James Kettle

@jameskettle.com

Director of Research at @portswigger.net. Also known as albinowax. Portfolio: https://jameskettle.com/

4,453 Followers · 134 Following · 241 Posts · Joined 18.07.2023

Latest posts by James Kettle @jameskettle.com

One option is working for a security software vendor.

06.03.2026 08:31 👍 2 🔁 0 💬 0 📌 0

Yeah I constrain testing to domains with bug bounties & VDPs, anything beyond that risks legal hassle. bbscope is useful for this.

27.02.2026 16:01 👍 1 🔁 0 💬 1 📌 0

Nice! Embrace the chaos :)

25.02.2026 15:10 👍 2 🔁 0 💬 1 📌 0

Preview: Excited to share that I recently identified and responsibly disclosed a security vulnerability in Akamai's edge servers, which has now been fully remediated and assigned CVE-2026-26365! The issue inv...

Access control bypass via header smuggling, with no desync required! Using header smuggling for more than HTTP desync like this is totally underrated - a lot of defences only filter the CL and TE headers. You can detect these with Parser Discrepancy Scan.
www.linkedin.com/posts/jakedm...

25.02.2026 15:10 👍 5 🔁 2 💬 0 📌 0

New geolocation-based XSS vectors just landed in our XSS cheat sheet. Huge thanks to AmirMohammad Safari for the great submission.

portswigger.net/web-security...

10.02.2026 15:03 👍 5 🔁 1 💬 0 📌 1

Preview: Top 10 web hacking techniques of 2025 Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year

The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! portswigger.net/research/top...

05.02.2026 15:40 👍 10 🔁 7 💬 1 📌 0

Thanks to everyone who nominated & voted in the top ten! The panel of @irsdl.bsky.social, @agarri.fr, @liveoverflow.bsky.social and myself are hard at work reviewing the 15 finalists... we're hoping to announce the winners next week!

29.01.2026 16:04 👍 8 🔁 1 💬 0 📌 0

We've just hit a very important milestone - our XSS Cheat Sheet now has 1337 vectors!

Browse them here: portswigger.net/web-security...

28.01.2026 13:37 👍 14 🔁 3 💬 1 📌 0

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

apply.workable.com/portswigger/...

23.01.2026 10:36 👍 8 🔁 8 💬 0 📌 0

Preview: CVE-2026-23993: JWT authentication bypass in HarbourJwt via “unknown alg” I didn't know Harbour even existed as a language when I found this bug. The fun part is that I also ...

🔥 CVE-2026-23993: HarbourJwt JWT auth bypass via unknown alg.

Not just alg=none: unsupported alg => empty signature, so forged token header.payload. passes.

Write-up + fix: pentesterlab.com/blog/cve-202...

21.01.2026 22:12 👍 6 🔁 6 💬 0 📌 1

Preview: Top 10 web hacking techniques of 2025 Welcome to the community vote for the Top 10 Web Hacking Techniques of 2025.

Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques:
portswigger.net/polls/top-10...

15.01.2026 15:29 👍 7 🔁 5 💬 0 📌 0

Preview: Top 10 web hacking techniques of 2025: call for nominations Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te

Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: portswigger.net/research/top...

06.01.2026 15:32 👍 9 🔁 2 💬 0 📌 0

Preview: Ruby Array Pack Bleed / nastystereo.com

nastystereo.com/security/rub...

29.12.2025 06:38 👍 2 🔁 1 💬 0 📌 0

Bypass CSP in a single click using my new Custom Action, powered by @renniepak.nl's excellent CSP bypass project.

16.12.2025 15:31 👍 12 🔁 6 💬 1 📌 0

Hope they're useful, feel free to PR or ping me if you encounter any inaccuracies!

15.12.2025 14:09 👍 2 🔁 0 💬 0 📌 0

Turbo Intruder now has API docs! You can easily discover its many advanced features including
- pauseMarker for pause-based desync... or DoS
- decorators for easy response filtering
- 'randomPlz'
- wordlists.clipboard for lazy attack setup
...and many more!
github.com/PortSwigger/...

15.12.2025 14:08 👍 3 🔁 1 💬 1 📌 0

Preview: AutoVader - The Spanner Four years ago we released DOM Invader, I added a feature called callbacks that enabled you to execute JavaScript and log when sinks, messages or sources are found. This was so powerful but over the y...

