jameskettle.com
Director of Research at @portswigger.net. Also known as albinowax. Portfolio: https://jameskettle.com/

In case you missed them, here are all the videos to highlight some of the Hackvertor v2 features. www.youtube.com/watch?v=RV0L...

We're almost at 20 years of celebrating web hacking techniques. @jameskettle.com shares his favorites from 2024, the list's importance to the web hacking community, and what inspires the kind of research it highlights. List at portswigger.net/research/top... youtu.be/8XEK3NkbKOA?...

Black Hat have published my original CFP submission for "Listen to the Whispers: Web Timing Attacks that Actually Work". I put a lot of effort into this CFP to avoid being discarded as 'yet another timing talk' - you can find it in full here: i.blackhat.com/BH-US-24/cfp...

For me, Shadow Repeater is AI in web security done right - taking full advantage of the users' manual testing skills, and providing an extra edge on top without changing their workflow

We've just released Shadow Repeater, for AI-enhanced manual testing. Simply use Burp Repeater as you normally would, and behind the scenes Shadow Repeater will learn from your attacks, try payload permutations, and report any discoveries via Organizer. portswigger.net/research/sha...

We've just published Turbo Intruder 1.52 which fixes some bugs, and makes the response table silky smooth. PS there's something awesome coming from @portswiggerres.bsky.social tomorrow

@jameskettle.com casually dropping info on the craziest sounding AI-enabled burp extension. Can you imagine messing about with a suspicious LFI candidate in repeater and without you doing anything differently than you do today, burp suddenly spits back the right payload?

Catch the inside story on the Top Ten Web Hacking Techniques in my interview with the Application Security Weekly podcast youtu.be/8XEK3NkbKOA

AI Hackvertor! www.youtube.com/watch?v=Flg0...

Read my thoughts on how AI is going to transform web security testing, and how @portswigger.net is proud to be leading the charge. portswigger.net/blog/why-its...

Welcome to the next evolution of Burp Suite… 🚀 #BurpAI

I'm very happy to finally share the second part of my DOMPurify security research 🔥 This article mostly focuses on DOMPurify misconfigurations, especially hooks, that downgrade the sanitizer's protection (even in the latest version)! Link 👇 mizu.re/post/explori... 1/2

Per popular demand, Turbo Intruder 1.51 now inserts results at the top of the table so you can watch them arrive without scrolling! Let me know how you find it. If you prefer the old behaviour, you can change it back using: table.setSortOrder(0, False)

Thanks to the recent @portswiggerres.bsky.social top 10, I finally found the motivation to finish writing the 2nd article about DOMPurify security! 😁 Before releasing it, I would like to share a small challenge 🚩 Challenge link 👇 challenges.mizu.re/xss_04.html 1/2

We've updated our URL validation bypass cheat sheet with this shiny Domain allow list bypass payload contributed by dyak0xdb!

Last year, I committed to uncovering critical vulnerabilities in Maven repositories. Now it’s time to share the findings: RCE in Sonatype Nexus, Cache Poisoning in JFrog Artifactory, and more! github.blog/security/vul...

The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...

I’ve updated the bug bounty & content creators starter pack with classic research group @hackerschoice.bsky.social! Let me know if you’re not on this list and would like to be added. go.bsky.app/GD7hKPX

The panel has cast their votes and I'm writing up the results now, hoping to publish tomorrow. Looks like an outstanding top ten this year, and ranks 2-4 are extremely close!

Discover blocklist bypasses via unicode overflows using the latest updates to ActiveScan++, Hackvertor & Shazzer! Thanks to Ryan Barnett and Neh Patel for sharing this technique. portswigger.net/research/byp...

There's a certain 'harmless' quirk in a popular server that I've known about for over ten years but never found or seen a viable use for. Today, I used it to complete an exploit chain! I feel like I just solved the meaning of life 😂

During #x3ctf, I discovered an unintended solution that turned out to be a pretty cool generic technique. It allows you to detect the result of a selector during CSS Injection, bypassing any CSP restricting external requests! Check out the writeup below: jorianwoltjer.com/blog/p/ctf/x...

This year two new security legends have joined the top-ten expert panel - @liveoverflow.bsky.social and @stokfredrik.bsky.social! Excited to see what analysis & insights they bring to the top ten alongside long-time contributors @agarri.fr and @irsdl.bsky.social

Four years on, every time Jira goes down people still ask if it's my fault 😂 portswigger.net/research/htt...

Thanks for all your votes! The public vote is now closed, and we're kicking off the panel vote with fifteen quality nominations. In the meantime we just published a new technique ourselves - check it out here:

24 hours remaining until voting closes on the Top 10 (new) Web Hacking Techniques of 2024! If you haven't already voted now's the time to do it. portswigger.net/polls/top-10...

Voting is now live for the Top Ten (New) Web Hacking Techniques of 2024! Browse the nominations & cast your votes here: portswigger.net/polls/top-10...

24 hours remaining to make your nominations for the Top Ten Web Hacking Techniques of 2024! I've just added another 20 nominations - looks like a record list size so I'll have to do a light quality filter before the voting stage to get the entry count down to a manageable level.

We've updated the nomination list with 14 new entries from the community - keep them coming!