
PortSwigger
@PortSwigger
Followers: 100K, Following: 163, Media: 238, Statuses: 4K
We are a leading provider of software and learning on web security. We make @Burp_Suite and @WebSecAcademy.
UK
Joined May 2008
24 million websites compromised. 🧵 PortSwigger's Director of Research, James Kettle (@albinowax), & AppSec expert John Hammond (@_JohnHammond) reveal the fatal flaws in HTTP/1.1 that attackers are abusing right now. #HTTP1MustDie
I discovered how to use CSS to steal attribute data without selectors and stylesheet imports! This means you can now exploit CSS injection via style attributes! Learn how below: https://t.co/Tje8Ce8if0
It's been great to see people 'enjoying' the 0CL @WebSecAcademy lab! Tune in this Friday at 11AM PT to watch me livestream the solution with @offby1security - registration link below 👇
HTTP/1.1 is outdated and dangerous. And it’s time to kill it. 💀 James Kettle's new @PortSwiggerRes research exposes how attackers are still exploiting HTTP/1.1 flaws and how you can help end it (and earn while doing it). Learn + hack: https://t.co/d7TF6sdFh3
@orange_8361 @Arl_rose @PortSwigger @BugBountyDEFCON @d3vc0r3 Congrats, that research was top tier! I got one too 🙏
Massive thanks to everyone who came to watch HTTP/1.1 Must Die at @BlackHatEvents & @defcon! It was great to meet you all and hear your stories, had an absolute blast and I'm psyched to cook up some more madness for next year!
Today at DEF CON - the Top Ten Web Hacking Techniques of 2024 awards. Don't miss these sought-after trophies being awarded at @BugBountyDEFCON's closing ceremony this afternoon! #DEFCON33 #BugBountyVillage
The team will be at @defcon again today! Don't miss out on your free HTTP/1.1 Must Die t-shirt in the Bug Bounty Village (while stocks last...👀 ). #DEFCON33 #BugBountyVillage #HTTP1MustDie #PortSwigger #BurpSuite
🚨 In case you missed it: #BHUSA research reveals upstream HTTP/1.1 is flawed. Are your CDNs still using HTTP/1.1 for upstream connections? If so, you may be severely exposed by future waves of request smuggling attacks. Learn how to protect your organization today:
The ground-breaking new research release HTTP/1.1 Must Die! The Desync Endgame will be hitting @defcon this afternoon at 4.30pm. Join the movement 👉 https://t.co/pIOerQPxTt
#HTTP1MustDie #DEFCON33
http1mustdie.com
Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now
Today at DEF CON 33 - don't miss @albinowax's new HTTP/1.1 Must Die talk! We're proudly sponsoring the @BugBountyDEFCON and are excited to be this year's CTF triage partner. Drop by, say hello, pick up some swag, and have fun! #DEFCON33 #BurpOnTour2025 #HTTP1MustDie
🚨New Black Hat research released: Over $200k in bounties earned in just two weeks. Join the movement to kill HTTP/1.1 today ⬇️ 🔍PortSwigger’s James Kettle (@albinowax) introduces two new classes of HTTP desync attacks capable of compromising credentials on tens of millions of
Join us for the Meet the Researchers casual drinks in 2 hours! We'll be at the Centra in the Luxor between 5-7pm. Drop by for a drink and some exclusive Burp swag (before they're gone 👀). #BurpOnTour2025
In Vegas this week? Join the @PortSwiggerRes team and Burp Suite creator @DafyddStuttard for a drink tomorrow! 5-7pm Centra at The Luxor @zakfedotkin @albinowax @tincho_508
#BurpOnTour2025
🕵️‍♂️ 🎩 The desync endgame has just begun. New expert lab has just dropped. Straight from @albinowax’s #BHUSA talk: Understand the latest request smuggling techniques, sharpen your skills, unlock new bounties, and solidify your organization’s defenses with the new expert lab ⬇️
In one hour, @tincho_508 and @zakfedotkin will be presenting their brand new tools at Black Hat Arsenal! In Vegas? Don't miss these exclusive new showcases of... ⭐ HTTP Hacker ⭐ Web Socket Turbo Intruder #BlackHatUSA #BHUSA
5 hours until the desync endgame begins. https://t.co/pIOerQPxTt
#HTTP1MustDie
Today at #BlackHatUSA - three major new releases from @PortSwiggerRes
1pm - 'HTTP Hacker' at Black Hat Arsenal with @tincho_508
1pm - 'WebSocket Turbo Intruder' at Black Hat Arsenal with @zakfedotkin
3.20pm - 'HTTP/1.1 Must Die! The Desync Endgame' at Black Hat USA with