This summer, PortSwigger returns to Black Hat USA and DEF CON 33 with a host of new talks, events and ways to meet PortSwigger and the teams behind Burp Suite.
This year, we have a bold message:
Although it's been six years since PortSwigger Research first brought request smuggling to mainstream attention, attempts to mitigate these attacks have repeatedly proven to be ineffective at best and, in some cases, to actually make the situation worse.
The time has come to acknowledge that request smuggling is an inherent flaw in the HTTP/1.1 protocol itself and, as such, its continued use should be considered a vulnerability in its own right.
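The reason the flaw is inherent is that HTTP/1.1 lets two parsers on the same connection disagree about where one request ends and the next begins: the body length can be declared by Content-Length, by Transfer-Encoding, by both, or by conflicting copies of either. The following is an added illustration, not PortSwigger's code or any tool they ship. It implements a strict framing check of the kind a front end can apply before forwarding a request, flagging the header combinations RFC 9112 section 6 treats as ambiguous. All sample requests, host names and function names are constructed for the example.

```python
import re

# Added example (not PortSwigger's code): strict HTTP/1.1 request-framing check.
# Request smuggling relies on two parsers disagreeing about message length; a
# front end that refuses ambiguous framing removes that disagreement instead of
# guessing which interpretation the back end will choose.

# RFC 9110 token characters; anything else in a header name is obfuscation
# (e.g. "Transfer-Encoding : chunked" with a space before the colon).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_head(raw: bytes):
    """Split a raw request into (request_line, headers, body).

    Header names are returned unmodified so obfuscation stays visible;
    values are stripped of spaces and tabs only, so other control
    characters remain and are caught by the checks below."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name, value.strip(" \t")))
    return lines[0], headers, body


def framing_problems(raw: bytes) -> list[str]:
    """Return the reasons this request's body length is ambiguous.

    An empty list means a single, unambiguous framing rule applies."""
    _, headers, _ = parse_head(raw)
    problems = []
    cl, te = [], []
    for name, value in headers:
        if not _TOKEN.match(name):
            problems.append(f"malformed header name {name!r}")
        key = name.strip().lower()
        if key == "content-length":
            cl.append(value)
        elif key == "transfer-encoding":
            te.append(value)
    # Rule 1: CL and TE together is the classic CL.TE / TE.CL ambiguity.
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    # Rule 2: conflicting duplicate Content-Length values must be rejected.
    if len(set(cl)) > 1:
        problems.append(f"conflicting Content-Length values {cl}")
    # Rule 3: only plain ASCII digits; str.isdigit() would accept e.g. '\xb2'.
    for value in cl:
        if not re.fullmatch(r"[0-9]+", value):
            problems.append(f"non-numeric Content-Length {value!r}")
    # Rule 4: chunked must be the final coding and appear in one header.
    if te:
        codings = [c.strip(" \t").lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked" or len(te) > 1:
            problems.append(f"unusual Transfer-Encoding {te}")
    return problems


def accept(raw: bytes) -> bool:
    """Policy used by the (hypothetical) front end: forward only clean framing."""
    return not framing_problems(raw)


# Constructed sample requests; example.test is a reserved illustration domain.
SAMPLES = {
    "clean": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\n\r\nhello",
    "chunked": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "cl_te": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nX",
    "dup_cl": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello!",
    "obf_te": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        verdict = "forward" if accept(request) else "reject"
        print(f"{label:8s} -> {verdict}: {framing_problems(request)}")
```

Note that the check is deliberately stricter than the RFC's minimum (which allows a server to honour Transfer-Encoding when both headers are present, provided it closes the connection afterwards); rejecting is the safer policy because it does not depend on the back end applying the same precedence. HTTP/2 avoids the problem by design, since each frame carries an explicit binary length and there is no Transfer-Encoding at all.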
At Black Hat and DEF CON 33, PortSwigger's Director of Research, James Kettle (@albinowax), will demonstrate how it was still possible to compromise every single customer of three major CDNs, leaving tens of millions of websites exposed to potentially critical attacks.
He'll unveil new classes of desync attacks and a toolkit to help you identify request smuggling vulnerabilities more easily and reliably than ever before, the same techniques and tools he used to earn over $200k in bug bounties in just two weeks.
Tune in to our coverage of Black Hat and DEF CON 33:
Whether you still use HTTP/1.1 intentionally, or are forced to due to the limitations of your CDN's infrastructure, we want to challenge the industry to sunset this vulnerable, legacy technology. If we want a secure web, HTTP/1.1 must die!
In this session, Martin Doyhenard (@tincho_508) will show you how to dissect HTTP at the stream level, revealing hidden behaviors that traditional tools miss and turning them into powerful exploits. You'll learn how to spot hidden proxies, exploit subtle errors to desynchronize connections, hijack requests, and uncover vulnerabilities that evade traditional tools.
Through real-world case studies, Martin reveals exactly how you can chain advanced HTTP Desync attacks to secure bounties that others have left behind, transforming complex network architectures into your playground.
We’re not just bringing research, we’re arming you with tools built for modern web security.
Martin Doyhenard (@tincho_508) — Black Hat Arsenal | August 6, 1:00–1:55pm
Your proxy might be lying to you. HTTP Raider gives you raw stream-level access to see what’s really happening across persistent connections, pipelining, and edge infrastructure.
Built as a Burp Suite extension, it helps you:
If you care about HTTP smuggling, caching bugs, or infrastructure-level attacks, this is the tool you've been waiting for.
Zakhar Fedotkin (@d4d89704243) — Black Hat Arsenal | August 6, 1:00–1:55pm
WebSockets are everywhere, but security testing them has been a pain. That ends now with WebSocket Turbo Intruder.
Under the hood, WebSocket Turbo Intruder allows you to:
If you’ve been ignoring WebSockets because the tooling wasn’t there, this is your moment to start looking at this vast and under-explored attack surface.
We’re hosting an informal meetup in Las Vegas (details coming soon) where you can:
Let us know via this form to keep up-to-date with all of our plans.
We’re thrilled to recognize the researchers behind the Top 10 Web Hacking Techniques of 2024 with individual awards for each of the top 10 entries.
Every year, security researchers from all over the world share their findings. Their research is recognized not only for its individual innovation, but for its potential to be re-applied or adapted in new ways, helping to push the boundaries of web security.
This year saw a staggering 121 nominations, with some incredible research and intense competition.
This year, we will host an official awards ceremony. Watch this space.
Read the Top 10 Web Hacking Techniques of 2024 here.
We’re going big this summer with a full-spectrum launch across channels:
We’ll be bringing everything to you via our social media channels, so if you’re not attending, you’ll still have access to the groundbreaking research and tooling from PortSwigger.
Follow the action in real-time:
You’ll get early exclusive content, and a front-row seat to all of the action.
Can't make it to Vegas? Follow along with #BurpOnTour and live updates from Black Hat and DEF CON 33.