Researcher: Martin Doyhenard
Modern websites have become a tangled mess of intricate network architectures - creating fertile ground for serious, protocol-level vulnerabilities that traditional tools often overlook. As web applications continue to grow in complexity, we see the rise of critical vulnerabilities like smuggling, first-request routing, and cache poisoning/deception, and the need for a tool that treats HTTP as what it really is: a stream-based protocol.
While security professionals rely on HTTP proxies to intercept, analyze, and manipulate traffic, most of these solutions abstract away the stream-based nature of the protocol. By presenting request-response pairs as isolated transactions, they hide crucial details such as persistent connections, pipelining and geo-routing, making it difficult to fully understand how data truly flows - or to uncover advanced attack vectors.
To address these challenges, I developed HTTP Stream Hacker, an open source Burp Suite extension that helps you explore and exploit your target's underlying protocol logic with ease. It surfaces hidden details like persistent connections and pipelining, and provides absolute clarity on what's happening under the hood, empowering you to take your attacks further and exploit critical vulnerabilities that would otherwise remain undetected.
Additionally, HTTP Stream Hacker leverages error- and timing-based analyses to detect concealed proxies, caching layers, and cloud infrastructures - offering a holistic view of the network infrastructure. Through a drag-and-drop interface, users can model the flow of messages across multiple components, predicting how traffic is transformed and routed.
By removing the guesswork inherent in conventional proxies and empowering testers with a low-level view of HTTP, this tool ultimately promotes true protocol mastery - enabling researchers to discover and exploit critical vulnerabilities that would otherwise remain undetected.
Researcher: Zakhar Fedotkin
Websites are increasingly adopting WebSockets for business critical functionality, but security tools have failed to keep up. As a result, WebSocket security testing is so painful that this ever-expanding attack surface is largely overlooked.
WebSocket Turbo Intruder is an open-source solution which makes attacks pain-free with automatic message correlation, timing and content analysis, and battle-tested matching and filtering capabilities. It also enables advanced, multi-step attack sequences thanks to an underlying Python API providing infinite customisability. It seamlessly integrates into Burp Suite, and also runs as a standalone CLI tool - ideal for launching attacks from a high-bandwidth VPS.
Under the hood, it is powered by a high-performance WebSocket engine developed from scratch for security testing, capable of sending tens of thousands of messages per second - perfect for large-scale bruteforce attacks, and triggering race conditions. The custom engine also allows the use of malformed messages, letting you exploit protocol-level implementation flaws, including a modern spin on the classic Ping-of-Death.
You can even scan WebSockets with your existing HTTP scanning tools, thanks to a convenient HTTP adapter. It is time to unlock the WebSocket goldmine.
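To make the "malformed messages" point concrete, the following is an added example written for this page, not code from WebSocket Turbo Intruder. It encodes and decodes single RFC 6455 frames and can deliberately produce frames the RFC forbids (an oversized or fragmented control frame, an unmasked client frame) so that a server's handling of them can be observed. The page does not say which malformations the tool itself sends, so treat these as illustrations of the class; the opcode constants and the `violations` list are this example's own naming.

```python
import os

# Added example, not code from WebSocket Turbo Intruder. Encodes and decodes
# single RFC 6455 frames, with a switch to deliberately emit frames the RFC
# forbids so their handling on the server side can be tested.

CONTINUATION, TEXT, BINARY, CLOSE, PING, PONG = 0x0, 0x1, 0x2, 0x8, 0x9, 0xA


def mask_payload(payload: bytes, key: bytes) -> bytes:
    """XOR masking from RFC 6455 section 5.3; the same operation masks and unmasks."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def build_frame(opcode: int, payload: bytes, *, fin: bool = True,
                mask: bool = True, strict: bool = True) -> bytes:
    """Encode one frame. Client-to-server frames must be masked (section 5.1).

    strict=True refuses to build a frame that violates section 5.5 (control
    frames are at most 125 bytes and never fragmented); strict=False builds it
    anyway, which is what a malformed-message test needs."""
    if strict and opcode >= CLOSE and (len(payload) > 125 or not fin):
        raise ValueError("control frame would violate RFC 6455 section 5.5")
    n = len(payload)
    mask_bit = 0x80 if mask else 0x00
    head = bytes([(0x80 if fin else 0x00) | (opcode & 0x0F)])
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 65536:
        head += bytes([mask_bit | 126]) + n.to_bytes(2, "big")
    else:
        head += bytes([mask_bit | 127]) + n.to_bytes(8, "big")
    if not mask:
        return head + payload
    key = os.urandom(4)
    return head + key + mask_payload(payload, key)


def parse_frame(data: bytes, *, from_client: bool = True) -> dict:
    """Decode one frame from the start of data.

    Returns fin/opcode/payload/consumed plus `violations`, the RFC 6455 rules
    the frame breaks. A conforming endpoint must fail the connection on any of
    them; what a given server actually does is the thing worth measuring."""
    if len(data) < 2:
        raise ValueError("need at least two bytes for a frame header")
    fin = bool(data[0] & 0x80)
    rsv = data[0] & 0x70
    opcode = data[0] & 0x0F
    masked = bool(data[1] & 0x80)
    n, pos = data[1] & 0x7F, 2
    if n == 126:
        n, pos = int.from_bytes(data[2:4], "big"), 4
    elif n == 127:
        n, pos = int.from_bytes(data[2:10], "big"), 10
    key = b""
    if masked:
        key, pos = data[pos:pos + 4], pos + 4
    payload = data[pos:pos + n]
    if masked:
        payload = mask_payload(payload, key)

    violations = []
    if rsv:
        violations.append("RSV bits set without a negotiated extension")
    if opcode in range(0x3, 0x8) or opcode in range(0xB, 0x10):
        violations.append("reserved opcode 0x%x" % opcode)
    if opcode >= CLOSE and n > 125:
        violations.append("control frame payload longer than 125 bytes")
    if opcode >= CLOSE and not fin:
        violations.append("fragmented control frame")
    if from_client and not masked:
        violations.append("unmasked client frame")
    if len(data) < pos + n:
        violations.append("declared length exceeds bytes received")
    return {"fin": fin, "opcode": opcode, "payload": payload,
            "consumed": pos + n, "violations": violations}


if __name__ == "__main__":
    print(parse_frame(build_frame(PING, b"hi"))["violations"])
    print(parse_frame(build_frame(PING, b"A" * 1000, strict=False))["violations"])
```

The interesting measurement is not the parser's verdict but the target's: send the frame `build_frame(PING, b"A" * 1000, strict=False)` produces over a real connection and watch whether the server closes with status 1002, keeps reading, or misbehaves. The `consumed` field lets the same parser walk a captured stream frame by frame.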
Researcher: James Kettle
Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity. As long as HTTP/1 lives, desync attacks will thrive.
In this session, I'll introduce multiple new classes of desync attack, enabling mass compromise of user credentials across hundreds of targets, including tech giants, SaaS providers, US government systems, and almost every company using a certain CDN. Every technique has been honed for maximum impact with minimum effort, with an unplanned collaboration yielding over $200,000 in bug bounties in two weeks.
I'll also share the research methodology and open-source toolkit that made this possible, replacing outdated, canned-exploit probes with focused analysis that reveals each target's unique weak spots. This strategy creates an avalanche of desync research leads, yielding results ranging from entire new attack classes, down to exotic implementation flaws that bleed server memory into attackers' welcoming arms. You'll witness attacks meticulously crafted from theoretical foundations alongside accidental exploits with a root cause so incomprehensible, the developers ended up even more confused than me.
You'll leave this talk equipped with everything you need to join me in the desync research endgame: the mission to kill HTTP/1.
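Both the HTTP Stream Hacker abstract above and this one rest on the same fact: HTTP/1 is a byte stream, and the only thing that separates one message from the next on a persistent connection is the framing carried in each message's own headers. The following added example (not code from either project or from PortSwigger) frames a request stream the way a server must, using Content-Length or chunked Transfer-Encoding, and includes a switch that models a parser wrongly letting Content-Length win when both headers are present. Running one stream through both framings shows the disagreement a CL.TE-style desync exploits. The two byte strings are constructed for the example.

```python
# Added example, not code from HTTP Stream Hacker or James Kettle's toolkit.
# Frames an HTTP/1 request stream by reading each message's own length headers.


def parse_head(block: bytes):
    """Split a header block into (start_line, {lower-cased name: value})."""
    lines = block.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("latin-1"), headers


def read_chunked(buf: bytes, pos: int):
    """Consume a chunked body at buf[pos:]; return (body, position_after).

    Raises ValueError when the buffer ends mid-body, i.e. more bytes are needed."""
    body = bytearray()
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(buf[pos:eol].split(b";", 1)[0].strip(), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            # last chunk, then optional trailer fields, then an empty line
            while True:
                eol = buf.find(b"\r\n", pos)
                if eol < 0:
                    raise ValueError("incomplete trailer section")
                line, pos = buf[pos:eol], eol + 2
                if not line:
                    return bytes(body), pos
        if len(buf) < pos + size + 2:
            raise ValueError("incomplete chunk data")
        body += buf[pos:pos + size]
        pos += size + 2  # skip the CRLF that ends the chunk


def split_requests(stream: bytes, cl_wins: bool = False):
    """Frame every complete request in stream.

    Returns ([(start_line, headers, body), ...], unconsumed_tail). RFC 9112
    section 6.3 says Transfer-Encoding overrides Content-Length when both are
    present; cl_wins=True models a parser that gets this wrong. The difference
    between the two framings of one stream is the CL.TE disagreement."""
    messages, pos = [], 0
    while True:
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break                                   # header block still incomplete
        start, headers = parse_head(stream[pos:head_end])
        body_start = head_end + 4
        chunked = b"chunked" in headers.get(b"transfer-encoding", b"").lower()
        has_cl = b"content-length" in headers
        if chunked and not (cl_wins and has_cl):
            try:
                body, pos = read_chunked(stream, body_start)
            except ValueError:
                break                               # body still incomplete
        elif has_cl:
            n = int(headers[b"content-length"])
            if len(stream) < body_start + n:
                break
            body, pos = stream[body_start:body_start + n], body_start + n
        else:
            body, pos = b"", body_start             # a request with neither header has no body
        messages.append((start, headers, body))
    return messages, stream[pos:]


# Constructed sample: two pipelined requests on one persistent connection,
# with a third still arriving.
PIPELINED = (
    b"POST /a HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
    b"POST /b HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"3\r\nabc\r\n2\r\nde\r\n0\r\n\r\n"
    b"GET /c HTTP/1.1\r\nHost: app.exa"
)

# Constructed sample: both framing headers present, so two parsers can disagree
# about where the first request ends and what the second one's start line is.
AMBIGUOUS = (
    b"POST /a HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\nG"
    b"GET /b HTTP/1.1\r\nHost: app.example\r\n\r\n"
)

if __name__ == "__main__":
    msgs, tail = split_requests(PIPELINED)
    print([(m[0], m[2]) for m in msgs], tail)
    for cl_wins in (False, True):
        msgs, _ = split_requests(AMBIGUOUS, cl_wins=cl_wins)
        print("cl_wins" if cl_wins else "te_wins", [m[0] for m in msgs])
```

With the RFC framing the first request's body is empty and the stray `G` becomes the first byte of the next request's start line; with Content-Length winning the body is six bytes and the second request is the intact `GET /b`. A front-end and back-end that apply different rules to the same bytes have, at that moment, different ideas of where the next request begins, which is the condition every HTTP/1 desync technique starts from.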
Researcher: Gareth Heyes
Web app testing is supposed to be fun - until you're neck-deep in tabs, repeating the same payloads, rewriting the same report sections, and wondering what you missed by not trying just one more thing. In this session, I'll bring the fun back by sharing tools that quietly transform manual testing into something smarter - and showing you how to build your own.
I've spent the last year experimenting with AI tool development to amplify my hacking efforts, building four open-source extensions: Shadow Repeater, Document My Pentest, AI Hackvertor, and Repeat Strike. While you're hacking, these tools hack harder.
I'll share what worked, what didn't, what broke completely, and the tricks I wish I knew when I started. If you're thinking of gluing AI into your own hacking workflow - or just want to see what's possible now - this talk's for you.
Researcher: Zakhar Fedotkin
Cookies were never meant to be secure. Bolted awkwardly onto HTTP, they have long been a source of confusion, inconsistency, and catastrophic vulnerabilities. Despite countless RFC fixes, things still fall apart.
In this talk, I will uncover how fundamental flaws in cookie parsing continue to enable real-world bypasses of core security mechanisms. I will introduce previously unpublished techniques and new classes of cookie-based attacks that exploit discrepancies between client-side and server-side interpretations - allowing attackers to compromise session integrity at scale.
To wrap up, I will release an open-source toolkit to help security researchers detect and exploit these flaws in the wild.
If you think you know cookies, think again. This talk will uncover the most subtle RFC flaws.
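A minimal form of the client/server discrepancy check, written as an added example rather than the toolkit announced above: one Cookie header is parsed under several interpretation choices that implementations are known to differ on (which duplicate wins, whether surrounding double quotes are stripped, whether a comma also ends a pair), and every name whose value is not identical across the interpretations is reported. The profile names and sample headers are this example's own and describe no specific product.

```python
import re

# Added example, not the toolkit from the talk. Parses one Cookie header under
# several interpretation profiles and reports the names they disagree on.


def parse_cookie(header: str, *, separators: str = ";",
                 strip_quotes: bool = False, first_wins: bool = True) -> dict:
    """Parse a Cookie request header under one set of interpretation choices.

    separators    characters that end a cookie-pair (RFC 6265: ';' only;
                  RFC 2965-era parsers also split on ',')
    strip_quotes  drop one surrounding pair of double quotes from the value
    first_wins    which duplicate to keep; RFC 6265 tells servers not to rely
                  on pair order, so implementations legitimately differ here
    """
    jar = {}
    for part in re.split("[" + re.escape(separators) + "]", header):
        part = part.strip(" \t")
        if not part:
            continue
        name, _, value = part.partition("=")
        name, value = name.strip(" \t"), value.strip(" \t")
        if strip_quotes and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if first_wins and name in jar:
            continue
        jar[name] = value
    return jar


# Constructed profiles: each models a plausible server-side parser, not a product.
PROFILES = {
    "rfc6265_first_wins": dict(separators=";", strip_quotes=False, first_wins=True),
    "last_wins_unquoting": dict(separators=";", strip_quotes=True, first_wins=False),
    "legacy_comma_split": dict(separators=";,", strip_quotes=True, first_wins=False),
}


def disagreements(header: str) -> dict:
    """Return {cookie_name: {profile: value_or_None}} for every name whose
    value is not the same under every profile. An empty dict means the header
    is unambiguous across the modelled parsers."""
    views = {p: parse_cookie(header, **opts) for p, opts in PROFILES.items()}
    names = set().union(*views.values())
    report = {}
    for name in names:
        values = {p: v.get(name) for p, v in views.items()}
        if len(set(values.values())) > 1:
            report[name] = values
    return report


if __name__ == "__main__":
    # Constructed headers: duplicate name, and a quoted value containing a comma.
    for header in ("session=abc; theme=dark",
                   "session=first; session=second",
                   'session="a,b"'):
        print(header, "->", disagreements(header))
```

The practical use is to feed in the header exactly as the browser serialises it and look for a name that the component enforcing a check (for instance a front-end that validates `session`) would read differently from the component that consumes it. A cookie that parses one way in front and another way behind is the precondition for the session-integrity bypasses the talk refers to.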
Researcher: Gareth Heyes
Conferences: PortSwigger Discord, 07 Nov 2024
Researcher: Gareth Heyes
Conferences: DEF CON 32, 11 Aug 2024 | Black Hat USA 2024, 07 Aug 2024
Researcher: James Kettle
Conferences: DEF CON 32, 09 Aug 2024 | Black Hat USA 2024, 07 Aug 2024
Researcher: Martin Doyhenard
Conferences: DEF CON 32, 09 Aug 2024 | Black Hat USA 2024, 07 Aug 2024
Researcher: James Kettle
Conferences: Nullcon Goa 2023, 23 Sept 2023 | DEF CON 31, 12 Aug 2023 | Black Hat USA 2023, 09 Aug 2023
Researcher: Gareth Heyes
Conferences: Nullcon Berlin 2023, 09 Mar 2023 | OWASP 2023 Global AppSec Dublin, 15 Feb 2023
Researcher: James Kettle
Conferences: DEF CON 30, 12 Aug 2022 | Black Hat USA 2022, 10 Aug 2022
Researcher: James Kettle
Conferences: Nullcon Berlin, 08 Apr 2022
Researcher: James Kettle
Conferences: Black Hat Europe, 10 Nov 2021 | DEF CON 29, 06 Aug 2021 | Black Hat USA, 05 Aug 2021
Researcher: James Kettle
Conferences: Black Hat Europe 2020, 10 Dec 2020
Researcher: Gareth Heyes
Conferences: Black Hat Europe 2020, 10 Dec 2020
Researcher: James Kettle
Conferences: Black Hat USA 2020, 05 Aug 2020
Researcher: Gareth Heyes
Conferences: Global AppSec Allstars, 26 Sept 2019
Researcher: James Kettle
Conferences: Black Hat USA 2019, 07 Aug 2019
Researcher: James Kettle
Conferences: LevelUp 0x03, 25 Jan 2019
Researcher: James Kettle
Conferences: Black Hat USA 2018, 09 Aug 2018
Researcher: Gareth Heyes
Conferences: AppSec Europe, 06 Jul 2018
Researcher: Gareth Heyes
Conferences: BSides Manchester, 17 Nov 2017
Researcher: James Kettle
Conferences: Black Hat USA 2017, 27 Jul 2017
Researcher: James Kettle
Conferences: OWASP AppSec EU 2017, 12 May 2017
Researcher: James Kettle
Conferences: Black Hat Europe 2016, 05 Dec 2016
Researcher: Gareth Heyes
Conferences: OWASP London, 24 Nov 2016
Researcher: James Kettle
Conferences: 44Con 2015, 15 Sept 2015
Researcher: James Kettle
Conferences: Black Hat USA 2015, 05 Aug 2015