James 'albinowax' Kettle

I'm the Director of Research at PortSwigger, where I research and publish novel web attack techniques. I also design and refine vulnerability detection techniques for Burp Suite's scanner, and share knowledge via the Web Security Academy. (full bio)

Social: Twitter, Bluesky, Mastodon, LinkedIn, PortSwigger

Smashing the State Machine: The True Potential of Web Race Conditions

Nullcon Goa 2023: September 23-24

For too long, web race-condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this session, I'll introduce multiple new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with.

Inside every website lurks a state machine: a delicately balanced system of states and transitions that each user, session, and object can flow through. I'll show how to fire salvos of conflicting inputs to make state machines collapse, enabling you to forge trusted data, misroute tokens, and mask backdoors. These exploits will be demonstrated across multiple high-profile websites, and a certain popular authentication framework.

These techniques unveil so much fresh attack-surface, it can be hard to know where to focus your testing. To help, I'll share a polished methodology for efficiently pursuing leads, automating complex attacks, and quickly ruling out dead ends. You'll learn to recognize high-risk patterns and eke out subtle tell-tale clues to scent blood long before sacrificing anything to the RNG gods.

To defeat jitter and make these attacks reproducible, I've taken lore amassed over years of research into HTTP Desync Attacks and applied it to develop precision tooling. You'll learn how to adapt your attacks to different HTTP versions and target architectures, abusing protocol-level design decisions and obscure implementation quirks in popular servers. This includes a strategy that can squeeze 30 requests sent from Melbourne to Dublin into a sub-1ms execution window. Alongside the open source tool, we'll also release a full complement of free online labs to the Web Security Academy, so you can try out your new skillset immediately.
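The limit-overrun class the abstract mentions is a check-then-act flaw: a handler verifies a state (coupon still valid, balance sufficient) and later commits a transition, and a salvo of requests landing in the same window all pass the check before any of them commits. The following added example (not the talk's code or the released tool) simulates that with threads: a barrier stands in for the sub-1ms window so every request is checked before any commits, a racy handler beside one that makes the check and the transition a single atomic step. Coupon, redeem_racy, redeem_atomic and fire_salvo are all names invented here.

```python
import threading
from dataclasses import dataclass, field


@dataclass
class Coupon:
    """Constructed stand-in for a single-use discount code row."""
    code: str
    uses_left: int
    lock: threading.Lock = field(default_factory=threading.Lock)


def redeem_racy(coupon: Coupon, gate: threading.Barrier) -> bool:
    """Vulnerable pattern: check, then act, with nothing binding the two."""
    allowed = coupon.uses_left > 0          # 1. check the state
    gate.wait()                             # all requests land in one window
    if allowed:
        coupon.uses_left -= 1               # 2. transition, without re-checking
    return allowed


def redeem_atomic(coupon: Coupon, gate: threading.Barrier) -> bool:
    """Hardened pattern: check and transition under one lock.

    In a real service this is a row lock or a single conditional write,
    e.g. UPDATE coupons SET uses_left = uses_left - 1
         WHERE code = ? AND uses_left > 0   (success iff rowcount == 1)
    """
    gate.wait()
    with coupon.lock:
        if coupon.uses_left <= 0:
            return False
        coupon.uses_left -= 1
        return True


def fire_salvo(handler, coupon: Coupon, n: int) -> int:
    """Fire n concurrent redemptions through handler; return how many succeed."""
    gate = threading.Barrier(n)             # releases only once all n have checked
    results = [False] * n

    def worker(i: int) -> None:
        results[i] = handler(coupon, gate)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    for name, handler in (("racy", redeem_racy), ("atomic", redeem_atomic)):
        c = Coupon("SAVE10", uses_left=1)
        ok = fire_salvo(handler, c, 30)
        print(f"{name:6s}: {ok} of 30 redemptions accepted, uses_left={c.uses_left}")
```

The barrier is the only thing the simulation adds over a real deployment: in production the attacker has to manufacture that window, which is what the tooling in the talk is about, while the defender's job is the same either way: collapse the check and the transition into one atomic step so the window does not matter. When reviewing code, look for any read of state followed by a write that depends on it, and ask what happens if thirty copies of that request arrive at once.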

Latest published talk: Browser-Powered Desync Attacks: A New Frontier in Request Smuggling (recording)


Past presentations

Research Portfolio

HTTP Request Smuggling

Web Cache Poisoning

Tools & automation

Other highlights

Thoughts on research

Inspiration: gareth, magic mac, lcamtuf, filedescriptor, agarri, fin1te, ezequiel pereira, homakov, irsdl, .mario, insertScript, sirdarckcat, kkotowicz, ush.it, webstersprodigy, kuza55, neal poole and many others.