PortSwigger's Director of Research, James Kettle presents latest research at Black Hat USA DEF CON 2025
PortSwigger, a renowned application security software provider, is issuing a bold challenge to the web security community: it's time to retire HTTP/1.1 for good. At Black Hat USA and DEF CON, James Kettle, Director of Research at PortSwigger, unveils the fourth wave of his research that takes aim at "HTTP request smuggling," a critical and widespread vulnerability that affects even some of the most mature, security-conscious organizations.
PortSwigger first brought this class of vulnerabilities to prominence in 2019. Now, new research shows that over 22 million websites including major household names have remained susceptible to brand new variants of these attacks. Drawing on six years of research, Kettle is calling on the technology community to recognize that request smuggling is not simply an implementation flaw, but rather an inherent vulnerability in the HTTP/1.1 protocol.
"The time has come to acknowledge that this isn't an issue with individual websites, but a fundamental flaw that's baked into the protocol," said PortSwigger's Director of Research, James Kettle. "Over the last six years, the industry has not properly fixed request smuggling. It's time we recognize that we can't patch our way to a secure HTTP/1.1 the foundation is broken and only safe for the simplest of systems. The only real solution is to cut the problem out at the root by retiring the now decades-old technology that still underpins around 50% of communication between browsers and websites HTTP/1.1."
PortSwigger is supporting Kettle's research with a call to action:
- Groundbreaking new research - James Kettle's 2025 desync paper demonstrates novel vectors never before seen.
- New educational resources - A hands-on Web Security Academy lab teaches the latest request smuggling techniques in a safe environment.
- Enhanced Burp Suite tooling - New versions of HTTP Request Smuggler and the brand-new HTTP Stream Hacker allow researchers to test for these issues both manually and through scalable automation.
PortSwigger stands alone in the cybersecurity industry by offering an unparalleled combination of original research, comprehensive training resources, and deeply integrated testing tools. With Burp Suite Professional and Burp Suite DAST, security professionals are uniquely empowered to detect complex infrastructure-level vulnerabilities, including advanced request smuggling variants that often evade traditional scanning solutions.
Through these innovative offerings, PortSwigger is leading the way toward a safer, more secure web.
Read Kettle's research here: https://portswigger.net/research.
About PortSwigger
PortSwigger is a leading provider of web application security solutions, best known for its industry-leading Burp Suite software. The company is dedicated to equipping security professionals and organizations with the tools and knowledge to stay ahead of evolving cyber threats. Learn more at portswigger.net.
View source version on businesswire.com: https://www.businesswire.com/news/home/20250806802876/en/
Contacts:
andrzej.matykiewicz@portswigger.net
amelia.coen@portswigger.net
