At Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, issued a stark warning: request smuggling isn't dying out, it's evolving and thriving.
Despite years of defensive efforts, new research unveiled by Kettle proves that HTTP request smuggling (or "desync" attacks) remains a systemic, protocol-level threat, compromising tens of millions of supposedly well-secured websites worldwide.
In his groundbreaking new research, HTTP/1.1 Must Die: The Desync Endgame, Kettle challenges the security community to completely rethink its approach to request smuggling. He argues that, in practical terms, it's nigh on impossible to consistently and reliably determine the boundaries between HTTP/1.1 requests, especially when implemented across the chains of interconnected systems that comprise modern web architectures. Mistakes such as parsing discrepancies are inevitable, and when using upstream HTTP/1.1, even the tiniest of bugs often have critical security impact, including complete site takeover.
This research demonstrates unequivocally that patching individual implementations will never be enough to eliminate the threat of request smuggling. Using upstream HTTP/2 offers a robust solution.
If we are serious about securing the modern web, it's time to retire HTTP/1.1 for good.
In the meantime, audit your portfolio using the only DAST scanner capable of reliably testing for desync vulnerabilities: Burp Suite DAST.
Desync attacks exploit the ambiguity in HTTP/1.1 parsing to hijack sessions, poison caches, and leak user data. What's now clear is that HTTP/1.1's core design, with its lenient text-based message parsing, multiple length-specification mechanisms, and decades-old compatibility quirks, makes it impossible to defend reliably.
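To make the "multiple length-specification mechanisms" point concrete, here is an added illustration (not code from PortSwigger or from Kettle's research): a minimal HTTP/1.1 framer that splits one constructed byte stream under a Content-Length-trusting reading and a Transfer-Encoding-trusting reading, showing that the two disagree on where the first request ends, beside the strict RFC 9112 rule that a defender's parser should enforce (reject a message head carrying both framing headers). The sample bytes and the `example.test` host are constructed for the demo.

```python
# Added illustration, not PortSwigger's code: a minimal HTTP/1.1 framer showing how
# two readings of one byte stream disagree on where the first request ends.

def _parse_head(buf: bytes):
    """Return (headers, body_offset) for the message head at the start of buf."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete message head")
    headers = {}
    for line in buf[:end].split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip())
    return headers, end + 4

def _chunked_len(buf: bytes, start: int) -> int:
    """Length of a chunked body beginning at start, including the final CRLF."""
    pos = start
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # chunk-size; extensions ignored
        pos = eol + 2 + size + 2                       # chunk data plus its CRLF
        if size == 0:
            return pos - start

def frame_requests(stream: bytes, policy: str) -> list:
    """'cl'/'te' trust that header; 'strict' rejects a head with both (RFC 9112 s6.3)."""
    out, pos = [], 0
    while pos < len(stream):
        headers, body_off = _parse_head(stream[pos:])
        has_cl, has_te = "content-length" in headers, "transfer-encoding" in headers
        if policy == "strict" and has_cl and has_te:
            raise ValueError("ambiguous framing: Content-Length with Transfer-Encoding")
        if has_te and policy != "cl":
            body_len = _chunked_len(stream, pos + body_off)
        else:
            body_len = int(headers["content-length"][0]) if has_cl else 0
        out.append(stream[pos:pos + body_off + body_len])
        pos += body_off + body_len
    return out

def is_unambiguous(stream: bytes) -> bool:
    """True when the strict framer accepts every message in stream."""
    try:
        frame_requests(stream, "strict")
        return True
    except ValueError:
        return False

# Constructed sample, not captured traffic: a POST carrying both framing headers,
# followed by the bytes that were meant to be the next request on the connection.
SAMPLE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 27\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
          b"GET /health HTTP/1.1\r\nHost: example.test\r\n\r\n")
```

Under the `te` reading the second message is the `GET /health` request; under the `cl` reading the first body swallows the GET line and the "second message" begins at `Host:`, which is exactly the boundary disagreement a strict parser refuses to create.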
PortSwigger's 2025 research demonstrates how supposedly "patched" systems, including those protected by major CDNs and WAFs, are still vulnerable on a widespread scale. This isn't an academic risk; the research team were awarded over $200,000 in bug bounties from these techniques over just two weeks, proving that several major CDNs were vulnerable, potentially compromising every one of their 24m customers' web infrastructure. This only serves to highlight the prevalence and severity of the problem.
For AppSec leaders, this presents a strategic concern: even if your organization believes it's covered, you may be relying on brittle defenses and dangerous assumptions that simply don't stand up to scrutiny.
You may have implemented the available defensive measures and patched request smuggling bugs over the years as new vectors were discovered. But the attack class hasn't gone away; it's simply evolved. PortSwigger's latest research reveals that desync vulnerabilities are still extremely prevalent, especially where systems quietly downgrade HTTP/2 to HTTP/1.1 behind the scenes, adding yet more complexity and ambiguity that can potentially be exploited.
Key takeaways:
AppSec leaders are in a unique position to drive meaningful change. Here's what we recommend:
The implications go beyond bug fixes. As Kettle writes, "You've got the illusion of security thanks to toy mitigations and selective hardening that only serves to break the established detection methodology. In truth, HTTP/1.1 is so densely packed with critical vulnerabilities, you can literally find them by mistake."
Protecting your systems now means acknowledging that the protocol itself is broken.
This demands a shift in mindset:
PortSwigger isn't just raising the alarm; we're arming defenders with the tools to act:
Ignoring HTTP/1.1's flaws is no longer an option. As an AppSec leader, you have the opportunity, and the responsibility, to lead the transition toward safer infrastructure.
Scan your apps. Prove the risk. Demand better infrastructure.
Join us in declaring: HTTP/1.1 must die.