Conflicting HTTP headers can confuse servers and expose serious flaws.
Here's how HTTP request smuggling vulnerabilities arise 👇
1️⃣ Dual HTTP headers conflict
HTTP/1 allows both Content-Length and Transfer-Encoding. If both headers are present, spec says to ignore Content-Length. But in systems with multiple servers, one might process it anyway, creating ambiguity. This is the root of many request smuggling attacks.
2️⃣ Chunked encoding fundamentals
Chunked encoding splits the message body into size-labeled chunks. Each chunk starts with its size in hexadecimal, then its content. A chunk size of 0 marks the end. This technique is rarely used in requests but often appears in server responses.
3️⃣ Obfuscated headers create parsing mismatches
Not all servers handle Transfer-Encoding, especially if it’s obfuscated. Even compliant servers may misinterpret altered headers like Transfer-Encoding: chunked. This leads to mismatched parsing between front-end and back-end.
4️⃣ Downgrading from HTTP/2 reintroduces risk
HTTP/2 eliminates smuggling by using a unified message length mechanism. But many systems convert HTTP/2 requests to HTTP/1 before reaching the back-end. This downgrade can reintroduce dual-header ambiguity and request smuggling risks.
5️⃣ Exploitation path: how smuggling works
An attacker crafts a request with both headers. The front-end sees a short request, the back-end sees more. This smuggled request bypasses filtering and executes as valid. It’s a powerful method to bypass defenses.
Ready to try this out for yourself? Start here: https://t.co/zGg7iOMsd0
💥New Ep 158: "MalwareTech"💥
👀 He finally tells all.
You're not going to believe it. I've been waiting for this one for a long time. I'm so happy it's finally here.
https://t.co/NcHSd8dFBh
Have had an unhealthy, borderline autistic obsession with looking for SQL injections lately. November being another case in point with nearly $30k worth of them across a few targets.
Something about them just call to me.
Wish I had some sick tip to share for them but there was nothing fancy about them, just maniacal use of ffuf, shortscan (for IIS servers), paraminer and manual poking around.
What I can say is when you are using ffuf be sure to -mc all and just let her rip raw like that (don't use -ac it's a noob trap). You will get a ton of false bs results at first, but then you start filtering with -fs to get rid of them and you'll probably start seeing interesting shit pretty quickly.
Fuzz for extensions intelligently, based on the web server (don't search for aspx on apache or php on IIS etc). I use ffuf for this too (/directory/FUZZ.aspx). Try to think like a dev and try stuff like /directory/testFUZZ or FUZZtest etc to find the really weird stuff.
Don't use some absurd wordlist full of garbage like 99% of them are. Use something simple like samlists directories or some of the assetnote one's. I also throw in target specific keywords or directories into my wordlists as well.
Cool I think I'm done ADHD brain-dumping on this post now bye.
#bugbounty
who wants to do @tryhackme's advent of cyber? i've so enjoyed it the past few years, would be fun to put together a group to do it. https://t.co/Ak2YdlNlf9
i've seen a lot of people affected by the bad job market at the moment, especially in cyber. is your company hiring? looking for talent? post links here, let's start a job hunter megathread and get some people into awesome roles!
When bug bounty hunting, assume you are blocked by a WAF.
What are the common ways you can evade WAF and continue hunting?
Curious to know?
Checkout this thread 👇🧵