James Kettle @albinowax Manchester, England

Director of Research at PortSwigger Web Security aka @Burp_Suite

64 Following   23,428 Followers   2,482 Tweets

Joined Twitter 1/30/10


If you want to read all of our AngularJS research please visit https://t.co/j2wMqPtNAb We also have learning mater… https://t.co/VHvFMMKT3r
Retweeted by James Kettle
2/27/2020
Annual reminder: you can find all my past&present research helpfully archived at https://t.co/CC7OnbNBRz Often the… https://t.co/386w5MEpLI
2/26/2020
@fuzzsqlbof Nope but you can email
2/25/2020
@arneswinnen @aroly You were warned :) https://t.co/c0D3Fn2Gna
@alexjplaskett I only do email these days
2/24/2020
@jobertabma @stokfredrik @seanmeals The project file format isn't stable enough to expose as an API. But you could… https://t.co/gZ2IO44N35
@paulmmueller Maybe, I never managed it in practice myself but it's certainly worth a shot
2/23/2020
@ianonhulk @sw33tLie It's not technically a false positive, but a misunderstanding of what's happening. For desync… https://t.co/RGRbrm9WNL
@chasej @PortSwiggerRes It's the official talk title! Whether it started out as a typo, I have no idea. I prefer to… https://t.co/nn6uBTKMPB
@sw33tLie Try the absolute URI trick mentioned on https://t.co/DUAhEEc4aQ or simply getting the victim request conc… https://t.co/cU2iAmOiEy
@sw33tLie One major server gives that error when it sees two headers with the same name.
@ohmarzing @thedawgyg @rohk_infosec @ausernamedjosh This scale is flawed - well known bug types can occur in ways t… https://t.co/fFxeURbw7F
@tuyangtuangry Run param miner to see what headers are supported. Make sure you target each page individually.
2/21/2020
@ohmarzing @rohk_infosec @ausernamedjosh Here's one datapoint via @ajxchapman https://t.co/YJY3m2Rkxu PS I probabl… https://t.co/y0tFqucPpd
2/20/2020
In case you missed it... We've updated Hackability & Inspector. It now checks for differences in the Chrome object.… https://t.co/ziDzp1grRT
Retweeted by James Kettle
2/18/2020
@Voulnet Also documented here: https://t.co/ipkmyYcAsB You'd have thought Cloudflare might have patched it by now!
Just in case anyone is upset about the ordering of the top 3... I should mention that they were all within 1 point… https://t.co/2dXDwj3Ho9
With "Cached and Confused: Web Cache Deception in the Wild" taking the #1 spot, and @albinowax 's HTTP Desync Attac… https://t.co/z7X0mSBWfM
Retweeted by James Kettle
Top 10 new web hacking techniques of 2019 https://t.co/ZJno29OVIo
Retweeted by James Kettle
2/17/2020
@Backerich The community vote selected the top 15. The panel turned the top 15 into the top 10.
2/15/2020
The Top 10 Web Hacking Techniques of 2019 is nearly ready! The expert panel of @Agarri_FR @filedescriptor @irsdl… https://t.co/AAB5cjuqd8
Retweeted by James Kettle
@Rebel_Caesar @fransrosen https://t.co/1107rpsxxh
2/14/2020
We've updated the XSS cheat sheet to include some new vectors and we have built a PDF version too.… https://t.co/peOmycw8Qb
Retweeted by James Kettle
@SecurityMB Maybe tomorrow, maybe Monday.
2/13/2020
@c0d3G33k Soon ish
@domchell That's odd, would love to have a full report on https://t.co/JTepQUSTia
@domchell Yep, the code is case sensitive so just change 'Content-Length' to 'Content-length'
New blog post! We've published a technique by @SecurityMB to leak data via CSS injection in Firefox with a single i… https://t.co/ze2PN3kYUk
Retweeted by James Kettle
2/12/2020
@ricardo_iramar I'll give you one guess
@TomNomNom @ITSecurityguard Do it
@nicolasgrekas Oh cool you didn't have to, thanks.
