James Kettle


Bio

James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best known for pioneering novel web attack techniques, and publishing them at major conferences like Black Hat USA, at which he's presented for eight consecutive years.

He also loves exploring and advising on innovative tool concepts for security professionals, many of which have since become industry standard. Examples include introducing OAST via Burp Collaborator, bulk parameter discovery via Param Miner, billion-request attacks with Turbo Intruder, and human-style scanning with Backslash Powered Scanner.

His best-known research is HTTP Desync Attacks, which popularised HTTP Request Smuggling. Other popular attack techniques that can be traced back to his research include web cache poisoning, the single-packet attack, server-side template injection, and password reset poisoning. He's also the designer behind many of the topics and labs that make up the Web Security Academy, and serves on the Black Hat Europe review board.

 

Contact

James Kettle Consulting:

PortSwigger:

X, Bluesky, LinkedIn

Mastodon

Upcoming presentations


Latest published talk: Listen to the whispers: web timing attacks that actually work



Past presentations

  • Black Hat USA 2024 - Listen to the whispers: web timing attacks that actually work
  • DEF CON 32 - Listen to the whispers: web timing attacks that actually work
  • Nullcon Goa - Smashing the state machine: the true potential of web race conditions (updated)
  • DEF CON 31 - Smashing the state machine: the true potential of web race conditions
  • Black Hat USA 2023 - Smashing the state machine: the true potential of web race conditions
  • DEF CON 30 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
  • Black Hat USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
  • NULLCON Berlin 2022 KEYNOTE - Hunting evasive vulnerabilities: finding flaws that others miss
  • BlackHat EU 2021 - HTTP/2: The Sequel is Always Worse (in-person)
  • DEF CON 29 - HTTP/2: The Sequel is Always Worse
  • BlackHat USA 2021 - HTTP/2: The Sequel is Always Worse
  • BlackHat USA 2020 - Web Cache Entanglement: Novel Pathways to Poisoning
  • BlackHat EU 2019 - HTTP Desync Attacks: Request Smuggling Reborn
  • OWASP Global AppSec - HTTP Desync Attacks: Request Smuggling Reborn
  • DEF CON 27 - HTTP Desync Attacks: Smashing into the Cell Next Door
  • BlackHat USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door
  • ekoparty 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable' (updated)
  • BlackHat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'
  • BlackHat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
  • PHDays 7 - Backslash Powered Scanner: Automating Human Intuition
  • NorthSec 2017 - Backslash Powered Scanner: Automating Human Intuition
  • AppSec EU 2017 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
  • AppSec USA 2016 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
  • BlackHat EU 2016 - Backslash Powered Scanner: Hunting Unknown Vulnerabilities
  • 44Con 2015 - Hunting Asynchronous Vulnerabilities
  • BlackHat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App
  • OWASP AppSec EU 2014 - ActiveScan++: Augmenting manual testing with attack proxy plugins
  • ...and every BSides Manchester 2014-2019

Research Portfolio

How I approach research

Inspiration: gareth, magic mac, lcamtuf, filedescriptor, agarri, fin1te, ezequiel pereira, homakov, irsdl, .mario, insertScript, sirdarckcat, kkotowicz, ush.it, webstersprodigy, kuza55, neal poole and many others.

Misc