Monday, 23 March 2026

Black Hat USA 2025 | HTTP/1.1 Must Die! The Desync Endgame

Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity. As long as HTTP/1.1 lives, desync attacks will thrive.

In this session, I'll introduce multiple new classes of desync attack, enabling mass compromise of user credentials across hundreds of targets, including tech giants, SaaS providers, US government systems, and almost every company using a certain CDN. Every technique has been honed for maximum impact with minimum effort, with an unplanned collaboration yielding over $200,000 in bug bounties in two weeks.

I'll also share the research methodology and open-source toolkit that made this possible, replacing outdated, canned-exploit probes with focused analysis that reveals each target's unique weak spots. This strategy creates an avalanche of desync research leads, yielding results ranging from entire new attack classes, down to exotic implementation flaws that bleed server memory into attackers' welcoming arms. You'll witness attacks meticulously crafted from theoretical foundations alongside accidental exploits with a root cause so incomprehensible, the developers ended up even more confused than me. You'll leave this talk equipped with everything you need to join me in the desync research endgame: the mission to kill HTTP/1.

By: James Kettle | Director of Research, PortSwigger

Presentation Materials Available at: https://ift.tt/CxqeYvS

source https://www.youtube.com/watch?v=FJbuAyxTTWc
