albinowax - HTTP Desync Attacks: Smashing into the Cell Next Door - DEF CON 27 Conference
HTTP requests are traditionally viewed as isolated, standalone entities. In this session, I'll introduce techniques for remote, unauthenticated attackers to smash through this isolation and splice their requests into others, through which I was able to play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties. Using these targets as case studies, I’ll show you how to delicately amend victim's requests to route them into malicious territory, invoke harmful responses, and lure credentials into your open arms. I’ll also demonstrate using backend reassembly on your own requests to exploit every modicum of trust placed on the frontend, gain maximum privilege access to internal APIs, poison web caches, and compromise my favourite login page. Although documented over a decade ago, a fearsome reputation for difficulty and collateral damage has left this attack optimistically ignored for years while the web's susceptibility grew. By applying fresh ideas and new techniques, I’ll unveil a vast expanse of vulnerable systems ranging from huge content delivery networks to bespoke backends, and ensure you leave equipped to devise your own desync techniques and tailor attacks to your target of choice. albinowax James Kettle is Head of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including both BlackHat USA and EU, and OWASP AppSec USA and EU. Twitter: @albinowax Website: https://skeletonscribe.net/
HTTP Request Smuggling Explained (with James Kettle)
![Nicholas Carlini - Black-hat LLMs | [un]prompted 2026](https://i.ytimg.com/vi/1sd26pWhfmg/hqdefault.jpg?sqp=-oaymwE9CNACELwBSFryq4qpAy8IARUAAAAAGAElAADIQj0AgKJDeAHwAQH4Af4JgALQBYoCDAgAEAEYciBmKDYwDw==&rs=AOn4CLBn1sRfbeYcMnkqD2mtRZhq1TO6JQ)
Nicholas Carlini - Black-hat LLMs | [un]prompted 2026
HTTP 1 1 Must DIE @albinowax James Kettle Defcon 33 talk
Let’s Handle 1 Million Requests per Second, It’s Scarier Than You Think!
DEF CON 31 - Smashing the State Machine the True Potential of Web Race Conditions - James Kettle
Attacking AI - Jason Haddix - NDC Security 2026
Bill Swearingen - HAKC THE POLICE - DEF CON 27 Conference
Bill Graydon - Duplicating Restricted Mechanical Keys - DEF CON 27 Conference
Practical Web Cache Poisoning: Redefining 'Unexploitable'
The Entire Internet is Broken
DEF CON 32 - Gotta Cache ‘em all bending the rules of web cache exploitation - Martin Doyhenard
slink: WAF: Wrong Approach Firewall
Andrej Karpathy: From Vibe Coding to Agentic Engineering w/ Stephanie Zhan
The Biggest Hacking Mystery of Our Time: Shadow Brokers
Cracking the Lens: Targeting HTTP's Hidden Attack-Surface
Practical Attacks Using HTTP Request Smuggling by @defparam #NahamCon2020
DEF CON 33 - Cash, Drugs, and Guns - Why Your Safes Aren't Safe - Mark Omo, James Rowley
DEF CON 32 - Listen to the Whispers: Web Timing Attacks that Actually Work - James Kettle
DEF CON 33 - Kill List: Hacking an Assassination Site on the Dark Web - Carl Miller, Chris Monteiro
