PortSwigger at Black Hat & DEF CON 33
This summer, PortSwigger returns to Black Hat USA and DEF CON 33 in Las Vegas, bringing a host of new talks, events, and ways to meet PortSwigger and the teams behind Burp Suite. As part of this year's event, PortSwigger has a bold message: despite attempts to mitigate request smuggling attacks, these vulnerabilities persist due to the inherent flaws in the HTTP/1.1 protocol. It's time to acknowledge that request smuggling is an inherent vulnerability in its own right.
At Black Hat and DEF CON 33, PortSwigger's Director of Research, James Kettle (@albinowax), will demonstrate how it was still possible to compromise every single customer of three major CDNs, leaving tens of millions of websites exposed to potentially critical attacks. He'll unveil new classes of desync attacks and a toolkit to help you identify request smuggling vulnerabilities more easily and reliably than ever before.
James has previously earned over $200k in bug bounties in just two weeks using the same techniques and tools he'll be demonstrating at Black Hat and DEF CON 33. Don't miss his talk: "Request Smuggling: The Inevitable Legacy of HTTP/1.1". Whether you still use HTTP/1.1 intentionally or are forced to due to the limitations of your CDN's infrastructure, we want to challenge the industry to sunset this vulnerable, legacy technology.
DEF CON Workshop: Advanced HTTP Smuggling Exploitation
In this session, Martin Doyhenard (@tincho_508) will show you how to dissect HTTP at the stream level, revealing hidden behaviors that traditional tools miss and turning them into powerful exploits. You'll learn how to spot hidden proxies, exploit subtle errors to desynchronize connections, hijack requests, and uncover vulnerabilities that evade traditional tools.
Through real-world case studies, Martin will reveal exactly how you can chain advanced HTTP Desync attacks to secure bounties that others have left behind, transforming complex network architectures into your playground. Don't miss this opportunity to elevate your skills in web security.
Arsenal Tools That Hit Beyond the Application Layer
We're not just bringing research; we're arming you with tools built for modern web security. Martin Doyhenard (@tincho_508) will introduce three new Arsenal tools that will take your web security to the next level:
- HTTP Raider: gives raw stream-level access to see what's really happening across persistent connections, pipelining, and edge infrastructure.
- WebSocket Turbo Intruder: allows you to test WebSockets like never before, revealing vulnerabilities that were previously unknown or inaccessible.
If you care about HTTP smuggling, caching bugs, or infrastructure-level attacks, these tools are a must-have for any web security enthusiast. Don't miss the opportunity to learn more about them at Black Hat and DEF CON 33.
Meet the Researchers. Join the Movement.
We're hosting an informal meetup in Las Vegas (details coming soon) where you can:
- Meet Martin Doyhenard (@tincho_508) and James Kettle (@albinowax)
- Learn about the latest research and tooling from PortSwigger
- Join a community of web security enthusiasts who share your passion for making the web a safer place
To keep up to date with all of our plans, let us know via this form. We'll be bringing everything to you via our social media channels, so if you're not attending, you'll still have access to the groundbreaking research and tooling from PortSwigger.
The Top 10 Web Hacking Techniques of 2024 Awards
We're thrilled to recognize the researchers behind the Top 10 Web Hacking Techniques of 2024 with individual awards for each of the top 10 entries. Every year, security researchers from all over the world share their findings. Their research is recognized not only for its individual innovation but for its potential to be re-applied or adapted in new ways, helping to push the boundaries of web security.
This year saw a staggering 121 nominations, with some incredible research and intense competition. We'll host an official awards ceremony, so stay tuned for more updates on this exciting event.