PortSwigger Research

@PortSwiggerRes

Followers
113K
Following
66
Media
75
Statuses
1K

Web security research from the team at @PortSwigger

Joined September 2019
@albinowax
James Kettle
15 days
HTTP is supposed to be stateless, but sometimes... it isn't! Some servers create invisible vulnerabilities by only validating the first request on each TCP/TLS connection. I've just published a Custom Action to help you detect & exploit this - here's a narrated demo:
23
184
1K
@zakfedotkin
d4d
28 days
I’m excited to announce that I’ll be presenting The Fragile Lock: Novel Bypasses for SAML Authentication at Black Hat Europe! In this talk, I’ll show how I was able to continuously bypass security patches to achieve complete auth bypass for major libraries. #BHEU @BlackHatEvents
5
17
143
@albinowax
James Kettle
1 month
Hackers are becoming builders - by integrating AI enhancements they’re amplifying their unique tradecraft to hack deeper, faster. I'll be sharing my vision of the future of hacking in @Hacker0x01's 'Bionic Hacking' webinar on October 15! Register here:
4
27
214
@albinowax
James Kettle
2 months
HTTP/1.1 Must Die is coming to #romhack2025 as the keynote! In-person tickets are sold out but you can still watch the livestream. This is your last chance to catch it live - register to watch here: https://t.co/j5vmX9dVnE
4
15
90
@compasssecurity
Compass Security
2 months
We use James Kettle’s (@albinowax) Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF. Find out more here: https://t.co/HhGUYrJNvQ #AppSec #BurpSuite #Pentesting
2
28
143
@zakfedotkin
d4d
2 months
We've just published a novel technique to bypass the __Host and __Secure cookie flags, to achieve maximum impact for your cookie injection findings:
portswigger.net
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and serve
3
70
213
@albinowax
James Kettle
3 months
I just published a Repeater feature to make it easier to explore request smuggling. It repeats your request until the status code changes. It's called "Retry until success" and you can install it via the Extensibility helper bapp.
5
49
385
@albinowax
James Kettle
3 months
Ever seen two responses to one request? That's just pipelining... or is it? I've just published "Beware the false false-positive: how to distinguish HTTP pipelining from request smuggling" 👇
3
36
235
@albinowax
James Kettle
3 months
Watch HTTP/1.1 Must Die live today at 1630 PST! - In person at #defcon33 track 1, main stage - Remote livestream free on YouTube (link below) Enjoy!
7
20
226
@PortSwiggerRes
PortSwigger Research
3 months
🚨 New @WebSecAcademy lab: https://t.co/Am8qEYVI5K request smuggling Based on HTTP/1 Must Die, presented at #BHUSA Solve it, write it up, and you could: ✅ Get featured on the PortSwigger blog 🎁 Win a 1-year Burp Suite Pro license 🧢 Score some swag https://t.co/FD5QVZKecn
4
9
66
@albinowax
James Kettle
3 months
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die:
http1mustdie.com
Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now
19
246
749
@NahamSec
Ben Sadeghipour
3 months
HTTP Request Smuggling Explained (with @albinowax) 🎥👉🏼 https://t.co/tCvlLoupgz
5
90
572
@ryancbarnett
Ryan Barnett (B0N3)
3 months
I was testing out the Activescan++ suspect transform updates prepping for our upcoming @BlackHatEvents talk. Worked like a charm. Then I used the new "Explore" issue AI functionality. It took the issue data based on the behavior and identified a full-width XSS bypass. #impressed
@Burp_Suite
Burp Suite
5 months
Five major AI capabilities arrived in Burp Suite Professional: ✨Explore Issue ✨Explainer ✨AI-generated recorded logins ✨False positive reduction ✨AI-powered extensibility Each one helps you tackle complex tasks faster and smarter 👉
2
5
39
@albinowax
James Kettle
3 months
Ever seen a header injection where achieving a desync seemed impossible? I think I've finally identified the cause - nginx doesn't reuse upstream connections by default, and often has header injection. This means you're left with a blind request tunneling vulnerability 👇
3
46
385
@albinowax
James Kettle
3 months
Want to make the most of the upcoming "HTTP/1.1 Must Die" research drop? We've just updated the countdown page with links to essential pre-read/watch resources. Enjoy!
@albinowax
James Kettle
4 months
It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to https://t.co/nrJtM5dDp3 :)
0
10
95
@garethheyes
Gareth Heyes
4 months
Manual testing doesn't have to be repetitive. Meet Repeater Strike - an AI-powered Burp Suite extension that turns your Repeater traffic into a scan check.
2
8
66
@albinowax
James Kettle
4 months
We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compasssecurity which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:
0
13
114
@albinowax
James Kettle
4 months
When HTTP/1.1 Must Die lands at DEFCON we’ll publish a @WebSecAcademy lab with a new class of desync attack. One week later, I’ll livestream the solution on air with @offby1security! You’re invited :) https://t.co/BPt0h0YiN2
7
65
304