- What: James Kettle discusses top web hacking techniques of 2025 and future trends.
- Impact: Industry professionals and researchers are affected.
Topics: Application security, AI/ML, Bug Bounties

Top 10 Web Hacking Techniques of 2025 and a Hint for 2026 – James Kettle – ASW #380
April 28, 2026

PortSwigger’s list of web hacking techniques is a long-running celebration of curiosity and research from the web hacking community. James Kettle shares his thoughts on the entries from 2025 and how he expects LLMs and agents to influence what the list will look like next year. He also shares some insights on using LLMs for his own black-box research, giving us a peek into the work he’ll be sharing at Black Hat USA this summer.

Resources
- https://portswigger.net/research/top-10-web-hacking-techniques-of-2025
- https://blackhat.com/us-26/briefings/schedule/index.html#can-ai-do-novel-security-research-meet-the-http-terminator-51894

Guest: James Kettle, Director of Research at PortSwigger (@albinowax)

James ‘albinowax’ Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He’s best known for pioneering novel web attack techniques and publishing them at major conferences like Black Hat USA, at which he’s presented for nine consecutive years. He also loves exploring and advising on innovative tool concepts for security professionals, many of which have since become industry standard. Examples include introducing OAST via Burp Collaborator, bulk parameter discovery via Param Miner, billion-request attacks with Turbo Intruder, and human-style scanning with Backslash Powered Scanner. His best-known research is HTTP Desync Attacks, which popularised HTTP Request Smuggling. Other popular attack techniques that can be traced back to his research include web cache poisoning, the single-packet attack, server-side template injection, and password reset poisoning. He’s also the designer behind many of the topics and labs that make up the Web Security Academy, and serves on the Black Hat Europe review board.

Host: Mike Shema, https://dangerouserrors.com

List of Articles (Mike Shema)

We Asked Claude to Audit Sagredo’s qmail. It found a RCE.
The key to vuln research seems more about having a strong toolchain for your agents. We probably aren't close yet to a world where disclosures are nothing more than prompts (which any agent can then turn into the intended vuln report), but LLMs are clearly demonstrating value in code analysis. Also, kudos for including the commit that fixed the vuln. It's always educational to see code before and after a flaw.

PyPI has completed its second audit – The Python Package Index Blog
Welcome attention to keeping package platforms secure. But what really caught my eye was the dev's reaction to the single highest-severity flaw: "...irony is that we already had the correct pattern elsewhere in the codebase." That feeling of having made one mistake where other similar code is secure has surely been felt by developers far and wide.

Vercel April 2026 security incident
The breach stems from another vendor: https://context.ai/security-update. What stood out to me is how easily this could be almost any other breach: "[A] is not a [B] customer, but it appears at least one [A] employee signed up for the [B] ...using their [A] enterprise account and granted “Allow All” permissions." The big question for me is how access is controlled to sensitive systems, especially those with customer data, and whether that could have been further refined (without sacrificing UX) in a way that would have mitigated an employee downloading a malicious file.

The zero-days are numbered | The Mozilla Blog
There's a lot of free marketing that Anthropic is getting from Mythos. I'd love to know more about the details of these 271 vulns, specifically the classes they fall into. Second would be whether the LLM generated patches and, if so, what devs thought about the quality of those patches. But Mozilla notes that, "So far we’ve found no category or complexity of vulnerability that humans can find that this model can’t." And tempers that with, "Encouragingly, we also haven’t seen any bugs that couldn’t have been found by an elite human researcher."

Orchestrating AI Code Review at scale
This is as much about creating an architecture for handling efficient code reviews as it is about the benefits of LLMs. What made this stand out for me was the nod to the economics of agent-based reviews, both in time and token cost. The overall design seems to be an indicator that model choice is important, but not at all restricted to the cutting-edge offerings from OpenAI and Anthropic. Of course, I also appreciate that the security reviewer agent looks for "Injection vulnerabilities (SQL, XSS, command, path traversal)".

Google Online Security Blog: Protecting Cookies with Device Bound Session Credentials
The work dates back to 2024, but the feature is finally coming to mainstream builds. I wanted to highlight this as an example of secure design that addresses a gap in secure authentication flows: what happens after a phishing-resistant authentication mechanism gets handed off to a session cookie? Rather than raise even more awareness about phishing, it's nice to see a design-based approach that should further dampen the success of credential theft and account takeover.