
James Kettle

@jameskettle.com.bsky.social

Director of Research at @portswigger.net. Also known as albinowax. Portfolio: https://jameskettle.com/

4,250 Followers  |  133 Following  |  209 Posts  |  Joined: 18.07.2023  |  2.0162

Latest posts by jameskettle.com on Bluesky

HTTP/1.1 Must Die
Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

06.08.2025 23:43 - 👍 24    🔁 14    💬 0    📌 1

At #BlackHat? Catch "HTTP/1.1 Must Die! The Desync Endgame" today at 3:20 in Oceanside A, Level 2. Hope to see you there!

06.08.2025 17:48 - 👍 6    🔁 1    💬 0    📌 0

Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about, I've got a not-very-subtle laptop cover to aid recognition 😂

01.08.2025 13:30 - 👍 11    🔁 1    💬 0    📌 0

Upcoming Conference Talks - PortSwigger Research
Find details of upcoming talks from the PortSwigger Research team. We also have research papers and recordings available from previous conferences and events.

Not at Black Hat / DEF CON? You can still join the mission to kill HTTP/1.1:
- Watch the livestream from #DEFCON at 16:30 PT on the 8th
- Read the whitepaper on our website
- Grab the HTTP Request Smuggler update & WebSecAcademy lab

Follow for updates & links. It's nearly time!

30.07.2025 14:50 - 👍 12    🔁 2    💬 0    📌 0

Haha well race condition detections required laborious manual work too, so both aspects were brutal there!

30.07.2025 13:36 - 👍 1    🔁 0    💬 0    📌 0

Yeah detections can get quite addictive, whereas exploits are often hard work.

30.07.2025 08:04 - 👍 1    🔁 0    💬 1    📌 0

Our core website uses HTTP/2 end to end, but for maximum irony http1mustdie[.]com is stuck using HTTP/1.1 upstream due to AWS CloudFront limitations! However it's in scope for our bounty program... and if you manage to exploit it with HTTP request smuggling, we'll pay a bonus :)

29.07.2025 14:59 - 👍 10    🔁 4    💬 0    📌 0

To try and achieve a desync refer to: portswigger.net/research/mak...

If you're stuck with tunneling, use: portswigger.net/web-security...

28.07.2025 14:29 - 👍 3    🔁 0    💬 0    📌 0

Ever seen a header injection where achieving a desync seemed impossible? I think I've finally identified the cause - nginx doesn't reuse upstream connections by default, and often has header injection. This means you're left with a blind request tunneling vulnerability 👇

28.07.2025 14:28 - 👍 8    🔁 0    💬 1    📌 0

You know those non-vulnerabilities that companies get forced to fix for compliance reasons? I've found a full bypass for a common patch strategy. I'm half-tempted to keep it secret for the greater good 😂

25.07.2025 14:37 - 👍 11    🔁 0    💬 0    📌 0

With cleats?! Terrible.

25.07.2025 11:15 - 👍 0    🔁 0    💬 0    📌 0

<input style=x type="hidden" onsecuritypolicyviolation="alert(1)">

Is your target leaking CSP violations left and right? Mikhail Khramenkov reveals how to hijack the onsecuritypolicyviolation event to trigger JS in hidden inputs - when unsafe-inline is in play and styles are blocked. Now live on our XSS cheat sheet.

portswigger.net/web-security...

24.07.2025 14:25 - 👍 9    🔁 2    💬 1    📌 0

I can confirm there will be stickers!

23.07.2025 14:56 - 👍 1    🔁 0    💬 1    📌 0

Want to make the most of the upcoming research drop? We've just updated the page with links to essential pre-read/watch resources. Enjoy!

23.07.2025 14:54 - 👍 2    🔁 0    💬 0    📌 0

I need details.

22.07.2025 19:10 - 👍 0    🔁 0    💬 1    📌 0

Now live on tools.honoki.net/smuggler.html

Let me know what you think! ✨

22.07.2025 13:38 - 👍 26    🔁 10    💬 0    📌 2

Yeah it's hard to make a compelling argument in 300 words without disclosing any details! Happy for everyone to decide if they agree with my conclusion after reading the whitepaper!

22.07.2025 16:09 - 👍 3    🔁 0    💬 1    📌 0
daniel:// stenberg:// (@bagder@mastodon.social) @albinowax@infosec.exchange @fuomag9@kiwi.fuo.fi @dan@infosec.exchange the website, the naming, the scare, the secrecy

There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:

21.07.2025 12:28 - 👍 9    🔁 2    💬 2    📌 0

The phrase just pops into my head wherever someone mentions Roots Manuva

19.07.2025 14:29 - 👍 0    🔁 0    💬 1    📌 0

It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to http1mustdie.com :)

18.07.2025 12:56 - 👍 13    🔁 3    💬 2    📌 0

Well well well!

18.07.2025 11:48 - 👍 1    🔁 0    💬 1    📌 0

Leaking IPs in Brave Tor Window & Chrome VPNs + Popunders + CSP Bypass
This writeup details multiple IP leak vulnerabilities I discovered affecting Brave's Tor window and Chrome VPN extensions that allowed a malicious actor to leak the real IP address of any visitor to a...

New blog post is up: How I leaked the IP addresses of Brave's Tor window and Chrome VPN extension users--plus, a new Popunder technique and connect-src CSP directive bypass. Read more @ 0x999.net/blog/leaking...

16.07.2025 11:00 - 👍 5    🔁 5    💬 0    📌 0

Manual testing doesn't have to be repetitive.
Meet Repeater Strike - an AI-powered Burp Suite extension that turns your Repeater traffic into a scan check.

Source code:
github.com/hackvertor/r...

Blog post:
portswigger.net/research/rep...

15.07.2025 13:48 - 👍 8    🔁 2    💬 0    📌 0

We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:

14.07.2025 14:51 - 👍 19    🔁 7    💬 1    📌 1

How to make $$$ from request smuggling

Step 1) Pick the right target:

11.07.2025 12:15 - 👍 28    🔁 2    💬 2    📌 0

Finding Freedom, One Bug at a Time: My Journey from Pentester to Full-Time Hunter
After seven years in pentesting, I transitioned full-time into bug bounty hunting, leveraging deep experience and continuous learning. This article shares key moments and insights from that journey.

Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I'm ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...

04.07.2025 15:09 - 👍 23    🔁 7    💬 3    📌 0

We found a new vulnerability in TLS. It's a variant of the ALPACA attack that bypasses current countermeasures. Relatively low impact - but great insight! Check it out: opossum-attack.com

08.07.2025 12:26 - 👍 12    🔁 8    💬 1    📌 0

It's relevant to request smuggling, but not directly related to my talk.

07.07.2025 11:59 - 👍 0    🔁 0    💬 1    📌 0

Nonce CSP bypass using Disk Cache | Jorian Woltjer
The solution to my small XSS challenge, explaining a new kind of CSP bypass with browser-cached nonces. Leak it with CSS and learn about Disk Cache to safely update your payload

Here's my writeup of the technique allowing some nonce-based CSPs to be bypassed. I think it definitely has some practical use, so included some details about different scenarios.

Don't let that HTML-injection of yours wait!
jorianwoltjer.com/blog/p/resea...

02.07.2025 16:56 - 👍 15    🔁 5    💬 3    📌 1

Nice one! I've shared it to r/websecurityresearch

03.07.2025 14:43 - 👍 1    🔁 0    💬 0    📌 0

@jameskettle.com is following 20 prominent accounts