In this video, John and James take a deep dive into James’ new HTTP/1.1 Must Die research, which sits at the cutting edge of web security and focuses on the inherent insecurity of HTTP/1.1. As James explains, upstream HTTP/1.1 routinely exposes millions of websites to hostile takeover. For over six years, vendors have rolled out mitigation after mitigation, but researchers have consistently found ways to bypass them.
In PortSwigger’s latest research, James introduces new classes of HTTP desync attack and demonstrates critical vulnerabilities affecting tens of millions of websites, including core infrastructure within major CDNs. A live demo makes the threat all the more tangible, showing how attackers exploit fundamental protocol flaws to devastating effect.
The takeaway is clear: HTTP/1.1 has a fatal flaw. It allows attackers to create dangerous ambiguity about where one request ends and the next begins. By contrast, HTTP/2 eliminates this ambiguity, making desync attacks virtually impossible—provided it’s used not only at the edge, but also for the upstream connection between reverse proxies and origin servers.
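As an added illustration of the framing ambiguity described above (example code written for this page, not PortSwigger's own tooling): a strict HTTP/1.1 request-head validator in the spirit of RFC 9112 section 6.3 that refuses to forward any head where two parsers could disagree about where the body ends. The sample heads and the host name example.test are constructed for the example.

```python
import re
# Constructed sample request heads (bodies omitted; only the framing matters).
SAMPLES = {
    "clean": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n",
    "chunked": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "cl_and_te": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n",
    "dup_cl": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
    "odd_te": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n",
}

# RFC 9110 token characters; anything else in a field name (e.g. a space before the colon) is rejected.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def parse_head(raw: bytes):
    """Return (request_line, [(lowercased name, value), ...]) or raise ValueError."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    if "\n" in head.replace("\r\n", ""):
        raise ValueError("bare LF line ending")  # a classic source of parser disagreement
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers

def framing(raw: bytes) -> str:
    """Return 'chunked', 'content-length:<n>' or 'none'; raise ValueError if the framing is ambiguous."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            raise ValueError(f"unsupported or obfuscated transfer coding: {codings}")
        return "chunked"
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError(f"conflicting or non-numeric Content-Length: {cl}")
        return f"content-length:{int(cl[0])}"
    return "none"

def is_ambiguous(raw: bytes) -> bool:
    """True when a front-end should reject the head instead of forwarding it upstream."""
    try:
        framing(raw)
        return False
    except ValueError:
        return True
```

A front-end that applies these checks before forwarding never has to guess at request boundaries, which is exactly the guesswork the HTTP/2 binary framing removes by design.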
Act Now: Join the Mission to Kill HTTP/1.1
There are thousands of security testers, bug bounty hunters, and AppSec professionals over on the official PortSwigger Discord.
Join the server today to take part in the discussion and hear how others are killing HTTP/1.1 across their applications.