PortSwigger Research
Novel web attack classes and HTTP protocol exploitation

PortSwigger Research doesn’t just find bugs; they define new classes of vulnerabilities. Their work fundamentally changes how the industry understands the relationship between web servers, proxies, and browsers.
Why Follow This Blog
PortSwigger Research doesn’t follow trends–they create them. When James Kettle publishes research on a new vulnerability class, it becomes required reading for the entire web security community. Their methodical approach to discovering architectural flaws in the web’s foundational protocols provides a masterclass in creative security thinking.
Key Topics Covered
HTTP Desynchronization
- Request Smuggling: CL.TE, TE.CL, and TE.TE variants
- HTTP/2 Downgrade Attacks: Exploiting protocol translation
- Browser-Powered Smuggling: Client-side desync techniques
- Response Queue Poisoning: Corrupting server response handling
Web Cache Attacks
- Cache Poisoning: Unkeyed input exploitation
- Cache Deception: Tricking caches into storing sensitive data
- CDN Vulnerabilities: Attacking global content delivery infrastructure
- Cache Key Normalization: Exploiting URL parsing differences
Server-Side Attacks
- SSRF Techniques: Advanced server-side request forgery
- Template Injection: RCE through template engines
- Prototype Pollution: JavaScript object manipulation
- Parameter Pollution: Exploiting parser inconsistencies
Client-Side Research
- DOM Vulnerabilities: Advanced DOM-based attack vectors
- Postmessage Exploitation: Cross-origin communication attacks
- Browser Parsing Quirks: Exploiting browser-specific behaviors