James Kettle Research Overview

Upcoming Presentations

None right now, working on something for 2023 :)

Show/Hide past presentations Show/Hide past presentations

Past presentations

DEF CON 30 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smugling
Black hat USA 2022 - Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smugling
NULLCON Berlin 2022 KEYNOTE - Hunting evasive vulnerabilities: finding flaws that others miss
BlackHat EU 2021 - HTTP/2: The Sequel is Always Worse (in-person)
DEF CON 29 - HTTP/2: The Sequel is Always Worse
BlackHat USA 2021 - HTTP/2: The Sequel is Always Worse
BlackHat USA 2020 - Web Cache Entanglement: Novel Pathways to Poisoning
BlackHat EU 2019 - HTTP Desync Attacks: Request Smuggling Reborn
OWASP Global AppSec - HTTP Desync Attacks: Request Smuggling Reborn
DEF CON 27 - HTTP Desync Attacks: Smashing into the Cell Next Door
BlackHat USA 2019 - HTTP Desync Attacks: Smashing into the Cell Next Door
ekoparty 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable' (updated)
BlackHat USA 2018 - Practical Web Cache Poisoning: Redefining 'Unexploitable'
BlackHat USA 2017 - Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
PHDays 7 - Backslash Powered Scanner: Automating Human Intuition
NorthSec 2017 - Backslash Powered Scanner: Automating Human Intuition
AppSec EU 2017 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
AppSec USA 2016 - Exploiting CORS Misconfigurations for Bitcoins and Bounties
BlackHat EU 2016 - Backslash Powered Scanner: Hunting Unknown Vulnerabilities
44Con 2015 - Hunting Asynchronous Vulnerabilities
BlackHat USA 2015 - Server-Side Template Injection: RCE for the Modern Web App
OWASP AppSec EU 2014 - ActiveScan++: Augmenting manual testing with attack proxy plugins
...and BSides Manchester every year since it started in 2014

Attack technique research

Automation research

Thoughts on research

Keynote: Hunting Evasive Vulnerabilities - Finding Flaws that Others Miss
Article: So you want to become a web security researcher?
Interview: Absolute AppSec

Inspiration: gareth, magic mac, lcamtuf, filedescriptor, agarri, fin1te, ezequiel pereira, homakov, irsdl, .mario, insertScript, sirdarckcat, kkotowicz, ush.it, webstersprodigy, kuza55, neal poole and many others.

Misc

2023-02-08 - Top 10 web hacking techniques of 2022
2022-10-19 - HTTP/3 Connection Contamination
2022-09-22 - Making HTTP header injection critical with response queue poisoning
2022-09-06 - How to turn security research into profit
2022-05-15 - Keynote: Hunting Evasive Vulnerabilities - Finding Flaws that Others Miss
2022-02-09 - Top 10 web hacking techniques of 2021
2021-09-21 - Interview on security research with Absolute AppSec
2020-02-17 - Top 10 web hacking techniques of 2020
2020-09-24 - Interview on security research with The InfoSec&OSINT show
2020-06-05 - Non-technical interview on hacking with Easy Prey
2020-05-06 - Interview on security research with NahamSec
2020-02-17 - Top 10 web hacking techniques of 2019
2019-12-09 - Breaking the chains on HTTP Request Smuggler
2019-11-20 - Cracking reCAPTCHA, Turbo Intruder style
2019-10-24 - Responsible denial of service with web cache poisoning
2019-10-03 - HTTP Desync Attacks: what happened next
2019-02-27 - Top 10 Web Hacking Techniques of 2018
2018-10-11 - Top 10 Web Hacking Techniques of 2017
2018-10-05 - Bypassing Web Cache Poisoning Countermeasures
2018-08-13 - Burp Hacks for Bounty Hunters (video)
2018-05-23 - So you want to become a web security researcher?
2018-04-13 - BBC Interview
2018-01-26 - h1-212 Video Interview
2017-11-23 - h1-212 CTF Writeup
2017-11-08 - hackxor2 (web application hacking game)
2017-10-06 - When Security Features Collide
2017-09-05 - Interview with Bug Bounty Forum
2017-08-23 - Adapting Burp Extensions for Bespoke Pentesting
2017-08-21 - How I Accidentally Framed Myself
2017-04-24 - Abusing OWASP with 'Insufficient Attack Protection'
2017-01-18 - Interview with HackerOne about PortSwigger's bug bounty
2016-08-11 - Reviewing bug bounties - a hacker's perspective
2016-05-31 - Web Storage: the lesser evil for session tokens
2016-04-25 - Adapting AngularJS Payloads to Exploit Real World Applications (With Gareth Heyes)
2015-02-17 - Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities (aka RPO)
2012-06-02 - X-Frame-Options Gotcha
2011-12-20 - Phrack ebook
2011-03-25 - hackxor web application hacking game

whoami

I'm the Director of Research at PortSwigger, where I research novel attack techniques, design and refine vulnerability detection techniques for Burp Suite's scanner, and share knowledge via the Web Security Academy.

Show/Hide full bio Show/Hide full bio

James 'albinowax' Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He's best known for his HTTP Desync Attacks research, which popularised HTTP Request Smuggling. James has extensive experience cultivating novel attack techniques, including web cache poisoning, HTTP/2 desync attacks, Server-Side Template Injection, and password reset poisoning.

James is also the author of multiple popular open-source tools including Param Miner, Turbo Intruder, and HTTP Request Smuggler. He is a frequent speaker at numerous prestigious venues including both Black Hat USA and EU, OWASP AppSec USA and EU, and DEFCON.

You can contact me via @albinowax on Twitter, xawonibla@gmail.com or elttek.semaj@portswigger.net