James Kettle / albinowax

James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best known for his HTTP Desync Attacks research, which popularised HTTP Request Smuggling. James has extensive experience cultivating novel attack techniques, including web cache poisoning, browser-powered desync attacks, server-side template injection, and password reset poisoning. James is also the author of multiple popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEF CON.

• @albinowax
• Dynamic Presentation Playlist

Presentations:

• 2024-08-09 11:30 - DEF CON 32 (2024) - Listen to the whispers: web timing attacks that actually work   as James "albinowax" Kettle
• 2023-08-12 09:00 - DEF CON 31 (2023) - Smashing the state machine: the true potential of web race conditions   as James "albinowax" Kettle
• 2022-08-12 15:30 - DEF CON 30 (2022) - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling   as James Kettle
• 2022-08-10 10:20 - Black Hat USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling   as James Kettle
• 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021   as James Kettle
• 2021-11-10 10:20 - Black Hat Europe 2021 - HTTP/2: The Sequel is Always Worse   as James Kettle
• 2021-08-06 10:00 - DEF CON 29 (2021) - HTTP/2: The Sequel is Always Worse   as James Kettle
• 2021-08-05 13:30 - Black Hat USA 2021 - HTTP/2: The Sequel is Always Worse   as James Kettle
• 2020-12-10 15:20 - Black Hat Europe 2020 Virtual - Locknote: Conclusions and Key Takeaways from Day 2   as James Kettle
• 2020-08-05 11:00 - Black Hat USA 2020 Virtual - Web Cache Entanglement: Novel Pathways to Poisoning   as James Kettle
• 2019-12-04 14:30 - Black Hat Europe 2019 - HTTP Desync Attacks: Request Smuggling Reborn   as James Kettle
• 2019-08-11 12:00 - DEF CON 27 (2019) - HTTP Desync Attacks: Smashing into the Cell Next Door   as albinowax
• 2019-08-07 13:30 - Black Hat USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door   as James Kettle
• 2018-09-27 17:40 - ekoparty 14 (2018) - Practical Web Cache Poisoning: Redefining "Unexploitable"   as James Kettle
• 2018-08-09 15:50 - Black Hat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'   as James Kettle
• 2017-07-26 16:00 - Black Hat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface   as James Kettle
• 2016-11-04 09:30 - Black Hat Europe 2016 - Backslash Powered Scanning: Hunting Unknown Vulnerability Classes   as James Kettle
• 2016-10-14 10:45 - AppSec USA 2016 - Exploiting CORS Misconfigurations for Bitcoins and Bounties   as James Kettle
• 2015-08-05 10:20 - Black Hat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App   as James Kettle
• ????-??-?? ??:?? - NorthSec 2017 - Backslash Powered Scanning: Implementing Human Intuition   as James Kettle

Copresenters:

• Marina Krotofil
  • 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021
  • 2020-12-10 15:20 - Black Hat Europe 2020 Virtual - Locknote: Conclusions and Key Takeaways from Day 2
• Daniel Cuthbert
  • 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021
  • 2020-12-10 15:20 - Black Hat Europe 2020 Virtual - Locknote: Conclusions and Key Takeaways from Day 2
• Meadow Ellis
  • 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021
• Thomas Brandstetter
  • 2021-11-11 16:20 - Black Hat Europe 2021 - Locknote: Conclusions and Key Takeaways from Black Hat Europe 2021
• Leigh-Anne Galloway
  • 2020-12-10 15:20 - Black Hat Europe 2020 Virtual - Locknote: Conclusions and Key Takeaways from Day 2