Presented at DEF CON 33 (2025), Aug. 8, 2025, 4:30 p.m. (45 minutes).
Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity.
In this session, I'll introduce multiple new classes of desync attack, enabling mass compromise of user credentials across hundreds of targets including tech giants, SaaS providers, and CDNs, with one unplanned collaboration yielding over $100,000 in bug bounties in two weeks.
I'll also share the research methodology and open-source toolkit that made this possible, replacing outdated probes with focused analysis that reveals each target's unique weak spots. This strategy creates an avalanche of desync research leads, yielding results ranging from entire new attack classes, down to exotic implementation flaws that dump server memory heartbleed-style. You'll witness attacks meticulously crafted from theoretical foundations alongside accidental exploits with a root cause so incomprehensible, the developers ended up even more confused than me.
You'll leave this talk equipped with everything you need to join me in the desync research endgame: the mission to kill HTTP/1.
References:
- [HTTP Desync Attacks: Request Smuggling Reborn](https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn)
- [HTTP/2 research](https://portswigger.net/research/http2)
- [Browser-Powered Desync Attacks](https://portswigger.net/research/browser-powered-desync-attacks)
- [HTTP Garden](https://github.com/narfindustries/http-garden)
Presenters:
- James Kettle (albinowax), presenting as James "albinowax" Kettle
James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best-known for pioneering novel web attack techniques, and publishing them at major conferences like DEF CON and Black Hat USA, at which he's presented for eight consecutive years. His most impactful research is HTTP Desync Attacks, which popularised HTTP Request Smuggling. Other popular attack techniques that can be traced back to his research include web cache poisoning, the single-packet attack, server-side template injection, and password reset poisoning.
He also loves exploring innovative tool concepts for security professionals, many of which have since become industry standard. Examples include introducing OAST via Burp Collaborator, bulk parameter discovery via Param Miner, billion-request attacks with Turbo Intruder, and human-style scanning with Backslash Powered Scanner. He's also the designer behind many of the topics and labs that make up the Web Security Academy.