Aug 06, 2025 • PortSwigger Research
HTTP/1.1 Must Die: What This Means for AppSec Leadership
Executive Summary
During Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, highlighted the persistent and evolving nature of HTTP request smuggling vulnerabilities. Despite longstanding defensive measures, this attack technique continues to thrive, posing significant risks that application security leadership must address. The presentation emphasizes that continued reliance on HTTP/1.1 is what makes these vulnerabilities possible, and argues for upgrading away from the protocol. Organizations must recognize that request smuggling remains a critical vector for bypassing security controls and potentially gaining unauthorized access. Mitigation strategies should prioritize rigorous input validation, consistent parsing between front-end and back-end systems (so that both agree on where each request ends), and transitioning away from legacy protocols where feasible. Security teams are urged to update WAF rules and to audit their web infrastructure regularly for smuggling attempts. This evolving threat landscape requires proactive AppSec leadership to adapt defenses against these web-based attacks before they are exploited in widespread campaigns.
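As an added example (not code from the article or from PortSwigger), the following Python function shows what "consistent parsing between front-end and back-end" amounts to in practice: a strict framing check that rejects any HTTP/1.1 request whose body length two parsers could read differently. The rules follow RFC 9112 section 6.3; the sample requests are constructed.

```python
# Added example, not from the article: strict HTTP/1.1 request-framing check
# that a front-end proxy and a back-end server would both apply so they can
# never disagree on where one request ends and the next begins.
from typing import Tuple


def check_framing(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for the framing headers of one request.

    Rejects every case in which two parsers could disagree on body length:
    Transfer-Encoding together with Content-Length, differing duplicate
    Content-Length values, non-numeric lengths, header names padded with
    whitespace before the colon, obsolete line folding, and any
    Transfer-Encoding whose final coding is not 'chunked'.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    te, cl = [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):
            return False, "obsolete line folding"  # obs-fold is ambiguous
        name, _, value = line.partition(b":")
        if name != name.rstrip():                  # "Content-Length : 5"
            return False, "whitespace before colon"
        key = name.strip().lower()
        if key == b"transfer-encoding":
            te.append(value.strip().lower())
        elif key == b"content-length":
            cl.append(value.strip())
    if te and cl:
        return False, "both Transfer-Encoding and Content-Length"
    if te:
        codings = [c.strip() for v in te for c in v.split(b",")]
        if codings[-1] != b"chunked":
            return False, "final transfer coding is not chunked"
        return True, "chunked"
    if len(set(cl)) > 1:
        return False, "conflicting Content-Length values"
    if cl and not cl[0].isdigit():
        return False, "non-numeric Content-Length"
    return True, "content-length" if cl else "no body"


if __name__ == "__main__":
    # Constructed samples: one clean request, one with ambiguous framing.
    print(check_framing(b"POST / HTTP/1.1\r\nContent-Length: 5\r\n\r\nhello"))
    print(check_framing(b"POST / HTTP/1.1\r\nContent-Length: 5\r\n"
                        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"))
```

Applying the same check on both hops removes the disagreement that smuggling depends on, and logging the rejection reason gives the SOC a signal worth alerting on.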
Summary
At Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, issued a stark warning: request smuggling isn't dying out, it's evolving and thriving. Despite years of defensive ef