Summary of "Top 10 Web Hacking Techniques of 2025 and a Hint for 2026 - James Kettle - ASW #380"
Summary (Application Security Weekly #380)
- James Kettle (PortSwigger/Burp researcher) discusses “Top 10 Web Hacking Techniques of 2025” and why the results reflect the community’s creativity and research culture. He describes the “top 10” as primarily human-driven, noting that LLM-driven “buzz” producing high-quality novelty was only really taking off later—around January, in his view.
LLMs are changing research, not replacing it
- Kettle argues AI makes it easier to start research (e.g., by reducing the time spent building tooling), but AI alone isn't enough to reliably generate true novelty that survives expert review.
- He emphasizes that AI-assisted research can still produce novel discoveries, but only when researchers build a carefully designed “harness”—a workflow/tooling/methodology around the model.
- Without that harness, AI outputs can be incorrect or not genuinely new, including cases where the model mistakes previously published ideas as novel.
Community incentives remain strong despite AI ingestion concerns
- Many researchers continue publishing because they “owe something” to the community that taught them—even as AI threatens to compress competitive advantage.
- Kettle predicts more people will attempt novel research in 2026, since the bar to experimentation is dropping (less upfront effort to build tooling).
- He also expects new entrants into the space.
Themes highlighted from the 2025 “top techniques” discussion
- LLM absence in the 2025 top 10: LLM techniques weren’t prominent at that caliber in 2025, though they may influence later lists.
- HTTP desync / request smuggling ecosystem: A major component of Kettle’s background and an ongoing driver of protocol-level research.
- “ORM leaking more than you joined for”: Presented as a modern successor to SQL injection in spirit—frameworks that patched older issues (e.g., safer query patterns) can still introduce new exploitable power/behavior.
- Exploitability in “known” classes still exists: Kettle pushes back on the idea that categories like XSS or SQL injection are fully exhausted, arguing they can still be researched—particularly as techniques evolve via drivers, encoding, protocol behavior, or edge cases.
Tooling + harness beat “one great prompt”
- Kettle rejects the notion that a good prompt plus basic network access (e.g., “pretend to be James, run curl”) is sufficient.
- For high-impact novelty, he stresses engineered harnesses and methodology.
- He reports little performance variance across models once the harness and evaluation approach are in place—suggesting the workflow matters more than the exact model.
Managing research volume and automation tradeoffs
- He describes an “overwhelming” stream of AI-generated research leads.
- This drives pressure to automate parts of the pipeline—especially writing/reporting—even if that automation is “boring,” because manual review can’t keep up.
Safety and “dangerous by design” experiments
- Kettle jokes that his system was built “to be dangerous,” not safe.
- He mentions incidents where systems became disruptive enough that someone else unplugged a server mid-exploitation.
- While he frames the work as open-source/educational, he warns it is not a product and should not be run casually on internal systems.
How defenses are evolving (and creating new surface area)
- Classic vulnerability rates may decline (e.g., XSS/SQLi) partly due to safer framework defaults like prepared statements.
- But modern frameworks also add complex features and new attack surfaces (including behaviors related to caching and headers in ecosystems like Next.js).
- He notes some frameworks have been “red flags” in his experience, leading him to switch away to other options.
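The framework-default point above (prepared statements cutting classic SQL injection rates), as an added illustration that is not from the podcast or this summary: the legacy string-concatenation query beside the parameterized form, using Python's built-in sqlite3 module and a constructed in-memory users table. The table contents, function names and the test input are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the podcast).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Legacy pattern: the statement is assembled by string concatenation,
    so the caller's input can change the structure of the SQL itself."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Framework-default pattern: a prepared statement with a bound
    parameter. The input is only ever treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> dict:
    """Run both lookups against a fresh database and return the row counts,
    which makes the difference between the two patterns visible at a glance."""
    conn = make_db()
    try:
        return {
            "concat_rows": len(lookup_concat(conn, name)),
            "prepared_rows": len(lookup_prepared(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign name behaves identically under both patterns.
    print("alice:", compare("alice"))
    # A value containing a quote alters the concatenated statement and
    # returns every row, while the prepared statement matches nothing,
    # because no user is literally named that.
    print("quoted input:", compare("' OR '1'='1"))
```

Running the module shows the concatenated lookup returning the whole table for the quoted input while the prepared statement returns no rows; this is the mechanism behind the "safer framework defaults" remark, and it is why such defaults lower the base rate of the classic bug without addressing the newer framework behaviours discussed elsewhere in the episode.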
CTFs and “why it works” narratives remain valuable
- Kettle defends CTFs as a source of research momentum and a way to teach discovery pathways.
- He emphasizes the importance of explanatory writeups and validating results to ensure they’re real—not hallucinations or false positives.
- He highlights a recurring research mindset: "What if it's not the expected case?" (e.g., redirect-loop counts, or curl defaults that act as "magic numbers").
Black Hat 2026 tease
- He hints at exploring whether AI can perform novel research end-to-end.
- His upcoming summer Black Hat work will share the blueprint/system approach, with details intentionally withheld during the podcast.
Forward-looking expectations for the next “top list”
- He hopes for a mix of:
  - CTF-style discoveries
  - Info leaks
  - Framework attacks
  - More white-box findings
- And he wants to preserve the space for human creativity, including results that "make no sense, but work."
Closing: HTTP/1 “death” timeline
- Kettle predicts HTTP/1 will take a very, very long time to fully die, framing the change as slow—similar to how historical protocols were deprecated.
- He jokes it may persist “maybe just after IPv4.”
- His goal is to encourage treating HTTP/1 insecurity with the same seriousness as missing HTTPS/TLS.
Presenters / Contributors
- Mike Shema (host)
- James Kettle (guest; PortSwigger / Burp Suite researcher)
Category
News and Commentary