

Episode 139: James Kettle - Pwning in Prod & How to do Web Security Research
Sep 11, 2025
James Kettle, Head of Research at PortSwigger and expert in web security, shares insights on critical vulnerabilities and innovations in the field. He discusses the complexities of HTTP, expressing why he believes HTTP/1.1 should be phased out. Kettle explores strategies to prevent burnout in research, emphasizing the balance between autonomy and team dynamics. The conversation also highlights the evolving role of AI in web security and the importance of clear objectives for effective vulnerability research.
Accidental Pause-Based Desync Discovery
- James discovered a pause-based desync by accident while scanning thousands of sites with different timeouts.
- He spent two weeks building a man-in-the-middle testbed and briefly broke TLS on Apache to prove the concept.
Use Deadlines To Focus Research
- Give yourself a schedule and clear deadlines to reduce stress and focus research.
- Use CFP deadlines (e.g., Black Hat) as effective timeboxes for delivering research.
Two-Layer HTTP/2 Representation
- Represent HTTP/2 at two abstraction layers: a familiar HTTP/1 view and an accurate under‑the‑hood inspector.
- Use the inspector to manipulate pseudo‑headers and protocol specifics when needed.
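The two-layer idea above, as an added example (my own code, not Burp's or PortSwigger's): an HTTP/2 request is stored as the ordered header list that would actually be HPACK-encoded, with `:method`, `:scheme`, `:authority` and `:path` pseudo-headers; an HTTP/1-style text view is projected from it for everyday editing, and a separate check reports the states that projection cannot express (duplicate or misplaced pseudo-headers, a `:path` with whitespace or CRLF, names that would be re-normalised). The names `H2Request`, `from_http1`, `to_http1`, `lossy_in_http1` and `set_header` are assumptions of this example, as is the default `https` scheme, since HTTP/1 text carries no scheme.

```python
"""Two views of one HTTP/2 request: an HTTP/1-style text projection for
everyday editing, and the under-the-hood header list for protocol-level edits.
Added example; not code from Burp Suite or PortSwigger."""
from __future__ import annotations

from dataclasses import dataclass, replace

PSEUDO_ORDER = (":method", ":scheme", ":authority", ":path")


@dataclass(frozen=True)
class H2Request:
    """Under-the-hood view: the ordered (name, value) list as it would be encoded."""
    headers: tuple[tuple[str, str], ...]
    body: bytes = b""

    def pseudo(self, name: str) -> str | None:
        for k, v in self.headers:
            if k == name:
                return v
        return None


def from_http1(raw: bytes, scheme: str = "https") -> H2Request:
    """Parse HTTP/1 text into the HTTP/2 form. The request line becomes
    :method/:path, Host becomes :authority, and field names are lowercased
    because HTTP/2 has no case. The scheme is assumed (text carries none)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    regular: list[tuple[str, str]] = []
    authority = ""
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            authority = value
        else:
            regular.append((name, value))
    pseudo = [(":method", method), (":scheme", scheme),
              (":authority", authority), (":path", target)]
    return H2Request(tuple(pseudo + regular), body)


def to_http1(req: H2Request) -> bytes:
    """Render the familiar HTTP/1 view. This is a projection, not the request
    itself: anything the text syntax cannot express is flattened silently."""
    line = f"{req.pseudo(':method') or ''} {req.pseudo(':path') or ''} HTTP/1.1"
    fields = [f"Host: {req.pseudo(':authority') or ''}"]
    fields += [f"{k}: {v}" for k, v in req.headers if not k.startswith(":")]
    return ("\r\n".join([line] + fields) + "\r\n\r\n").encode("latin-1") + req.body


def lossy_in_http1(req: H2Request) -> list[str]:
    """States of the HTTP/2 header list that the HTTP/1 view cannot round-trip.
    Any hit is a reason to edit the low-level list directly."""
    problems: list[str] = []
    counts: dict[str, int] = {}
    for k, _ in req.headers:
        counts[k] = counts.get(k, 0) + 1
    for name in PSEUDO_ORDER:
        if counts.get(name, 0) == 0:
            problems.append(f"missing {name}")
        elif counts[name] > 1:
            problems.append(f"duplicate {name}")
    saw_regular = False
    for k, v in req.headers:
        if k.startswith(":"):
            if saw_regular:
                problems.append(f"{k} after a regular header")
            if k not in PSEUDO_ORDER:
                problems.append(f"unknown pseudo-header {k}")
        else:
            saw_regular = True
            if k != k.lower() or " " in k or ":" in k:
                problems.append(f"field name {k!r} would be re-normalised by the text view")
        if any(c in v for c in "\r\n\0"):
            problems.append(f"{k} value contains CR/LF/NUL")
    path = req.pseudo(":path") or ""
    if any(c in path for c in " \r\n"):
        problems.append(":path contains whitespace; the request line would be re-split")
    return problems


def set_header(req: H2Request, name: str, value: str, *, append: bool = False) -> H2Request:
    """Inspector-level edit: set or append a header with no normalisation at all."""
    if append or all(k != name for k, _ in req.headers):
        return replace(req, headers=req.headers + ((name, value),))
    return replace(req, headers=tuple((k, value if k == name else v) for k, v in req.headers))
```

The useful property to check is the round trip: `from_http1(to_http1(r)) == r` holds for an ordinary request, and fails exactly for the cases `lossy_in_http1` flags, which is why a pseudo-header edit belongs in the low-level view rather than the text one.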