Meet AutoVader. It automates DOM Invader with Playwright Java and feeds results back into Burp. Faster client side bug hunting for everyone. 🚀

thespanner.co.uk/autovader

09.12.2025 12:22 👍 12 🔁 7 💬 0 📌 0

Preview: SVG Filters - Clickjacking 2.0 A novel and powerful twist on an old classic.

my new blogpost is out!!

this one talks about a new web vulnerability class i discovered that allows for complex interactive cross-origin attacks and data exfiltration

and i've already used it to get a google docs bounty ^^

have fun <3

lyra.horse/blog/2025/12...

04.12.2025 14:03 👍 184 🔁 51 💬 8 📌 5

You can now scan for #react2shell in Burp Suite! To enable, install the Extensibility Helper bapp, go to the bambda tab and search for react2shell. Shout-out to Assetnote for sharing a quality detection technique!

04.12.2025 15:05 👍 15 🔁 3 💬 0 📌 0

Preview: Shadow Repeater v1.2.3 release - The Spanner The new version of Shadow Repeater has been released with a couple of cool new features. Timing differences Shadow Repeater analyses your Repeater requests and looks for response differences but it wa...

🚀 Shadow Repeater just got a big upgrade!
It now detects response timing differences.

thespanner.co.uk/shadow-repea...

18.11.2025 12:59 👍 5 🔁 2 💬 0 📌 0

Honestly, I was surprised by how good it is 😂

17.11.2025 15:51 👍 2 🔁 0 💬 0 📌 0

Preview: Introducing HTTP Anomaly Rank HTTP Anomaly Rank If you've ever used Burp Intruder or Turbo Intruder, you'll be familiar with the ritual of manually digging through thousands of responses by repeatedly sorting the table via length,

This is super useful for humans and has some powerful potential AI applications too! You can find the full details on how the algorithm works here: portswigger.net/research/int...

11.11.2025 14:49 👍 1 🔁 0 💬 0 📌 0

Preview: HTTP Anomaly Rank - a new Turbo Intruder feature (YouTube video by PortSwigger)

I've just upgraded Turbo Intruder with a shiny new algorithm called HTTP Anomaly Rank, which automatically finds the most unusual responses in your attack! Here's a quick demo, full details in the writeup below: youtu.be/z92GobdN40Y

11.11.2025 14:49 👍 14 🔁 4 💬 2 📌 1

We've updated our XSS cheat sheet to include 9 new vectors from @garethheyes.co.uk! Here are the top three, you can find the rest here: portswigger.net/web-security...

10.11.2025 14:49 👍 175 🔁 20 💬 3 📌 0

Preview: Security Bulletins | Customer Care | Google Cloud

Google Cloud Platform was vulnerable to a HTTP desync attack leading to "responses being misrouted between recipients for certain third-party models". Aka your LLM response goes to someone else. The Expect header strikes again!
Context: http1mustdie.com
cloud.google.com/support/bull...

24.10.2025 13:11 👍 14 🔁 5 💬 0 📌 0

Preview: HTTP is supposed to be stateless... (YouTube video by PortSwigger)

HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo:
youtu.be/BAZ-z2fA8E4

22.10.2025 14:00 👍 22 🔁 5 💬 1 📌 1

Preview: DEF CON 33 - HTTP 1 1 Must Die! The Desync Endgame - James 'albinowax' Kettle (YouTube video by DEFCONConference)

The official @defcon recording of HTTP/1.1 Must Die has landed - join me on the mission to help kill HTTP/1.1! www.youtube.com/watch?v=PUCy...

17.10.2025 10:20 👍 5 🔁 1 💬 0 📌 0

Have you done all the Web Security Academy labs? These are key.

11.10.2025 09:24 👍 0 🔁 0 💬 0 📌 0

Preview: RomHack 2025 - James “albinowax” Kettle - HTTP/1.1 Must Die! The Desync Endgame (YouTube video by Cyber Saiyan)

The recording of "HTTP/1.1 must die: the desync endgame" has now landed on YouTube. Enjoy! www.youtube.com/watch?v=zr5y...

08.10.2025 14:16 👍 15 🔁 3 💬 1 📌 0

I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @blackhatevents.bsky.social

07.10.2025 14:55 👍 26 🔁 6 💬 0 📌 0