James Kettle

3.9K Followers
26 Following
300 Posts
@defcon The abstract isn't live on the site yet but I put it here: https://jameskettle.com/
James Kettle upcoming talks & research portfolio

Woo, I can confirm "Can AI Do Novel Security Research? Meet the HTTP Terminator" is coming to @defcon! This research was a huge gamble and the result was glorious, can't wait to share!
I just did an interview with Application Security Weekly with teasers for my upcoming #BHUSA presentation "Can AI Do Novel Vulnerability Research: Meet the HTTP Terminator", plus reflections on the Top Ten Web Hacking Techniques of 2025 & 2026. Watch it here:
https://www.youtube.com/watch?v=fOWhhTrGtoI
Top 10 Web Hacking Techniques of 2025 and a Hint for 2026 - James Kettle - ASW #380


We've launched a new free Web Security Academy topic on exploiting AI-powered security scanners! Learn how to use indirect prompt injection to steal data, cause damage & trigger exploit chains!

Dive in here: https://portswigger.net/web-security/llm-attacks/ai-powered-scanner-vulnerabilities

I'm thrilled to announce "Can AI Do Novel Security Research? Meet the HTTP Terminator" will premiere at Black Hat USA! Check out the abstract:
https://blackhat.com/us-26/briefings/schedule/?#can-ai-do-novel-security-research-meet-the-http-terminator-51894
How is everyone doing? I wouldn't call it comfortable, but I'm starting to savor the experience of rediscovering where the new frontier is, every few weeks. It feels like replaying the early stages of my research career. Looking forward to making my own contribution at #BHUSA!🤞
I've just submitted my latest research to Black Hat USA! This one has been cooking since last June, can't wait to share it with the world... in fact I'm quite excited just to see the community reaction to the title reveal.

RIP FX - You are a legend.

Here Dino is delivering his Pwnie Award, as well as the last public post FX made last year.

Access control bypass via header smuggling, with no desync required! Using header smuggling for more than HTTP desync like this is totally underrated - a lot of defences only filter the CL and TE headers. You can detect these with Parser Discrepancy Scan.
https://www.linkedin.com/posts/jakedmurphy1_excited-to-share-that-i-recently-identified-activity-7431735557115789313-xhnA/

Jake M. (LinkedIn): Excited to share that I recently identified and responsibly disclosed a security vulnerability in Akamai's edge servers, which has now been fully remediated and assigned CVE-2026-26365! The issue involved a subtle edge case in HTTP request handling: improper processing of custom hop-by-hop headers. By specifying Transfer-Encoding as a hop-by-hop header via the Connection header, it was possible to trigger inconsistent request framing at the edge, creating a potential HTTP request smuggling vector depending on internal processing paths and origin server behavior. Huge credit to Akamai's security team for their responsiveness and thorough handling of the report. Also shoutout to James Kettle for his amazing research on request smuggling!
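The pattern the two posts above describe (a Connection header naming Transfer-Encoding, and defences that only look at the CL and TE headers themselves) can be caught at the front end with a small check on the Connection options rather than on the framing headers. The following is an added example written for this page; it is not code from the page, from Akamai, or from PortSwigger. The proxy policy, the allow-list of Connection options, the function names and the sample requests are all constructed assumptions. The check generalises slightly beyond the post: it also rejects any Connection option outside a short allow-list, since a proxy is required to strip whatever Connection names before forwarding.

```python
"""Front-end check for Connection options that name request-framing headers.

Added example, not code from the page or from any vendor. It assumes a
reverse proxy (hypothetical) that can inspect the raw request head before
forwarding. RFC 9110 section 7.6.1 requires a proxy to remove every header
named in Connection before forwarding. If Connection names Content-Length or
Transfer-Encoding, the hop that framed the body using that header and the
next hop that never sees it can disagree about where the request ends, which
is exactly the inconsistent framing the post above describes. The safe policy
is to reject such requests outright rather than strip the header and forward.
"""

# Headers that define message framing; never acceptable as Connection options.
FRAMING_HEADERS = frozenset({"content-length", "transfer-encoding"})

# Connection options this hypothetical proxy is willing to honour.
ALLOWED_OPTIONS = frozenset({"close", "keep-alive", "upgrade", "te"})


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.1 request into (request line, [(name, value)]).

    Header names are lower-cased, values keep their case, the body is ignored.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return request_line, headers


def connection_options(headers: list[tuple[str, str]]) -> list[str]:
    """All comma-separated tokens across every Connection header, lower-cased."""
    opts = []
    for name, value in headers:
        if name == "connection":
            opts.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return opts


def check_connection_header(raw: bytes) -> dict:
    """Classify a request by its Connection options.

    Returns {"action": "reject" | "forward", "reason": str, "strip": [names]}.
    reject: a Connection option names a framing header, or an option is not
            on the allow-list.
    forward: only allow-listed options; "strip" lists the headers the proxy
             must remove before forwarding (for example a TE header).
    """
    _, headers = parse_head(raw)
    options = connection_options(headers)
    framing = sorted(o for o in options if o in FRAMING_HEADERS)
    if framing:
        return {"action": "reject",
                "reason": "Connection names framing header(s): " + ", ".join(framing),
                "strip": []}
    unknown = sorted(o for o in options if o not in ALLOWED_OPTIONS)
    if unknown:
        return {"action": "reject",
                "reason": "Connection names non-allow-listed option(s): " + ", ".join(unknown),
                "strip": []}
    present = {n for n, _ in headers}
    return {"action": "forward", "reason": "ok",
            "strip": sorted(o for o in options if o in present)}


# Constructed sample requests (not captured traffic).
BENIGN = b"GET / HTTP/1.1\r\nHost: example.com\r\nConnection: keep-alive\r\n\r\n"
TE_IN_CONNECTION = (b"POST / HTTP/1.1\r\nHost: example.com\r\n"
                    b"Connection: Transfer-Encoding\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CL_IN_CONNECTION = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                    b"Connection: close, Content-Length\r\n"
                    b"Content-Length: 0\r\n\r\n")
CUSTOM_OPTION = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                 b"Connection: X-Custom\r\nX-Custom: 1\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("te-in-connection", TE_IN_CONNECTION),
                       ("cl-in-connection", CL_IN_CONNECTION), ("custom", CUSTOM_OPTION)]:
        print(label, check_connection_header(req))
```

The decision is made on the Connection value alone, so it does not depend on spotting an unusual Transfer-Encoding or Content-Length header, which is the gap the first post points at when it notes that many defences only filter those two headers. Anything a proxy would otherwise strip silently is surfaced in "strip" so that the behaviour can be logged and reviewed.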

New geolocation-based XSS vectors just landed in our XSS cheat sheet. Huge thanks to AmirMohammad Safari for the great submission.

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#onpromptaction