James Kettle

James Kettle is head of research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. His recent work has focused on the design of the new Burp Collaborator system for identifying and exploiting SSRF, asynchronous blind code injection and out-of-band attack delivery. James has extensive experience in bug bounty hunting across Mozilla's and Google's heavily secured infrastructure, which earned him 6th place in Google's 0x0A list for 2012/13. Along the way he has produced security research culminating in novel attack techniques, such as abusing the HTTP Host header to poison password reset emails and server-side caches, affecting numerous ubiquitous web frameworks including Django, Drupal, Symfony and Joomla. Other contributions to the field include 'formula injection', tricking websites' CSV export functionality into delivering zero-days in spreadsheet software, and exploiting ill-defined trust boundaries.
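Two of the techniques named above, shown as an added example that is not code from this page or from PortSwigger: a password reset link built from the attacker-controlled Host header beside a hardened version that uses a configured canonical host, and a CSV export cell that passes formulas through beside one that neutralises them. The hostnames, token, allowlist and cell values are constructed sample data for the demonstration.

```python
"""Host header poisoning of password reset links, and CSV formula injection,
each shown vulnerable and hardened. Added example; all hosts and values are
constructed, not taken from any real deployment."""
from urllib.parse import urlsplit

# --- 1. Host header poisoning of password reset emails ------------------
# An attacker requests a reset for the victim's address but supplies their own
# Host header. If the app builds the absolute URL from Host, the email sent to
# the victim points at the attacker's server, which then receives the token.

def build_reset_link_vulnerable(request_headers: dict, token: str) -> str:
    """Builds the link from whatever Host the client sent (the bug)."""
    host = request_headers.get("Host", "")
    return f"https://{host}/reset?token={token}"

# Assumed configuration: the hosts this app is legitimately served on.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "www.example.com"

def build_reset_link_hardened(request_headers: dict, token: str) -> str:
    """Rejects unknown Host values and never uses Host for the emailed URL."""
    host = request_headers.get("Host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"rejected Host header: {host!r}")
    return f"https://{CANONICAL_HOST}/reset?token={token}"

def hardened_rejects(request_headers: dict, token: str) -> bool:
    """True if the hardened builder refuses the request (used by the test)."""
    try:
        build_reset_link_hardened(request_headers, token)
    except ValueError:
        return True
    return False

def reset_link_leaks_token(link: str, trusted_hosts=ALLOWED_HOSTS) -> bool:
    """True if clicking the link would deliver the token to an untrusted host."""
    return urlsplit(link).hostname not in trusted_hosts

# --- 2. Formula injection via CSV export --------------------------------
# Spreadsheet software treats a cell starting with =, +, -, @ (and some control
# characters) as a formula. A user-supplied value written verbatim into an
# exported CSV therefore executes in the analyst's spreadsheet.

def csv_cell_vulnerable(value: str) -> str:
    """Writes the user-supplied value unchanged (the bug)."""
    return value

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def csv_cell_hardened(value: str) -> str:
    """Prefixes formula triggers with a single quote so the cell is text,
    then quotes the field per RFC 4180 so the value cannot break out of it."""
    if value.startswith(FORMULA_TRIGGERS):
        value = "'" + value
    if any(c in value for c in ',"\n\r'):
        value = '"' + value.replace('"', '""') + '"'
    return value

if __name__ == "__main__":
    evil = {"Host": "evil.example"}          # constructed attacker request
    print(build_reset_link_vulnerable(evil, "t0k"))
    print(hardened_rejects(evil, "t0k"))
    print(csv_cell_vulnerable('=HYPERLINK("http://evil.example","open me")'))
    print(csv_cell_hardened('=HYPERLINK("http://evil.example","open me")'))
```

The hardened reset link deliberately ignores Host even after the allowlist check: the allowlist stops the attack, but taking the emailed origin from configuration rather than from the request removes the dependency on that check being present on every code path. The single-quote prefix in the CSV case alters the exported value slightly, which is the accepted trade-off for preventing the spreadsheet from evaluating it.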

Appearing at:

Server-Side Template Injection: RCE for the Modern Web App