
portswigger.net/research/web...

WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine

Many testers and tools give up the moment a protocol upgrade to WebSocket occurs, or only perform shallow analysis. This is a huge blind spot, leaving many bugs like Broken Access Controls, Race condi

portswigger.net

6 13

Reposted by James Kettle

Compass Security @compass-security.com · Sep 9

We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.

Find out more here: blog.compass-security.com/2025/09/coll...

#AppSec #BurpSuite #Pentesting

6 8

Reposted by James Kettle

d4d @zakfedotkin.bsky.social · Sep 3

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

Cookie Chaos: How to bypass __Host and __Secure cookie prefixes

Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve

portswigger.net

1 14 13

Reposted by James Kettle

Gareth Heyes @garethheyes.co.uk · Aug 28

Imagine you have a XSS vulnerability but you have a undefined variable before your injection. Is all hope lost? Not at all you can use a technique called XSS Hoisting to declare the variable and continue your exploit. Thanks to ycam_asafety for the submission.

portswigger.net/web-security...

<script>eval(myUndefVar);var inject="INJECTION_STARTS_HERE";var myUndefVar;alert(1);//";</script>

2 6 15

James Kettle @jameskettle.com · Aug 21

When I condense nine months of research discoveries into a 40-min talk, it can make it seem easy. For a taster of the true experience, watch my battle to solve the 0-CL @WebSecAcademy lab! Research is persistence.
www.youtube.com/live/B7p8dIB...

Novel HTTP/1 Request Smuggling/Desync Attacks with James Kettle

YouTube video by Off By One Security

www.youtube.com

4 12

James Kettle @jameskettle.com · Aug 20

I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.

1 5 14

James Kettle @jameskettle.com · Aug 19

Ever seen two responses to one request? That's just pipelining... or is it? I've just published "Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling" portswigger.net/research/how...

Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling

Sometimes people think they've found HTTP request smuggling, when they're actually just observing HTTP keep-alive or pipelining. This is usually a false positive, but sometimes there's actually a real

portswigger.net

6 13

Reposted by James Kettle

Thomas Stacey @t0xodile.com · Aug 13

"This strategy creates an avalanche of desync research leads" is somehow an understatement. Take Smuggler for a spin on your largest burp file right now and just watch the issue counter 🔥.

If you want even more results, adding new headers / perms looks to be trivial (it's one line of code).

1 4

James Kettle @jameskettle.com · Aug 10

Massive thanks to everyone who came to watch HTTP/1.1 Must Die at Black Hat USA & DEF CON! It was great to meet you all and hear your stories, had an absolute blast and I'm psyched to cook up some more madness for next year!

James Kettle @jameskettle.com · Aug 9

You can currently watch http/1.1 must die here! Note the link will expire at some point. m.youtube.com/watch?v=ssln...

DEFCON 33: Track 1 Talks

YouTube video by DEFCONConference

m.youtube.com

4 11

James Kettle @jameskettle.com · Aug 8

*1630 PT

James Kettle @jameskettle.com · Aug 8

Watch HTTP/1.1 Must Die live today at 1630 PST!
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...

2 2 7

James Kettle @jameskettle.com · Aug 6

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

HTTP/1.1 Must Die

Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now

http1mustdie.com

22 40

James Kettle @jameskettle.com · Aug 6

At #BlackHat? Catch "HTTP/1.1 Must Die! The Desync Endgame" today at 3:20 in Oceanside A, Level 2. Hope to see you there!

1 8

James Kettle @jameskettle.com · Aug 1

Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about, I've got a not-very-subtle laptop cover to aid recognition 😂

1 11

James Kettle @jameskettle.com · Jul 30

Not at Black Hat / DEF CON? You can still join the mission to kill HTTP/1.1:
- Watch the livestream from #DEFCON at 16:30 PT on the 8th
- Read the whitepaper on our website
- Grab the HTTP Request Smuggler update & WebSecAcademy lab

Follow for updates & links. It's nearly time!

Upcoming Conference Talks - PortSwigger Research

Find details of upcoming talks from the PortSwigger Research team. We also have research papers and recordings available from previous conferences and events.

portswigger.net

2 12

James Kettle @jameskettle.com · Jul 30

Haha well race condition detections required laborious manual work too, so both aspects were brutal there!