James Kettle

I've just submitted my latest research to Black Hat USA! This one has been cooking since last June; I can't wait to share it with the world... in fact I'm quite excited just to see the community reaction to the title reveal.

RIP FX - You are a legend.

Here Dino is delivering his Pwnie Award, as well as the last public post FX made last year.

Access control bypass via header smuggling, with no desync required! Using header smuggling for more than HTTP desync like this is totally underrated - a lot of defences only filter the CL and TE headers. You can detect these with Parser Discrepancy Scan.
https://www.linkedin.com/posts/jakedmurphy1_excited-to-share-that-i-recently-identified-activity-7431735557115789313-xhnA/
Jake M. on LinkedIn:

Excited to share that I recently identified and responsibly disclosed a security vulnerability in Akamai's edge servers, which has now been fully remediated and assigned CVE-2026-26365! The issue involved a subtle edge case in HTTP request handling: improper processing of custom hop-by-hop headers. By specifying Transfer-Encoding as a hop-by-hop header via the Connection header, it was possible to trigger inconsistent request framing at the edge, creating a potential HTTP request smuggling vector depending on internal processing paths and origin server behavior. Huge credit to Akamai's security team for their responsiveness and thorough handling of the report. Also shoutout to James Kettle for his amazing research on request smuggling!
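The framing inconsistency described in the quoted post arises when a front-end strips every header listed in Connection before forwarding, after it has already used one of those headers (Transfer-Encoding or Content-Length) to delimit the body. The check below is an added defensive example, not code from the posts above and not Akamai's fix: it parses a raw HTTP/1.1 request, collects the Connection tokens, and rejects any request whose Connection header names a framing header that is actually present. The header parsing and the sample requests are constructed for the example.

```python
"""Flag HTTP/1.1 requests whose Connection header declares a framing header
(Transfer-Encoding or Content-Length) hop-by-hop.

Added defensive example; not code from the original posts and not the
vendor's remediation. The parser and sample requests below are constructed.
"""
from typing import List, Tuple

# Headers that decide where a request body ends; stripping one of these after
# using it to frame the request is the inconsistency we want to refuse.
FRAMING_HEADERS = {"transfer-encoding", "content-length"}


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request into (name, value) pairs, preserving order and duplicates.

    Reads up to the first blank line and skips the request line. Names are
    lowercased; values keep their case (token comparison lowercases later).
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:  # [1:] drops the request line
        if b":" not in line:
            continue  # malformed header line; a strict parser would reject instead
        name, value = line.split(b":", 1)
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return headers


def connection_tokens(headers: List[Tuple[str, str]]) -> List[str]:
    """Collect every token from every Connection header (comma-separated, case-insensitive)."""
    tokens = []
    for name, value in headers:
        if name == "connection":
            tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def hop_by_hop_framing_conflicts(headers: List[Tuple[str, str]]) -> List[str]:
    """Return framing headers that are both present and listed hop-by-hop in Connection."""
    present = {name for name, _ in headers}
    listed = set(connection_tokens(headers))
    return sorted(h for h in FRAMING_HEADERS if h in present and h in listed)


def check_request(raw: bytes) -> Tuple[bool, str]:
    """Return (accept, reason). Rejecting is the safe choice for a proxy or edge server."""
    conflicts = hop_by_hop_framing_conflicts(parse_header_block(raw))
    if conflicts:
        return False, "framing header declared hop-by-hop: " + ", ".join(conflicts)
    return True, "ok"


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Connection: keep-alive\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

CONFLICTING_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Connection: keep-alive, Transfer-Encoding\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("conflicting", CONFLICTING_REQUEST)):
        print(label, check_request(req))
```

The same check generalizes to Content-Length listed in Connection, which is why both framing headers are in the set; a proxy that instead silently drops the listed header should at least log the event, since the two requests above are otherwise identical and differ only in how a downstream server will frame the body.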

New geolocation-based XSS vectors just landed in our XSS cheat sheet. Huge thanks to AmirMohammad Safari for the great submission.

https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#onpromptaction

The voting has concluded, and we're thrilled to announce the top ten web hacking techniques of 2025! Massive thanks to everyone in the community for sharing their hard-earned discoveries, plus the panel and everyone who nominated or voted! https://portswigger.net/research/top-10-web-hacking-techniques-of-2025
Top 10 web hacking techniques of 2025

Welcome to the Top 10 Web Hacking Techniques of 2025, the 19th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year.

PortSwigger Research

The report from CERT.PL covering the attacks on the Polish energy system is finally available:

https://cert.pl/en/posts/2026/01/incident-report-energy-sector-2025/

Energy Sector Incident Report - 29 December 2025

CERT Polska presents a report on the analysis of an incident in the energy sector that occurred on 29 December 2025. The attacks were destructive in nature and targeted wind and photovoltaic farms, a large combined heat and power plant, and a company from the manufacturing sector. The publication aims to raise awareness of the risks associated with sabotage in cyberspace.

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

https://apply.workable.com/portswigger/j/FC27ED6166/

Voting is now live for the top ten web hacking techniques of 2025! Grab a brew, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques:
https://portswigger.net/polls/top-10-web-hacking-techniques-2025
Top 10 web hacking techniques of 2025

Welcome to the community vote for the Top 10 Web Hacking Techniques of 2025.

The Ni8mare Test: n8n RCE Under the Microscope (CVE-2026-21858)

A practical analysis of the Ni8mare n8n vulnerability (CVE-2026-21858), examining real-world exploitability, prerequisites, and why the actual risk is lower than initial reports suggested.

Horizon3.ai

Nominations for the Top 10 (new) Web Hacking Techniques of 2025 are now live! Review the submissions & make your own nominations here: https://portswigger.net/research/top-10-web-hacking-techniques-of-2025-nominations-open
Top 10 web hacking techniques of 2025: call for nominations

Over the last year, security researchers have shared a huge amount of work with the community through blog posts, presentations, and whitepapers. This is great, but it also means genuinely reusable te

PortSwigger Research