image Get the whitepaper, toolkits & remediation guides → http1mustdie.com

HTTP/1.1 Must Die: What This Means for Bug Bounty Hunters

Andrzej Matykiewicz | 06 August 2025 at 22:23 UTC


At Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, issued a stark warning: request smuggling isn't dying out, it's evolving and thriving.

Despite years of defensive efforts, new research unveiled by Kettle proves that HTTP request smuggling (or "desync" attacks) remain not only rampant but dangerously underestimated, compromising tens of millions of supposedly well-secured websites worldwide, netting $200k+ in bounties in the space of just two weeks.

In his groundbreaking new research, HTTP/1.1 Must Die: The Desync Endgame, Kettle challenges the security community to completely rethink its approach to request smuggling. He argues that, in practical terms, it's nigh on impossible to consistently and reliably determine the boundaries between HTTP/1.1 requests, especially when implemented across the chains of interconnected systems that comprise modern web architectures. Mistakes such as parsing discrepancies are inevitable, and when using upstream HTTP/1.1, even the tiniest of bugs often have critical security impact, including complete site takeover.

This research demonstrates unequivocally that patching individual implementations will never be enough to eliminate the threat of request smuggling. Upstream HTTP/2 offers a robust solution.

If we are serious about securing the modern web, it's time to retire HTTP/1.1 for good.

As a bug bounty hunter, this is a huge opportunity. The attack surface is bigger than ever. If you've not got request smuggling in your arsenal, now's the time to dive in, with new vectors, new tooling, and new strategies that bypass current defenses.

Why This Research Matters to Bug Bounty Hunters

Underestimated Angles that Could Net You Bounties

What to Do Now

Join the Desync Endgame

HTTP/1.1 is broken, but that's your opportunity: Find it. Prove it. Get paid.

The new research doesn't just hand you a few pre-canned exploits; it gives you a way to uncover the low-level parser discrepancies and visibility mismatches that sit at the root of thousands of undiscovered bugs.

Burp Suite's latest tools and techniques don't provide a fixed playbook. They help you observe, probe, and experiment with how targets actually parse requests. This means you can go beyond the known and explore new desync variants that others haven't even imagined yet.

So get out there. Tweak the tools, customize your probes, and break assumptions. Give yourself an edge that nobody else has. Desync bugs don't follow a fixed pattern; they emerge from subtle, target-specific quirks. And with the right mindset and tooling, you can discover them too, potentially bagging some serious bounties in the process.

You don't need to be a full-time researcher. You don't need a Black Hat badge. You just need curiosity, persistence, and a willingness to experiment.