Aug 06, 2025 • PortSwigger Research
HTTP/1.1 Must Die: What This Means for Contract Pentesters and MSSPs
Executive Summary
At Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, highlighted the persistent and evolving nature of HTTP request smuggling vulnerabilities. Despite years of defensive effort, the technique remains a critical threat vector for web applications that rely on HTTP/1.1. The presentation warns contract pentesters and Managed Security Service Providers (MSSPs) that existing mitigations are insufficient as attackers refine their smuggling methods. This evolution suggests a high-severity risk for organizations that fail to update protocols or patch back-end parsing inconsistencies. While no specific threat actors or malware families were identified in this excerpt, the underlying vulnerability can enable initial access and data exfiltration. Security teams should prioritize auditing load balancers and front-end/back-end server interactions. Transitioning to HTTP/2, or implementing strict parsing controls where HTTP/1.1 must remain, is recommended to mitigate the risk of request smuggling attacks compromising the integrity and confidentiality of modern web infrastructure.
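The "strict parsing controls" the summary recommends come down to one rule: a front-end must never have to guess where an HTTP/1.1 request ends, because a back-end that guesses differently is the root of every smuggling variant. As an added example (not code from PortSwigger or from the talk), the validator below applies the RFC 9112 framing rules a front-end proxy can enforce before forwarding: exactly one framing mechanism, no conflicting or non-numeric Content-Length, no whitespace before the header colon, and (as a deliberately strict local policy) only a bare `chunked` Transfer-Encoding. The sample requests are constructed for the demonstration, and the names `check_framing`, `FramingDecision` and `SAMPLES` are chosen here.

```python
"""Strict HTTP/1.1 framing validator for a front-end proxy.

Added example, not PortSwigger's code. Ambiguous requests are rejected
outright rather than normalised, so the front-end and back-end can never
disagree about request boundaries.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FramingDecision:
    accepted: bool
    reason: str
    body_length: Optional[int] = None  # None means "framed by chunked encoding"


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head into request line and (name, value) pairs.

    Names are lower-cased for comparison; values keep their original text so
    that obfuscated values remain visible to the checks in check_framing.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line:
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        # RFC 9112 section 5.1: whitespace between field name and colon is
        # forbidden; parsers differ on it, so reject instead of tolerating it.
        if name != name.rstrip():
            raise ValueError("whitespace before colon in %r" % name)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_framing(raw: bytes) -> FramingDecision:
    """Decide whether the request head has a single, unambiguous framing."""
    try:
        _request_line, headers = parse_headers(raw)
    except ValueError as exc:
        return FramingDecision(False, str(exc))

    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # Rule 1: never accept both mechanisms; RFC 9112 lets a server reject this.
    if cl_values and te_values:
        return FramingDecision(False, "both Content-Length and Transfer-Encoding present")

    # Rule 2 (strict local policy): the only accepted TE value is a bare "chunked".
    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        if codings != ["chunked"]:
            return FramingDecision(False, "Transfer-Encoding is not exactly 'chunked': %r" % codings)
        return FramingDecision(True, "chunked", None)

    # Rule 3: Content-Length must be a single, plain ASCII decimal value.
    if cl_values:
        if len(set(cl_values)) != 1:
            return FramingDecision(False, "conflicting Content-Length values")
        value = cl_values[0]
        # str.isdigit() accepts non-ASCII digits, so check the characters explicitly.
        if not value or any(ch not in "0123456789" for ch in value):
            return FramingDecision(False, "non-numeric Content-Length: %r" % value)
        return FramingDecision(True, "content-length", int(value))

    return FramingDecision(True, "no body", 0)


# Constructed sample request heads used to exercise the validator.
SAMPLES = {
    "clean": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 11\r\n\r\nhello=world",
    "chunked": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "cl_te": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "dup_cl": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
    "space_before_colon": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n",
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        decision = check_framing(raw)
        print("%-20s accepted=%-5s %s" % (label, decision.accepted, decision.reason))
```

The design choice worth noting is that the validator returns a decision rather than silently rewriting headers: normalisation at the front-end is exactly what creates a second opinion downstream, so the safe action on anything ambiguous is to refuse the request and log it for review.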
Summary
At Black Hat USA and DEFCON 2025, PortSwigger's Director of Research, James Kettle, issued a stark warning: request smuggling isn't dying out, it's evolving and thriving. Despite years of defensive ef