🚀 Shadow Repeater just got a big upgrade! It now detects response timing differences. thespanner.co.uk/shadow-repea...

I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y

We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...

Google Cloud Platform was vulnerable to a HTTP desync attack leading to "responses being misrouted between recipients for certain third-party models". Aka your LLM response goes to someone else. The Expect header strikes again! Context: http1mustdie.com cloud.google.com/support/bull...

HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo: youtu.be/BAZ-z2fA8E4

The official @defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! www.youtube.com/watch?v=PUCy...

The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

It was an absolute privilege to present at #RomHack2025 with such a vibrant and welcoming community! Thanks to everyone who said hi and shared your stories!

One hour till HTTP/1.1 Must Die kicks off at #romhack2025! Watch the livestream here: m.youtube.com/watch?v=T009...

I'm flying out to #romhack2025 tomorrow, for the final edition of HTTP/1.1 Must Die! Feel free to say hi if you'd like to chat.

HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here: www.youtube.com/watch?v=T009...

Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster. The blog post is live! Read it here: portswigger.net/research/web...

We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF. Find out more here: blog.compass-security.com/2025/09/coll... #AppSec #BurpSuite #Pentesting

We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings: portswigger.net/research/coo...

Imagine you have a XSS vulnerability but you have a undefined variable before your injection. Is all hope lost? Not at all you can use a technique called XSS Hoisting to declare the variable and continue your exploit. Thanks to ycam_asafety for the submission. portswigger.net/web-security...

When I condense nine months of research discoveries into a 40-min talk, it can make it seem easy. For a taster of the true experience, watch my battle to solve the 0-CL @WebSecAcademy lab! Research is persistence. www.youtube.com/live/B7p8dIB...

I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.

Ever seen two responses to one request? That's just pipelining... or is it? I've just published "Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling" portswigger.net/research/how...

"This strategy creates an avalanche of desync research leads" is somehow an understatement. Take Smuggler for a spin on your largest burp file right now and just watch the issue counter 🔥. If you want even more results, adding new headers / perms looks to be trivial (it's one line of code).

Massive thanks to everyone who came to watch HTTP/1.1 Must Die at Black Hat USA & DEF CON! It was great to meet you all and hear your stories, had an absolute blast and I'm psyched to cook up some more madness for next year!

You can currently watch http/1.1 must die here! Note the link will expire at some point. m.youtube.com/watch?v=ssln...

Watch HTTP/1.1 Must Die live today at 1630 PST! - In person at #defcon33 track 1, main stage - Livestream via YouTube: www.youtube.com/watch?v=ssln...

The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

At #BlackHat? Catch "HTTP/1.1 Must Die! The Desync Endgame" today at 3:20 in Oceanside A, Level 2. Hope to see you there!

Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about, I've got a not-very-subtle laptop cover to aid recognition 😂

Not at Black Hat / DEF CON? You can still join the mission to kill HTTP/1.1: - Watch the livestream from #DEFCON at 16:30 PT on the 8th - Read the whitepaper on our website - Grab the HTTP Request Smuggler update & WebSecAcademy lab Follow for updates & links. It's nearly time!

Our core website uses HTTP/2 end to end, but for maximum irony http1mustdie[.]com is stuck using HTTP/1.1 upstream due to AWS CloudFront limitations! However it's in scope for our bounty program... and if you manage to exploit it with HTTP request smuggling, we'll pay a bonus :)

Ever seen a header injection where achieving a desync seemed impossible? I think I've finally identified the cause - nginx doesn't reuse upstream connections by default, and often has header injection. This means you're left with a blind request tunneling vulnerability 👇

You know those non-vulnerabilities that companies get forced to fix for compliance reasons? I've found a full bypass for a common patch strategy. I'm half-tempted to keep it secret for the greater good 😂

Is your target leaking CSP violations left and right? Mikhail Khramenkov reveals how to hijack the onsecuritypolicyviolation event to trigger JS in hidden inputs - when unsafe-inline is in play and styles are blocked. Now live on our XSS cheat sheet. portswigger.net/web-security...

Now live on tools.honoki.net/smuggler.html Let me know what you think! ✨

There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:

It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to http1mustdie.com :)

New blog post is up: How I leaked the IP addresses of Brave's Tor window and Chrome VPN extension users--plus, a new Popunder technique and connect-src CSP directive bypass. Read more @ 0x999.net/blog/leaking...

Manual testing doesn't have to be repetitive. Meet Repeater Strike - an AI-powered Burp Suite extension that turns your Repeater traffic into a scan check. Source code: github.com/hackvertor/r... Blog post: portswigger.net/research/rep...

We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:

How to make $$$ from request smuggling Step 1) Pick the right target:

Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I’m ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here: gelu.chat/posts/from-p...

We found a new vulnerability in TLS. It's a variant of the ALPACA attack that bypasses current countermeasures. Relativly low impact - but great insight! Check it out: opossum-attack.com

Here's my writeup the technique allowing some nonce-based CSPs to be bypassed. I think it definitely has some practical use, so included some details about different scenario's. Don't let that HTML-injection of yours wait! jorianwoltjer.com/blog/p/resea...

Interested in pushing hacking techniques beyond the state of the art, or breaking into full-time security research? I recently had a great chat with Tib3rius on the topic! Watch it here: www.youtube.com/watch?v=S64E...

This talk will mark a personal milestone - my tenth presentation at Black Hat USA! Feels lke yesterday I stepped on stage to present Server-Side Template Injection and introduced the now-endemic {{7*7}}. Never thought I'd make it this far, let's see what the next ten years hold!

Thrilled to announce: I’ll be presenting a major new version of WebSocket Turbo Intruder at Black Hat Arsenal 2025! This open-source toolkit makes high-speed, advanced WebSocket attacks practical and painless.

Concerned about LLM-powered pentesters stealing your job? We've made improving your workflow with AI easier than ever - you can now build your own AI features directly inside Repeater with Custom Actions. Here's one I built for myself:

The upcoming "HTTP/1 must die" WebSecAcademy lab is no longer impossible! This is good news because I'm planning to attempt to live-stream solving it...

Now I just need to turn my 20gb Burp Suite project file with 73,000 Organizer entries into an enticing slide deck 😂

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!

The Scalpel extension is magic 🪄 Especially if you're a big fan of executing both python3 and vim within Burp Suite 🛠️ blog.lexfo.fr/scalpel.html

Epic Firefox XSS vectors by Masato Kinugawa. Now available on our XSS cheat sheet including variants found by me. Link to vectors👇 portswigger.net/web-security...