James Kettle / albinowax

James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best-known for pioneering novel web attack techniques, and publishing them at major conferences like DEF CON and Black Hat USA, at which he's presented for eight consecutive years. His most impactful research is HTTP Desync Attacks, which popularised HTTP Request Smuggling. Other popular attack techniques that can be traced back to his research include web cache poisoning, the single-packet attack, server-side template injection, and password reset poisoning. He also loves exploring innovative tool concepts for security professionals, many of which have since become industry standard. Examples include introducing OAST via Burp Collaborator, bulk parameter discovery via Param Miner, billion-request attacks with Turbo Intruder, and human-style scanning with Backslash Powered Scanner. He's also the designer behind many of the topics and labs that make up the Web Security Academy.

• @albinowax
• Dynamic Presentation Playlist

Presentations:

• 2025-08-08 16:30 - DEF CON 33 (2025) - HTTP/1.1 Must Die! The Desync Endgame   as James "albinowax" Kettle
• 2024-08-09 11:30 - DEF CON 32 (2024) - Listen to the whispers: web timing attacks that actually work   as James "albinowax" Kettle
• 2023-08-12 09:00 - DEF CON 31 (2023) - Smashing the state machine: the true potential of web race conditions   as James "albinowax" Kettle
• 2022-08-12 15:30 - DEF CON 30 (2022) - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling   as James Kettle
• 2022-08-10 10:20 - Black Hat USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling   as James Kettle
• 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021   as James Kettle
• 2021-11-10 10:20 - Black Hat Europe 2021 - HTTP/2: The Sequel is Always Worse   as James Kettle
• 2021-08-06 10:00 - DEF CON 29 (2021) - HTTP/2: The Sequel is Always Worse   as James Kettle
• 2021-08-05 13:30 - Black Hat USA 2021 - HTTP/2: The Sequel is Always Worse   as James Kettle
• 2020-12-10 15:20 - Black Hat Europe 2020 Virtual - Locknote: Conclusions and Key Takeaways from Day 2   as James Kettle
• 2020-08-05 11:00 - Black Hat USA 2020 Virtual - Web Cache Entanglement: Novel Pathways to Poisoning   as James Kettle
• 2019-12-04 14:30 - Black Hat Europe 2019 - HTTP Desync Attacks: Request Smuggling Reborn   as James Kettle
• 2019-08-11 12:00 - DEF CON 27 (2019) - HTTP Desync Attacks: Smashing into the Cell Next Door   as albinowax
• 2019-08-07 13:30 - Black Hat USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door   as James Kettle
• 2018-09-27 17:40 - ekoparty 14 (2018) - Practical Web Cache Poisoning: Redefining "Unexploitable"   as James Kettle
• 2018-08-09 15:50 - Black Hat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'   as James Kettle
• 2017-07-26 16:00 - Black Hat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface   as James Kettle
• 2016-11-04 09:30 - Black Hat Europe 2016 - Backslash Powered Scanning: Hunting Unknown Vulnerability Classes   as James Kettle
• 2016-10-14 10:45 - AppSec USA 2016 - Exploiting CORS Misconfigurations for Bitcoins and Bounties   as James Kettle
• 2015-08-05 10:20 - Black Hat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App   as James Kettle
• ????-??-?? ??:?? - NorthSec 2017 - Backslash Powered Scanning: Implementing Human Intuition   as James Kettle

Copresenters:

• Marina Krotofil
  • 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021
  • 2020-12-10 15:20 - Black Hat Europe 2020 Virtual - Locknote: Conclusions and Key Takeaways from Day 2
• Daniel Cuthbert
  • 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021
  • 2020-12-10 15:20 - Black Hat Europe 2020 Virtual - Locknote: Conclusions and Key Takeaways from Day 2
• Meadow Ellis
  • 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021
• Thomas Brandstetter
  • 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021
• Leigh-Anne Galloway
  • 2020-12-10 15:20 - Black Hat Europe 2020 Virtual - Locknote: Conclusions and Key Takeaways from Day 2