James Kettle upcoming talks & research portfolio

I'm the Director of Research at PortSwigger, where I research and publish novel web attack techniques. I also design and refine vulnerability detection techniques for Burp Suite's scanner, and share knowledge via the Web Security Academy. (full bio)

Social: Twitter, Bluesky, Mastodon, LinkedIn, PortSwigger
Contact: xawonibla@gmail.com or elttek.semaj@portswigger.net

Show/Hide past presentations Show/Hide past presentations

Past presentations

Nullcon Goa - Smashing the state machine: the true potential of web race conditions (updated)
DEF CON 31 - Smashing the state machine: the true potential of web race conditions
Black Hat USA 2023 - Smashing the state machine: the true potential of web race conditions
DEF CON 30 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smugling
Black hat USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smugling
NULLCON Berlin 2022 KEYNOTE - Hunting evasive vulnerabilities: finding flaws that others miss
BlackHat EU 2021 - HTTP/2: The Sequel is Always Worse (in-person)
DEF CON 29 - HTTP/2: The Sequel is Always Worse
BlackHat USA 2021 - HTTP/2: The Sequel is Always Worse
BlackHat USA 2020 - Web Cache Entanglement: Novel Pathways to Poisoning
BlackHat EU 2019 - HTTP Desync Attacks: Request Smuggling Reborn
OWASP Global AppSec - HTTP Desync Attacks: Request Smuggling Reborn
DEF CON 27 - HTTP Desync Attacks: Smashing into the Cell Next Door
BlackHat USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door
ekoparty 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable' (updated)
BlackHat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'
BlackHat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
PHDays 7 - Backslash Powered Scanner: Automating Human Intuition
NorthSec 2017 - Backslash Powered Scanner: Automating Human Intuition
AppSec EU 2017 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
AppSec USA 2016 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
BlackHat EU 2016 - Backslash Powered Scanner: Hunting Unknown Vulnerabilities
44Con 2015 - Hunting Asynchronous Vulnerabilities
BlackHat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App
OWASP AppSec EU 2014 - ActiveScan++: Augmenting manual testing with attack proxy plugins
...and every BSides Manchester 2014-2019

James 'albinowax' Kettle

Upcoming presentations

Past presentations

Research Portfolio

HTTP Request Smuggling

Web Cache Poisoning

Tools & automation

Other highlights

How I approach research

Misc