James Kettle

I've just submitted my latest research to Black Hat USA! This one has been cooking since last June, and I can't wait to share it with the world... in fact I'm quite excited just to see the community reaction to the title reveal.

Love web & AI security research? Want to do it full time on-site with myself, Gareth Heyes & Zak Fedotkin? Join the PortSwigger Research team - we're hiring!

https://apply.workable.com/portswigger/j/FC27ED6166/

You can now scan for #react2shell in Burp Suite! To enable, install the Extensibility Helper bapp, go to the bambda tab and search for react2shell. Shout-out to Assetnote for sharing a quality detection technique!

I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility Helper bapp.

Credit for the concept to whoever suggested it on the livestream last week! You can also load it simply by creating a Custom Action and copy-pasting the code from here: https://github.com/PortSwigger/bambdas/blob/main/CustomAction/RetryUntilSuccess.bambda

Massive thanks to everyone who came to watch HTTP/1.1 Must Die at Black Hat USA & @defcon! It was great to meet you all and hear your stories; I had an absolute blast and I'm psyched to cook up some more madness for next year!

Watch HTTP/1.1 Must Die live today at 1630 PT!
- In person at #defcon33 track 1, main stage
- Livestream via YouTube: https://www.youtube.com/watch?v=sslnkb4MnTg

At #BlackHat? Catch "HTTP/1.1 Must Die! The Desync Endgame" today at 3:20 in Oceanside A, Level 2. Hope to see you there!

Let me know if you'd like to chat research at Black Hat or #defcon33! Also feel free to say hi if you see me about; I've got a not-very-subtle laptop cover to aid recognition 😂

Ever seen a header injection where achieving a desync seemed impossible? I think I've finally identified the cause - nginx doesn't reuse upstream connections by default, and often has header injection. This means you're left with a blind request tunneling vulnerability.

To try and achieve a desync refer to: https://portswigger.net/research/making-http-header-injection-critical-via-response-queue-poisoning

If you're stuck with tunneling, use: https://portswigger.net/web-security/request-smuggling/advanced/request-tunnelling

We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by Compass Security which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features: