Daniel Cuthbert
Next up... I want to be James Kettle when I grow up. He's singlehandedly made appsec sexy again after years of hardly any decent research. This little trick will make the bug bounty scene go mad.
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
HTTP is stateless. Repeat after me. Oh wait. Someone put the kettle on and he's about to show how this isn't exactly the case. This topic scared James so much that it nearly put him off researching it.
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
Can I just say how DAMN refreshing that James starts off with a side no-one talks about: the fear we all have of the subject and failures along the way.
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
Now we all know RFCs, right? RFC 2616 #4.4.3 says that if you get a message with both Transfer-Encoding AND Content-Length, the latter MUST be ignored. But who reads the docs??
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
The Kettle Break The Web© methodology. It's based upon timing and on influence.
Daniel Cuthbert 4 Dec
Replying to @PortSwigger
Ok, Jesus wept, bugbounty crowd, stop DMing me. Here's the simple trick. Buy a copy of and support Daff's growing fancy shirt collection
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
Attack one: bypassing front-end rules
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
Attack two: request reflection. Cool thing here is that the request gets concatenated onto the other POST login request. That's sexy af!
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
The X-Forwarded headers are so misunderstood and at the same time so widely used.
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
PSA: F5 didn't seem to think that this was enough to issue a patch but just an advisory.
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
When James says "accidental" and "cache poisoning" and then makes many people accessing a well-known homepage automatically hit the Burp Collaborator to grab an image... Accidental, pfft.
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
He is the Dwayne Johnson of infosec and bug bounties. Such a baller
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
The demo video truly shows how friggin amazing this research is, and it has earned him over 90,000 USD. Seriously, I couldn't be more of an appsec fanboy at this moment in time.
Daniel Cuthbert 4 Dec
Replying to @dcuthbert
The defensive side is actually the most important. We really need to push adoption of HTTP/2 overall. Many said WAFs solve this; no, no, no, they will only ever be band-aids.