PortSwigger Research (@portswiggerres)'s Twitter Profile
PortSwigger Research

@portswiggerres

Web security research from the team at @PortSwigger

ID: 1177545689460592640

https://portswigger.net/research
27-09-2019 11:29:18

973 Tweet

103,103K Followers

7 Following

Thomas Stacey (@t0xodile)

Thrilled to finally release my latest research "The Single-Packet Shovel: Digging for Desync-Powered Request Tunnelling". Desync vulnerabilities stemming from HP2 downgrading continue to plague even the largest vendors, have a read to find out more! assured.se/posts/the-sing…

James Kettle (@albinowax)

The recording of my recent AMA with the Burp Suite Discord community has just landed on YouTube! 40 minutes of unscripted Q&A on security research, AI, and Burp Suite: youtu.be/mgmUZ9odkvU

Gareth Heyes \u2028 (@garethheyes)

Firefox now opens the door to URL-based XSS payload smuggling too. Yep, even more ways to sneak past filters using the window name and clever URL tricks. Link to vectors👇

d4d (@d4d89704243)

Active Scan++ just got sharper - we’ve added new checks for OS command injection, powered by our latest ASCII Control Characters research. Install via Extensions -> BApp Store

James Kettle (@albinowax)

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!

Gareth Heyes \u2028 (@garethheyes)

Mikhail Khramenkov just contributed a new dangling markup vector on the latest Chrome. Live now on our XSS cheat sheet. Link to vector👇

James Kettle (@albinowax)

"Funky chunks: abusing ambiguous chunk line terminators for request smuggling" - quality research by Jeppe Weikop! Also thankfully it doesn't overlap with my upcoming presentation 😅 w4ke.info/2025/06/18/fun…

Martin Doyhenard (@tincho_508)

I'm thrilled to share that I will be presenting a 90 minute workshop in DEFCON's Bug Bounty Village! I will be speaking about advanced HTTP Desynchronisation attacks, and introducing a new tool to exploit complex vulnerabilities found in top bounty programs!

James Kettle (@albinowax)

Concerned about LLMs replacing pentesters? We've made enhancing your own workflow with AI easier than ever - you can now build your own AI features directly inside Repeater with Custom Actions. Here's one I built for myself which guesses param meanings:

James Kettle (@albinowax)

When HTTP/1.1 Must Die lands at DEFCON we’ll publish a Web Security Academy lab with a new class of desync attack. One week later, I’ll livestream the solution on air with Off By One Security! You’re invited :) youtube.com/live/B7p8dIB7b…

James Kettle (@albinowax)

We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by Compass Security which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:

Gareth Heyes \u2028 (@garethheyes)

Manual testing doesn't have to be repetitive. Meet Repeater Strike - an AI-powered Burp Suite extension that turns your Repeater traffic into a scan check.

James Kettle (@albinowax)

Want to make the most of the upcoming "HTTP/1.1 Must Die" research drop? We've just updated the countdown page with links to essential pre-read/watch resources. Enjoy!

Ryan Barnett (@ryancbarnett)

I was testing out the Activescan++ suspect transform updates prepping for our upcoming Black Hat talk. Worked like a charm. Then I used the new "Explore" issue AI functionality. It took the issue data based on the behavior and identified a full-width XSS bypass. #impressed

James Kettle (@albinowax)

Ever seen a header injection where achieving a desync seemed impossible? I think I've finally identified the cause - nginx doesn't reuse upstream connections by default, and often has header injection. This means you're left with a blind request tunneling vulnerability 👇

PortSwigger Research (@portswiggerres)

🚨 New Web Security Academy lab: 0.CL request smuggling

Based on HTTP/1 Must Die, presented at #BHUSA

Solve it, write it up, and you could:
✅ Get featured on the PortSwigger blog
🎁 Win a 1-year Burp Suite Pro license
🧢 Score some swag

portswigger.net/web-security/r…