d4d (@d4d89704243)'s Twitter Profile
d4d

@d4d89704243

Zakhar Fedotkin
All thoughts are mine and mine alone

ID: 1151719984910995457

Joined: 18-07-2019 05:06:57

116 Tweets

1.1K Followers

74 Following

Orange Tsai 🍊 (@orange_8361)

Thanks PortSwigger and Bug Bounty Village for this awesome event — and also to my DEVCORE buddies for standing on stage to collect the trophy for me! A little follow-up article on this research is coming soon... stay tuned! 🤘

James Kettle (@albinowax)

Ever seen two responses to one request? That's just pipelining... or is it? I've just published "Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling" 👇

James Kettle (@albinowax)

Sometimes people think they've found HTTP request smuggling, when they're actually just observing HTTP keep-alive or pipelining. This is usually a false positive, but sometimes there's actually a real issue there! Learn how to tell the two apart: portswigger.net/research/how-t…

Gareth Heyes (@garethheyes)

I discovered how to use CSS to steal attribute data without selectors and stylesheet imports! This means you can now exploit CSS injection via style attributes! Learn how below: portswigger.net/research/inlin…

d4d (@d4d89704243)

Did you know? The newline handling quirks from The Tangled Web by lcamtuf still work in modern Chrome, if the server doesn’t support HTTP/2. An unsafe Nginx redirect config can let you inject cookies via /%0dset-cookie: foo=bar. #HTTP1MustDie

James Kettle (@albinowax)

HTTP Request Smuggler v3.0.1 is now live! This fixes a false positive in the CL.0 scan caused by pipelining - thanks to sw33tLie for the report. Note that the new parser discrepancy scan still has superior accuracy. For more info on pipelining check out portswigger.net/research/how-t…

d4d (@d4d89704243)

WebSocket security testing is so painful that this ever-expanding attack surface is largely overlooked. Learn how to dive where others fear to tread with WebSocket Turbo Intruder. Join me live on Sept 17 at 4PM (GMT+1) discord.gg/portswigger?ev…

d4d (@d4d89704243)

Dive into WebSocket Turbo Intruder 2.0 - fuzz at scale, automate complex multi-step attacks, and exploit faster. The blog post is live! Read it here: portswigger.net/research/webso…

PortSwigger (@portswigger)

WebSockets are everywhere, but testing them has always been a pain… until now. Join @portswiggerres's d4d at 4pm BST (11am EDT) today on the PortSwigger Discord as he replays his Black Hat Arsenal talk on WebSocket Turbo Intruder. Join the event 👉

Thomas Stacey (@t0xodile)

Been messing around with this in personal projects a lot! Effectively a little testing assistant sat with you checking things in the background while you do the fun stuff. I’ve even been impressed by its ability to find and understand relatively novel techniques!

Burp Suite (@burp_suite)

Introducing WebSocket Turbo Intruder WebSockets are everywhere, but testing them has always been a pain…until now. PortSwigger researcher, Zakhar Fedotkin, replays his Black Hat Arsenal talk on his new Burp Suite extension: WebSocket Turbo Intruder. Discover how to: 🔍 Fuzz