I wrote a blog post on my experiences during my first 12 months of full-time #BugBounty hunting. Check it out 👇 https://t.co/VKWHJnBumm
Retweeted by James Kettle
2/11/2020
An SSL bug leading to a self-inflicted HTTP desync attack, by @ericlaw. There's some crazy stuff out there! https://t.co/0xMcRxITvR
What can possibly go wrong when two web apps talk REST to each other? 🤔 Security researcher @joernchen shows us: https://t.co/oyspQyBhc2
Retweeted by James Kettle
2/10/2020
@phspades It's very similar to one of the case studies in the Cracking the Lens white paper
2/9/2020
@rudra16t Probably! But you can never really trust anything a server says
If you've enjoyed our free web security labs, have some great ideas for new ones, and can work in the UK, please ch… https://t.co/CeRlks7mEN
Retweeted by James Kettle
@Mi1So Definitely EQ. I can also assure you the interview process does not involve any IQ tests.
2/7/2020
DOM Clobbering strikes back by @garethheyes https://t.co/U9a5PrF3br
Retweeted by James Kettle
Today I presented a rough idea of a (brand-new?) data exfiltration technique with regular expression injection and… https://t.co/nZxa4ihbC3
Retweeted by James Kettle
2/6/2020
@testerofpen I meant in the Symfony advisory. It's not a big deal though.
@ahack_ru @WebSecAcademy I reported it to Drupal, they reported it to Symfony/Zend and therefore I didn't get credi… https://t.co/afMBUaxnlk
@ahack_ru @WebSecAcademy It was me that got the CVE for it...
2/5/2020
During his research into web-cache poisoning, @albinowax stumbled upon a new route-poisoning trick for systems buil… https://t.co/PfeUuCqNDU
Retweeted by James Kettle
2/4/2020
@julianor @Burp_Suite Yep you're right it shouldn't be on that page, but as described third parties turning evil is… https://t.co/78GzdCVcSH
@julianor @Burp_Suite The CSP is because we want to mitigate XSS. Nothing to do with third parties. Maybe I misunde… https://t.co/QnybLpGTqZ
@julianor @Burp_Suite We have disabled crazyegg's higher-risk features, and a trusted third party hypothetically go… https://t.co/cOCAmqjQ7A
@julianor @Burp_Suite I wouldn't bother
I miss chrome://cache https://t.co/73RrfhqnGL. At least Firefox's about:cache still exists.
@ricardo_iramar This is automatically done by default. If you have further questions, the team behind @Burp_Suite would love to help.
2/3/2020
@therealdudez Some fonts were causing performance issues so we whittled the list down
@notsoshant @DafyddStuttard @524f464c It does both
I've been beta testing this update for a while, it's a good one :) https://t.co/3x8xNVhpIy
@ericlaw The dotless domains feature was great for exploitation, so some people will miss it :)
@filedescriptor @ngalongc @EdOverflow Nice work! I love the domain name too...
@g33kyshivam @filedescriptor @ngalongc @EdOverflow If you didn't already see it, check out https://t.co/j8Cmga2c7x
@ngalongc, @EdOverflow, and I are starting a new security blog. In our first write-up, we will discuss the impact… https://t.co/bU8Dmghf70
Retweeted by James Kettle
1/31/2020
@ganggangsincep4 That said, these days I use novel unpublished desync techniques because unless you do a serious am… https://t.co/wyyfGbWiNG
@ganggangsincep4 I assumed you hadn't read that post because it answers the question of why the FP rate has changed… https://t.co/GmJgtYMuzs
@ganggangsincep4 Refer to https://t.co/9k3GWIy8f8 for further info
@ganggangsincep4 True positives get patched. False positives don't.
SVG animate XSS vector by @garethheyes https://t.co/CJUZikXhS7
Retweeted by James Kettle
Many thanks for all your votes! The community has spoken, and selected 15 nominees for the Top 10 Web Hacking Techn… https://t.co/r1cOx7PxrN
Retweeted by James Kettle
1/28/2020
@bugbounty_memes Thank @garethheyes for these ones!
