Tags: vulnerability, high, HTTP Desync, Protocol Vulnerability

Oct 09, 2025 • PortSwigger Research

HTTP/1.1 must die: Dafydd Stuttard on what this means for enterprise security

Source: PortSwigger Research
Category: vulnerability
Severity: high

Executive Summary

At Black Hat USA 2025 and DEF CON 33, PortSwigger's Director of Research, James Kettle, presented groundbreaking findings on HTTP request desync vulnerabilities. The research conclusively demonstrates that the HTTP/1.1 protocol is fundamentally broken, posing significant risks to enterprise security architectures globally. These desync techniques let attackers exploit request smuggling to bypass security controls, potentially leading to unauthorized access, cache poisoning, and credential theft. The presentation emphasizes the urgent need for organizations to reassess their reliance on legacy HTTP standards. No specific threat actors or malware families were identified in this disclosure, but the underlying vulnerability affects every organization that uses standard web protocols. Mitigation strategies likely involve transitioning to more secure protocol versions such as HTTP/2 or HTTP/3 and implementing rigorous input validation on web servers and intermediaries so that desync attacks do not succeed in production environments.
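The summary's last sentence points at strict validation on intermediaries as the practical mitigation. The following is an added illustration of what that looks like in code; it is not PortSwigger's code and is not taken from the research being summarized. A request desync only becomes possible when a front end and a back end can disagree about where a request body ends, so the check below refuses any HTTP/1.1 request whose framing headers are ambiguous. The rules it applies (reject a message carrying both Content-Length and Transfer-Encoding, reject conflicting or non-decimal Content-Length values, accept only a single exact `chunked` coding, reject header names that are not valid tokens such as a name with a space before the colon) are taken from RFC 9110 and RFC 9112, not from this page; the function names and the sample requests are constructed for the example.

```python
"""Reject HTTP/1.1 requests whose message framing is ambiguous.

Added example for this page (not PortSwigger's code). It shows the
kind of strict framing validation an intermediary can apply so that
the front end and the back end cannot disagree about where one
request ends and the next begins. Framing rules follow RFC 9110/9112;
sample requests below are constructed.
"""
import re
from typing import List, Optional, Tuple

# RFC 9110 tchar: no whitespace, no separators.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_DIGITS = re.compile(r"^[0-9]+$")

Header = Tuple[str, Optional[str]]


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a request head into (request-line, [(raw-name, value), ...]).

    Header names are kept exactly as received so the checks can see
    obfuscation such as 'Transfer-Encoding ' (trailing space) that a
    lenient parser would silently normalise away.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: List[Header] = []
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            # No colon at all: record it so validate_framing() rejects it.
            headers.append((line, None))
        else:
            headers.append((name, value.strip(" \t")))  # OWS around value is allowed
    return request_line, headers


def validate_framing(headers: List[Header]) -> Tuple[bool, List[str]]:
    """Return (accept, reasons); accept is False whenever two compliant-ish
    parsers could legitimately disagree about the body length."""
    reasons: List[str] = []
    content_lengths: List[str] = []
    transfer_encodings: List[str] = []
    for name, value in headers:
        if value is None or not _TOKEN.match(name):
            # RFC 9112 s5.1: whitespace between field name and colon, or a
            # non-token name, must be rejected rather than repaired.
            reasons.append(f"malformed header name {name!r}")
            continue
        lname = name.lower()
        if lname == "content-length":
            content_lengths.append(value)
        elif lname == "transfer-encoding":
            transfer_encodings.append(value)

    # Content-Length: every value must be a plain decimal and all identical.
    for v in content_lengths:
        if not _DIGITS.match(v):
            reasons.append(f"invalid Content-Length value {v!r}")
    if len(set(content_lengths)) > 1:
        reasons.append("conflicting Content-Length values " + ", ".join(content_lengths))

    # Transfer-Encoding: exactly one coding, the exact token 'chunked'.
    # Case variants, unknown codings and coding lists are refused rather
    # than guessed at, because implementations differ on how they treat them.
    if transfer_encodings:
        codings = [c.strip(" \t") for v in transfer_encodings for c in v.split(",")]
        if codings != ["chunked"]:
            reasons.append(f"unsupported or obfuscated Transfer-Encoding {transfer_encodings!r}")

    # RFC 9112 s6.1: a message carrying both headers is an error.
    if content_lengths and transfer_encodings:
        reasons.append("both Content-Length and Transfer-Encoding present")

    return (not reasons, reasons)


def decide(raw: bytes) -> Tuple[bool, List[str]]:
    """Convenience wrapper: parse a raw request head and validate its framing."""
    _, headers = parse_head(raw)
    return validate_framing(headers)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\nhello",
    "cl_and_te": b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "space_before_colon": b"POST /x HTTP/1.1\r\nHost: a\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello",
    "obfuscated_te": b"POST /x HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        accept, reasons = decide(raw)
        print(f"{label:20s} {'ACCEPT' if accept else 'REJECT'} {reasons}")
```

The point of rejecting rather than normalising is that normalisation is exactly where front end and back end drift apart: a proxy that strips the offending header and forwards the rest has decided a framing question on the back end's behalf, and the back end may decide differently. Closing the connection on any ambiguous request keeps the two parsers from ever holding inconsistent views of the byte stream.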

Summary

At Black Hat USA 2025 and DEF CON 33, PortSwigger's Director of Research, James Kettle, unveiled new HTTP desync techniques that prove one thing beyond doubt: HTTP/1.1 is broken, and every organizatio
