If you would like to see a preview of @jameskettle.com's Blackhat talk "the HTTP terminator" then check out this interview my colleague @jameswilson.io recorded with him. Some pretty freaky stuff! VIDEO: www.youtube.com/watch?v=GdFG... AUDIO: risky.biz/RBNEWSSI126/

I just did an interview with @mutantzombie.bsky.social with teasers for my upcoming #BHUSA presentation "Can AI Do Novel Vulnerability Research: Meet the HTTP Terminator", plus reflections on the Top Ten Web Hacking Techniques of 2025 & 2026. Watch it here: www.youtube.com/watch?v=fOWh...

We've launched a new free Web Security Academy topic on exploiting AI-powered security scanners! Learn how to use indirect prompt injection to steal data, cause damage & trigger exploit chains! Dive in here: portswigger.net/web-security...

I'm thrilled to announce "Can AI Do Novel Security Research? Meet the HTTP Terminator" will premiere at Black Hat USA! Check out the abstract: blackhat.com/us-26/briefi...

Just discovered the "Find tag" functionnality of Hackvertor and I already find it very useful 🔥 It can be triggered from Burp's command palette or with the Ctrl-Alt-F keyboard shortcut 🐇

How is every doing? I wouldn't call it comfortable, but I'm starting to savor the experience of rediscovering where the new frontier is, every few weeks. It feels like replaying the early stages of my research career. Looking forward to making my own contribution at #BHUSA!🤞

I've just submitted my latest research to Black Hat USA! This one has been cooking since last June, can't wait to share it with the world... in fact I'm quite excited just to see the community reaction to the title reveal.

Access control bypass via header smuggling, with no desync required! Using header smuggling for more than HTTP desync like this is totally underrated - a lot of defences only filter the CL and TE headers. You can detect these with Parser Discrepancy Scan. www.linkedin.com/posts/jakedm...

New geolocation-based XSS vectors just landed in our XSS cheat sheet. Huge thanks to AmirMohammad Safari for the great submission. portswigger.net/web-security...

The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...

Thanks to everyone who nominated & voted in the top ten! The panel of @irsdl.bsky.social , @agarri.fr , @liveoverflow.bsky.social and myself are hard at work reviewing the 15 finalists... we're hoping to announce the winners next week!

We've just hit a very important milestone - our XSS Cheat Sheet now has 1337 vectors! Browse them here: portswigger.net/web-security...

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring! apply.workable.com/portswigger/...

🔥 CVE-2026-23993: HarbourJwt JWT auth bypass via unknown alg. Not just alg=none: unsupported alg => empty signature, so forged token header.payload. passes. Write-up + fix: pentesterlab.com/blog/cve-202...

Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques: portswigger.net/polls/top-10...

Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: portswigger.net/research/top...

Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.

Turbo Intruder now has API docs! You can easily discover its many advanced features including - pauseMarker for pause-basd desync.. or DoS - decorators for easy response filtering - 'randomPlz' - wordlists.clipboard for lazy attack setup ...and many more! github.com/PortSwigger/...

Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀 thespanner.co.uk/autovader

my new blogpost is out!! this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration and i've already used it to get a google docs bounty ^^ have fun <3 lyra.horse/blog/2025/12...

You can now scan for #react2shell in Burp Suite! To enable, install the Extensibility Helper bapp, go to the bambda tab and search for react2shell. Shout-out to Assetnote for sharing a quality detection technique!

🚀 Shadow Repeater just got a big upgrade! It now detects response timing differences. thespanner.co.uk/shadow-repea...

I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y

We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...

Google Cloud Platform was vulnerable to a HTTP desync attack leading to "responses being misrouted between recipients for certain third-party models". Aka your LLM response goes to someone else. The Expect header strikes again! Context: http1mustdie.com cloud.google.com/support/bull...

HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo: youtu.be/BAZ-z2fA8E4

The official @defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! www.youtube.com/watch?v=PUCy...

The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

It was an absolute privilege to present at #RomHack2025 with such a vibrant and welcoming community! Thanks to everyone who said hi and shared your stories!

One hour till HTTP/1.1 Must Die kicks off at #romhack2025! Watch the livestream here: m.youtube.com/watch?v=T009...

I'm flying out to #romhack2025 tomorrow, for the final edition of HTTP/1.1 Must Die! Feel free to say hi if you'd like to chat.

HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here: www.youtube.com/watch?v=T009...

Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster. The blog post is live! Read it here: portswigger.net/research/web...

We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF. Find out more here: blog.compass-security.com/2025/09/coll... #AppSec #BurpSuite #Pentesting

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

Imagine you have a XSS vulnerability but you have a undefined variable before your injection. Is all hope lost? Not at all you can use a technique called XSS Hoisting to declare the variable and continue your exploit. Thanks to ycam_asafety for the submission. portswigger.net/web-security...

When I condense nine months of research discoveries into a 40-min talk, it can make it seem easy. For a taster of the true experience, watch my battle to solve the 0-CL @WebSecAcademy lab! Research is persistence. www.youtube.com/live/B7p8dIB...

I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.

Ever seen two responses to one request? That's just pipelining... or is it? I've just published "Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling" portswigger.net/research/how...

"This strategy creates an avalanche of desync research leads" is somehow an understatement. Take Smuggler for a spin on your largest burp file right now and just watch the issue counter 🔥. If you want even more results, adding new headers / perms looks to be trivial (it's one line of code).

Massive thanks to everyone who came to watch HTTP/1.1 Must Die at Black Hat USA & DEF CON! It was great to meet you all and hear your stories, had an absolute blast and I'm psyched to cook up some more madness for next year!

You can currently watch http/1.1 must die here! Note the link will expire at some point. m.youtube.com/watch?v=ssln...

Watch HTTP/1.1 Must Die live today at 1630 PST! - In person at #defcon33 track 1, main stage - Livestream via YouTube: www.youtube.com/watch?v=ssln...

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

At #BlackHat? Catch "HTTP/1.1 Must Die! The Desync Endgame" today at 3:20 in Oceanside A, Level 2. Hope to see you there!

Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about, I've got a not-very-subtle laptop cover to aid recognition 😂

Not at Black Hat / DEF CON? You can still join the mission to kill HTTP/1.1: - Watch the livestream from #DEFCON at 16:30 PT on the 8th - Read the whitepaper on our website - Grab the HTTP Request Smuggler update & WebSecAcademy lab Follow for updates & links. It's nearly time!

Our core website uses HTTP/2 end to end, but for maximum irony http1mustdie[.]com is stuck using HTTP/1.1 upstream due to AWS CloudFront limitations! However it's in scope for our bounty program... and if you manage to exploit it with HTTP request smuggling, we'll pay a bonus :)