🚨 CALL 4 PAPERS — Bug Bounty Village @ H2HC 2025 🚨
Hunted down an insane bug? Have a real case or a new technique? This is your stage!
Submit your proposal through the form:
https://t.co/vtbDfTBXiR
#H2HC #BugBountyVillage #Call4Papers #HackerCulture
🚨 CFP open — Bug Bounty Village @ H2HC 2025 🚨
Found an insane bug or a creative bypass, or have a real pentest/bug bounty case?
Send in your talk!
👉 https://t.co/qiinfEVgtH
#H2HC #BugBounty #Call4Papers #HackerCulture
Hackers,
To make our pricing fairer worldwide, we’re trying out localized pricing.
We’re starting with Brazil 🇧🇷, with Individual plan prices dropping by about 50%.
💸 Monthly: ~110 BRL → 55 BRL
💸 Yearly: ~1,100 BRL → 550 BRL
Which country should we do next?
https://t.co/DMyhYUX9yb
New Android host validation bypass technique!
[1/4] All parsed URIs in Android are android.net.Uri.StringUri objects. However, the scheme parser only looks for the ":" delimiter
How to find viable targets for client-side desync attacks:
1️⃣ Open Burp Suite and intercept requests.
2️⃣ Choose an endpoint that wouldn't usually expect a POST request (e.g. GET) and send it to Repeater.
3️⃣ Go to Inspector > Request Attributes > Protocol field > Upgrade to HTTP/2.
4️⃣ Send the Modified Request and look for this error message:
"Server ALPN does not advertise HTTP/2 support"...
5️⃣ Enable ALPN Override in request settings and send again.
If you see "Stream failed to close correctly" then you've confirmed that the server does not support HTTP/2 and is a valid target for desync testing!
Want to learn more about desync attacks? On August 6, at Black Hat USA, James Kettle from PortSwigger Research will reveal new classes of desync attack that enabled him to compromise multiple CDNs and kick off the desync endgame! 😲
Stay up to date here: https://t.co/kr6SR4JOw3
If the origin server treats a delimiter, but the cache doesn’t, and the cache normalizes paths before applying static directory rules, you can leverage path traversal!
Take this payload:
/myAccount$/..%2Fstatic/any
- The cache sees: /static/any
- The origin sees: /myAccount
The response for /myAccount is cached under /static/any and anyone that visits that static URL gets leaked data.
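
The discrepancy described in the post above, modelled as an added example (not code from the original post or from any cache or server product) so it can be checked against request logs. Assumptions: the cache percent-decodes and resolves dot-segments before matching a `/static/` rule, the origin truncates the path at `$`, and the sample paths are constructed.

```python
import posixpath
from urllib.parse import unquote

STATIC_PREFIXES = ("/static/",)  # assumed cache rule: store anything under /static/
ORIGIN_DELIMITERS = "$"          # assumed: origin cuts the path at "$", as in the post

def cache_view(path: str) -> str:
    """Cache side: percent-decode, then resolve dot-segments; '$' is an ordinary character."""
    decoded = unquote(path)
    normalized = posixpath.normpath(decoded)
    # normpath drops a trailing slash; restore it so prefix rules still match
    if decoded.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized

def origin_view(path: str) -> str:
    """Origin side: truncate at the first delimiter before routing; %2F is left encoded."""
    for delimiter in ORIGIN_DELIMITERS:
        path = path.split(delimiter, 1)[0]
    return path

def is_deceptive(path: str) -> bool:
    """True when the cache would store the response as static but the origin routes elsewhere."""
    cached_as = cache_view(path)
    routed_to = origin_view(path)
    return cached_as.startswith(STATIC_PREFIXES) and not routed_to.startswith(STATIC_PREFIXES)

def flag_requests(paths):
    """Return (raw path, cache key, origin route) for every request showing the discrepancy."""
    return [(p, cache_view(p), origin_view(p)) for p in paths if is_deceptive(p)]

# Constructed sample of request paths, as they might appear in an access log.
SAMPLE_PATHS = [
    "/static/app.js",               # ordinary static asset
    "/myAccount",                   # ordinary dynamic page
    "/myAccount$/..%2Fstatic/any",  # payload quoted in the post
    "/static/a$b.css",              # delimiter present, both sides still agree on /static/
    "/static/../myAccount",         # traversal out of /static/: cache does not store it
]

if __name__ == "__main__":
    for raw, key, route in flag_requests(SAMPLE_PATHS):
        print(f"{raw!r}: cache key {key!r}, origin route {route!r}")
```

Flagged requests are the ones to review in logs; on the server side, marking dynamic responses `Cache-Control: no-store` keeps them out of the cache even when the two parsers disagree.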