We've added 11 new XSS labs, with learning materials. There is new content on CSP, dangling markup injection, and e… https://t.co/q4gve62dPz
Retweeted by James Kettle
@aroly I'll reveal it after the panel vote :)
Did you know that the address '<a@b.com>c@d.com' when given to SES will send an email to a@b.com? this could lead t… https://t.co/NDPUsgPeDB
Retweeted by James Kettle
1/27/2020
10 Triaged Crit/P1, 1 Triaged High, 2 Triaged Medium. All of them HTTP Desync bugs in the span of 2 months (The cri… https://t.co/CQuCUncj8e
Retweeted by James Kettle
1/25/2020
HTTP Request Smuggler now supports overriding the request method! @eur0pa_ spotted that using an alternative method… https://t.co/vVKMYjrvIh
@c0rv4x @samwcyo Sneaky, I love it! Thanks for sharing.
This weekend is your last chance to vote for the Top 10 (new) Web Hacking Techniques of 2019! Voting closes Monday. https://t.co/l7iIgxC7SB
Retweeted by James Kettle
@jonturk75_ @omespino That looks like the classic CC technique to me?
1/24/2020
@Serial_Pwny_Sec Either should work equally well.
I once got 90% of a critical vulnerability in Mozilla Persona's password reset. 8 years later, it still hurts that… https://t.co/9RrkxKXZNj
Ok let's close the script. That can't possibly work right? <script> x = '<!--<script>' </script>/-alert(1) </script>
Retweeted by James Kettle
@sec_for_safety There's a better way. If so few people know it, maybe I should do a blog post.
1/23/2020
@kkotowicz We need a third way of specifying how long HTTP request bodies are!
@sec_for_safety 98% sure a Content-Type check can still be bypassed.
1/22/2020
You can find the reports here: https://t.co/gARlXzipkJ https://t.co/AvT2lZleML https://t.co/XTzPwaYS7G
1/21/2020
One of these entries introduces a fantastic technique that was widely overlooked when first released. Unfortunately… https://t.co/JnpFUUwVCB
@pwntester Thanks for the research! I've made the link/title change.
@Qab It was nominated about five times :)
@leonishan_ I don't handle general Burp Suite questions - I'd suggest asking support@portswigger.net
1/15/2020
@nullfl0w This is completely different from the OWASP Top 10; it's for new techniques that came out in 2019. For mo… https://t.co/CzGLgOYD8V
@antyurin Fixed!
@antyurin Ack my bad, will do. For now I've added a comment on the video...
I was hoping the list of nominations would be shorter this year, as I've pre-filtered weak entries and grouped simi… https://t.co/sNGgXSlCjg
We need your help to select the top 10 web hacking techniques of 2019! Cast your vote here: https://t.co/afIQArrKod
1/14/2020
Just posted Remote Code Execution in Three Acts: Chaining Exposed Actuators and H2 Database Aliases in Spring Boot… https://t.co/3g6I6B9wca
Retweeted by James Kettle
@i_bo0om Added, thanks.
1/13/2020
This weekend is your last chance to nominate research for the top 10 new web hacking techniques of 2019. Voting be… https://t.co/yO07ORFiGM
@ngkogkos @Duckhun04069471 Yes, as long as 'learn observed words' is toggled. They are saved in memory so closing b… https://t.co/34SsLW5Ruk
@Duckhun04069471 I haven't used it but at a glance, parameth is more accessible if you're a command line type, but… https://t.co/IJvCDjelbD
@ngkogkos @Duckhun04069471 It already does that.
@Duckhun04069471 The tool was Param Miner. I hear it's served some other bounty hunters quite well: https://t.co/wFbqgN9Xzx
1/10/2020
It was still good fun of course - just be aware that when I play the 'I made $$$ with my new technique' game to pro… https://t.co/Pt1k6tMfGt
In 2017 I won a CTF, leading to an invite to my first HackerOne live hacking event. I flew to New York, landed in a… https://t.co/IxErAbRw1V
1/9/2020
For the sake of exercising, I looked up some web challenges in a #tetctf and noticed a cool SQLi one "Secure Syste… https://t.co/mBIDV9IOOv
Retweeted by James Kettle
@CyberTheReapeR5 If you can't hijack requests that have no X-Forwarded-Host header, this is pretty much useless
1/8/2020
@CyberTheReapeR5 If I understand you right, you're saying the only URL you can hijack is /robots.txt? That may enab… https://t.co/y08BZth58Q
1/7/2020