James Kettle upcoming talks & research portfolio

Bio

James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best known for pioneering novel web attack techniques, and publishing them at major conferences like Black Hat USA, at which he's presented for eight consecutive years.

He also loves exploring and advising on innovative tool concepts for security professionals, many of which have since become industry standard. Examples include introducing OAST via Burp Collaborator, bulk parameter discovery via Param Miner, billion-request attacks with Turbo Intruder, and human-style scanning with Backslash Powered Scanner.

His best-known research is HTTP Desync Attacks, which popularised HTTP Request Smuggling. Other popular attack techniques that can be traced back to his research include web cache poisoning, the single-packet attack, server-side template injection, and password reset poisoning. He's also the designer behind many of the topics and labs that make up the Web Security Academy, and serves on the Black Hat Europe review board.

Show/Hide past presentations Show/Hide past presentations

Past presentations

Nullcon Goa - Smashing the state machine: the true potential of web race conditions (updated)
DEF CON 31 - Smashing the state machine: the true potential of web race conditions
Black Hat USA 2023 - Smashing the state machine: the true potential of web race conditions
DEF CON 30 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smugling
Black hat USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smugling
NULLCON Berlin 2022 KEYNOTE - Hunting evasive vulnerabilities: finding flaws that others miss
BlackHat EU 2021 - HTTP/2: The Sequel is Always Worse (in-person)
DEF CON 29 - HTTP/2: The Sequel is Always Worse
BlackHat USA 2021 - HTTP/2: The Sequel is Always Worse
BlackHat USA 2020 - Web Cache Entanglement: Novel Pathways to Poisoning
BlackHat EU 2019 - HTTP Desync Attacks: Request Smuggling Reborn
OWASP Global AppSec - HTTP Desync Attacks: Request Smuggling Reborn
DEF CON 27 - HTTP Desync Attacks: Smashing into the Cell Next Door
BlackHat USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door
ekoparty 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable' (updated)
BlackHat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'
BlackHat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
PHDays 7 - Backslash Powered Scanner: Automating Human Intuition
NorthSec 2017 - Backslash Powered Scanner: Automating Human Intuition
AppSec EU 2017 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
AppSec USA 2016 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
BlackHat EU 2016 - Backslash Powered Scanner: Hunting Unknown Vulnerabilities
44Con 2015 - Hunting Asynchronous Vulnerabilities
BlackHat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App
OWASP AppSec EU 2014 - ActiveScan++: Augmenting manual testing with attack proxy plugins
...and every BSides Manchester 2014-2019

James Kettle

Bio

Recent presentations

Past presentations

Research Portfolio

HTTP Request Smuggling

Web Cache Poisoning

Tools & automation

Other highlights

How I approach research

Misc