HTTP/1.1 Must Die! The Desync Endgame
Black Hat USA 2025 · Day 1 · Briefings
James Kettle presents his fourth year of HTTP desync research and arrives at a stark conclusion: the industry has patched detection methods and scanning tools while leaving the actual vulnerability — HTTP/1.1's fundamental failure to isolate requests — largely intact. He introduces HTTP Request Smuggler v3, two entirely new attack classes (Zero CL desync and Expect-header desync), and case studies that include compromising 24 million Cloudflare-hosted websites, hijacking responses from 1 million Netlify sites, and achieving full control of `auth.lastpass.com`, collectively earning over $350,000 in bug bounties. His conclusion: HTTP/1.1 must be retired from upstream connections, and he launches `httponemustdie.com` to rally the security community around that goal.

---
AI review
Kettle's fourth year of HTTP desync research delivers two entirely new attack classes, a retooled scanner, $350K in bug bounties across Cloudflare, Netlify, and LastPass, and a genuine call to action that the industry has earned by failing to fix the underlying problem for six years. This is the best offensive web research talk of the year.