Get the whitepaper, toolkits & remediation guides → http1mustdie.com

HTTP/1.1 Must Die: What This Means for Contract Pentesters and MSSPs

Andrzej Matykiewicz | 06 August 2025 at 22:23 UTC


At Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, issued a stark warning: request smuggling isn't dying out, it's evolving and thriving.

Despite years of defensive efforts, new research unveiled by Kettle proves that HTTP request smuggling (or "desync" attacks) remains not only rampant but also dangerously underestimated, compromising tens of millions of supposedly well-secured websites worldwide.

In his groundbreaking new research, HTTP/1.1 Must Die: The Desync Endgame, Kettle challenges the security community to completely rethink its approach to request smuggling. He argues that, in practical terms, it's nigh on impossible to consistently and reliably determine the boundaries between HTTP/1.1 requests, especially when implemented across the chains of interconnected systems that comprise modern web architectures. Mistakes such as parsing discrepancies are inevitable, and when using upstream HTTP/1.1, even the tiniest of bugs often have critical security impact, including complete site takeover.

This research demonstrates unequivocally that patching individual implementations will never be enough to eliminate the threat of request smuggling. Using upstream HTTP/2 offers a robust solution. If we are serious about securing the modern web, it's time to retire HTTP/1.1 for good.

For MSSPs and contract pentesters, this represents both a critical service gap and a unique opportunity to deliver high-value findings that your competition miss.

Buried Risk in Client Environments

Request smuggling lives in the cracks between systems, whether that be proxies, CDNs, or distributed backends. HTTP/1.1 is full of ways for those systems to disagree about request boundaries.

PortSwigger's latest research has confirmed an uncomfortable truth: not only are request smuggling vulnerabilities still extremely prevalent, but attempts to mitigate them have made them harder to spot. In many cases, these mitigations have compounded the problem by adding yet more complexity to how systems are supposed to determine where each request starts and ends.

Several major CDNs were found to be vulnerable to new desync vectors and subtle variations on well-known exploits, exposing over 24 million of their customers' websites.

This isn't an academic risk; after bypassing supposedly battle-hardened mitigations entirely, the researchers were awarded over $200,000 in bug bounties from these techniques, highlighting both the prevalence and severity of the problem. If you're operating in a results-driven MSSP model, this should signal opportunity as well as urgency.

As a result, these bugs aren't just hard to find; they're actively obscured by current defence mechanisms. This allows you, as an external tester, to demonstrate real value by surfacing issues missed by internal teams, scanners, and other third-party contractors.

What This Means for Your Engagements

Your clients rely on you to deliver meaningful, deep, and impactful results under pressure. Desync issues are perfect territory for that as they're only detectable through protocol-level inspection, have potentially remained hidden for years in your clients' stacks, and have a tangible, high-severity impact.

Here's how you can use this research to your advantage:

What You Can Do Right Now

If you're focused purely on the usual application logic, input validation, or authentication flaws, you're probably missing critical threats. Desync bugs stem from infrastructure-level flaws. That's why they evade scanners and manual tests conducted using subpar tooling.

Whether you're mid-engagement or offering continuous coverage, these actions will help you bring cutting-edge desync detection to your clients, and prove value where others fall short.

Don't Just Deliver Reports. Deliver Change.

"You've got the illusion of security thanks to toy mitigations and selective hardening that only serves to break the established detection methodology. In truth, HTTP/1.1 is so densely packed with critical vulnerabilities, you can literally find them by mistake." Kettle writes.

That illusion is an opportunity for you. Desync attacks are not implementation bugs; they're architectural liabilities. If you want to help your clients move toward a sustainable security posture, start the conversation now.

Use these tools and research to:

PortSwigger Helps You Deliver More

PortSwigger isn't just raising the alarm; we're arming you with the tools to act:

Burp Suite offers unmatched desync detection and exploration capabilities, thanks to rich HTTP/1 and HTTP/2 support, HTTP Request Smuggler and the new HTTP Stream Hacker extensions. This ensures you aren't shackled by subpar tooling with superficial support for testing anything beyond simple, application-level issues.

DAST at scale: Burp Suite DAST identifies request smuggling vectors across your clients' estate using reliable, primitive-level detection techniques that bypass flawed defences and reveal the true extent of their exposure to desync attacks.

Education-first: Our free labs and industry-defining research translate cutting-edge insights into actionable training.

Join the Desync Endgame

Burp Suite's latest tools and techniques don't just provide a fixed playbook with precanned exploits. They're designed to help you pinpoint desync primitives: the subtle, target-specific parsing mismatches that lead to real-world compromise. This means you can go beyond the known and explore new desync variants that others haven't even imagined yet.

Every client engagement is a chance to demonstrate your value. Go beyond the checklist, explore new desync classes, and show your clients the systematic flaws that even major vendors have missed.

Show clients just how at-risk they are. Recommend lasting change. Deliver value your clients can't ignore.

And above all, help us declare: HTTP/1.1 must die.