James Kettle
@jameskettle.com
I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.
August 20, 2025 at 3:02 PM
I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.
Massive thanks to everyone who came to watch HTTP/1.1 Must Die at Black Hat USA & DEF CON! It was great to meet you all and hear your stories, had an absolute blast and I'm psyched to cook up some more madness for next year!
August 10, 2025 at 9:22 PM
Massive thanks to everyone who came to watch HTTP/1.1 Must Die at Black Hat USA & DEF CON! It was great to meet you all and hear your stories, had an absolute blast and I'm psyched to cook up some more madness for next year!
Watch HTTP/1.1 Must Die live today at 1630 PST!
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...
August 8, 2025 at 6:46 PM
Watch HTTP/1.1 Must Die live today at 1630 PST!
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: www.youtube.com/watch?v=ssln...
Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about, I've got a not-very-subtle laptop cover to aid recognition 😂
August 1, 2025 at 1:30 PM
Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about, I've got a not-very-subtle laptop cover to aid recognition 😂
Ever seen a header injection where achieving a desync seemed impossible? I think I've finally identified the cause - nginx doesn't reuse upstream connections by default, and often has header injection. This means you're left with a blind request tunneling vulnerability 👇
July 28, 2025 at 2:28 PM
Ever seen a header injection where achieving a desync seemed impossible? I think I've finally identified the cause - nginx doesn't reuse upstream connections by default, and often has header injection. This means you're left with a blind request tunneling vulnerability 👇
We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:
July 14, 2025 at 2:51 PM
We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:
How to make $$$ from request smuggling
Step 1) Pick the right target:
Step 1) Pick the right target:
July 11, 2025 at 12:15 PM
How to make $$$ from request smuggling
Step 1) Pick the right target:
Step 1) Pick the right target:
Concerned about LLM-powered pentesters stealing your job? We've made improving your workflow with AI easier than ever - you can now build your own AI features directly inside Repeater with Custom Actions. Here's one I built for myself:
June 26, 2025 at 1:21 PM
Concerned about LLM-powered pentesters stealing your job? We've made improving your workflow with AI easier than ever - you can now build your own AI features directly inside Repeater with Custom Actions. Here's one I built for myself:
The upcoming "HTTP/1 must die" WebSecAcademy lab is no longer impossible! This is good news because I'm planning to attempt to live-stream solving it...
June 20, 2025 at 12:52 PM
The upcoming "HTTP/1 must die" WebSecAcademy lab is no longer impossible! This is good news because I'm planning to attempt to live-stream solving it...
Now I just need to turn my 20gb Burp Suite project file with 73,000 Organizer entries into an enticing slide deck 😂
June 11, 2025 at 1:09 PM
Now I just need to turn my 20gb Burp Suite project file with 73,000 Organizer entries into an enticing slide deck 😂
I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!
June 10, 2025 at 2:21 PM
I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!
I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓
May 14, 2025 at 1:31 PM
I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame", at #BHUSA! This is going to be epic, check out the abstract for a teaser ↓
When selecting a research topic, it's crucial to consider where the profit potential comes from. Re-reading this old post, it almost feels like a guide to my latest unannounced research! portswigger.net/research/how...
May 9, 2025 at 1:14 PM
When selecting a research topic, it's crucial to consider where the profit potential comes from. Re-reading this old post, it almost feels like a guide to my latest unannounced research! portswigger.net/research/how...
Quarterly deadlift update time! Since setting the goal last June I’ve gone from 2.3x to 2.7x bodyweight, made harder as I gained 5kg 😂 Final 0.3x will probably be much tougher.
April 26, 2025 at 12:07 PM
Quarterly deadlift update time! Since setting the goal last June I’ve gone from 2.3x to 2.7x bodyweight, made harder as I gained 5kg 😂 Final 0.3x will probably be much tougher.
I just built a custom action to let you test for race conditions with a single click! No tab groups required, and it uses the cutting edge single-packet attack under the hood: gist.github.com/albinowax/10...
For more info check out portswigger.net/research/sma...
For more info check out portswigger.net/research/sma...
April 23, 2025 at 2:31 PM
I just built a custom action to let you test for race conditions with a single click! No tab groups required, and it uses the cutting edge single-packet attack under the hood: gist.github.com/albinowax/10...
For more info check out portswigger.net/research/sma...
For more info check out portswigger.net/research/sma...
Are you a Burp Repeater power user? The latest release introduces a new feature called 'Custom actions'. With these you can quickly build your own repeater features. Here's a few samples I made for you:
April 17, 2025 at 12:48 PM
Are you a Burp Repeater power user? The latest release introduces a new feature called 'Custom actions'. With these you can quickly build your own repeater features. Here's a few samples I made for you:
Are you cooking some quality technical research, and tempted by a trip to Rome in September? Submit it to the RomHack CFP! See you there :)
cfp.romhack.io/romhack-2025...
cfp.romhack.io/romhack-2025...
March 20, 2025 at 10:55 AM
Are you cooking some quality technical research, and tempted by a trip to Rome in September? Submit it to the RomHack CFP! See you there :)
cfp.romhack.io/romhack-2025...
cfp.romhack.io/romhack-2025...
Sadly, my attempt to perform WAF onboarding on the target website failed 😂
March 6, 2025 at 3:22 PM
Sadly, my attempt to perform WAF onboarding on the target website failed 😂
Per popular demand, Turbo Intruder 1.51 now inserts results at the top of the table so you can watch them arrive without scrolling! Let me know how you find it. If you prefer the old behaviour, you can change it back using: table.setSortOrder(0, False)
February 10, 2025 at 11:25 AM
Per popular demand, Turbo Intruder 1.51 now inserts results at the top of the table so you can watch them arrive without scrolling! Let me know how you find it. If you prefer the old behaviour, you can change it back using: table.setSortOrder(0, False)
ICYMI: Burp Intruder 2024.12 EA now has a capture filter! This enables extremely long-running attacks by stopping junk responses from consuming memory. You might recognise this feature from Turbo Intruder :)
January 9, 2025 at 1:48 PM
ICYMI: Burp Intruder 2024.12 EA now has a capture filter! This enables extremely long-running attacks by stopping junk responses from consuming memory. You might recognise this feature from Turbo Intruder :)
I'll be at Black Hat Europe next week - let me know if you'd like to meet up... or just collect one of these highly exclusive desync-themed tshirts #BHEU
December 6, 2024 at 11:18 AM
I'll be at Black Hat Europe next week - let me know if you'd like to meet up... or just collect one of these highly exclusive desync-themed tshirts #BHEU
How's your day going?
November 15, 2024 at 8:53 AM
How's your day going?
You can bypass path-based WAF restrictions by appending raw/unencoded non-printable and extended-ASCII characters like \x09 (Spring), \xA0 (Express), and \x1C-1F (Flask):
November 8, 2024 at 1:07 PM
You can bypass path-based WAF restrictions by appending raw/unencoded non-printable and extended-ASCII characters like \x09 (Spring), \xA0 (Express), and \x1C-1F (Flask):