Aug 06, 2025 • PortSwigger Research
HTTP/1.1 Must Die: What This Means for In-House Pentesters
Executive Summary
At Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, highlighted the persistent and evolving nature of HTTP request smuggling vulnerabilities. Despite extensive defensive efforts over recent years, this attack vector remains a critical threat to web infrastructure. The presentation emphasizes that HTTP/1.1 itself is increasingly vulnerable, suggesting a need for urgent protocol upgrades or stricter parsing controls. For in-house penetration testers and security teams, this means that legacy configurations remain exploitable. Organizations must prioritize auditing web servers and load balancers for smuggling vulnerabilities. Mitigation strategies include enforcing HTTP/2 where possible, implementing robust input validation, and ensuring that front-end and back-end systems interpret requests consistently. The evolving landscape requires continuous monitoring and adaptation of defensive measures to prevent unauthorized access and potential data exfiltration through these refined smuggling techniques.
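One concrete form of the "stricter parsing controls" and consistent front-end/back-end interpretation called for above, as an added example that is not PortSwigger's code: a strict Python pre-parser a front end can run before forwarding, which rejects any HTTP/1.1 request whose body length two different parsers might compute differently. The request bytes in the test are constructed samples.

```python
import re

class AmbiguousFraming(ValueError):
    """The request could be framed two different ways by two parsers."""

_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 9110 field-name token
_DIGITS = re.compile(r"^[0-9]+$")

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split the header block into (lower-name, value) pairs, strictly."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise AmbiguousFraming("no CRLFCRLF terminating the header block")
    pairs = []
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        if line[:1] in (b" ", b"\t") or b"\n" in line or b"\r" in line:
            raise AmbiguousFraming("obs-fold or bare CR/LF inside a header line")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name.decode("latin-1")):
            # rejects an empty name, whitespace before the colon, non-token bytes
            raise AmbiguousFraming(f"malformed header line: {line!r}")
        pairs.append((name.decode("latin-1").lower(),
                      value.decode("latin-1").strip(" \t")))
    return pairs

def check_framing(raw: bytes) -> str:
    """Return 'content-length', 'chunked' or 'none'; raise if ambiguous."""
    pairs = parse_headers(raw)
    cl = [v for n, v in pairs if n == "content-length"]
    te = [v for n, v in pairs if n == "transfer-encoding"]
    if cl and te:                                    # both present: never forward
        raise AmbiguousFraming("Content-Length and Transfer-Encoding both present")
    if te:
        # exactly one TE header, exactly 'chunked'; no obfuscated variants
        if len(te) != 1 or te[0].lower() != "chunked":
            raise AmbiguousFraming(f"unsupported Transfer-Encoding {te!r}")
        return "chunked"
    if cl:
        # duplicates must agree and the value must be plain digits
        if len(set(cl)) != 1 or not _DIGITS.match(cl[0]):
            raise AmbiguousFraming(f"conflicting or non-numeric Content-Length {cl!r}")
        return "content-length"
    return "none"

def triage(raw: bytes) -> str:
    """Front-end verdict: the framing to use, or 'reject'."""
    try:
        return check_framing(raw)
    except AmbiguousFraming:
        return "reject"
```

A front end that applies this verdict before forwarding, and a back end that applies the same rules, cannot be made to disagree about where one request ends and the next begins.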
Summary
At Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, issued a stark warning: request smuggling isn't dying out, it's evolving and thriving. Despite years of defensive ef