I know that for sure. However, even when a Content-Length header is present, inconsistencies in the Content-Type header can still create problems. Some WAFs, such as F5 BIG-IP, may treat such requests as protocol non-compliant and refuse to forward them to the upstream application.
The concern is that with this type of “chaotic” request, forwarding it can introduce security risks regardless of whether the WAF chooses the first or the second interpretation.
For example, if the WAF parses and validates the request as application/x-www-form-urlencoded while the upstream application interprets it as application/json, discrepancies in request processing may arise, potentially leading to security issues. The reverse scenario is equally problematic.
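As an added illustration of the Content-Type inconsistency discussed in this thread (not code posted by anyone here), the following Python snippet reports the compliance problems a strict front end would reject a request for and parses the same body once per declared Content-Type, so the two readings can be compared side by side; the sample request, the set of body-bearing methods and the specific checks are assumptions for the demonstration.

```python
import json
from urllib.parse import parse_qs

BODY_METHODS = {"POST", "PUT", "PATCH"}  # assumed set of methods that carry a body

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, headers, body); duplicate headers are kept."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, headers, body

def find_violations(raw: bytes) -> list:
    """Compliance problems a strict front end would reject the request for."""
    method, headers, body = parse_request(raw)
    problems = []
    ctypes = [v for n, v in headers if n == "content-type"]
    if len(ctypes) > 1:
        # Two Content-Type headers: the WAF and the upstream may each honour a different one.
        problems.append("duplicate Content-Type: " + " | ".join(ctypes))
    names = {n for n, _ in headers}
    if method in BODY_METHODS and not names & {"content-length", "transfer-encoding"}:
        problems.append("body-bearing request without Content-Length")
    for n, v in headers:
        if n == "content-length" and int(v) != len(body):
            problems.append(f"Content-Length {v} does not match body size {len(body)}")
    return problems

def interpretations(raw: bytes) -> dict:
    """Parse the body once per declared Content-Type to expose how the readings diverge."""
    _, headers, body = parse_request(raw)
    out = {}
    for media in (v.split(";")[0].strip().lower() for n, v in headers if n == "content-type"):
        try:
            if media == "application/json":
                out[media] = json.loads(body)
            elif media == "application/x-www-form-urlencoded":
                out[media] = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        except ValueError:
            out[media] = "parse error"
    return out

# Constructed sample request: two Content-Type headers over a JSON-looking body.
SAMPLE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Type: application/json\r\nContent-Length: 8\r\n\r\n"
          b'{"a": 1}')
```

Running `find_violations(SAMPLE)` flags the duplicate header, while `interpretations(SAMPLE)` shows the JSON reading yielding a dict and the form-urlencoded reading yielding a single key with an empty value.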
@pyn3rd That's correct but it's missing the content length because the focus of the post was the duplicate headers. It's not meant to be used verbatim.
Regarding the ApacheMQ vulnerabilities we reported, one was dismissed as not a security issue because its root cause lies in XStream, which now whitelists only java.lang.String for deserialization.
This post strongly warns you about configuring systems in untrusted environments.
Apache ActiveMQ is having a rough month. Two more CVEs.
⚠️ CVE-2026-42253 - HTTP Response Header Injection via JMS Message Properties
⚠️ CVE-2026-42588 - RCE via Jolokia addNetworkConnector
The Jolokia one is the scary one - default access policy permits exec operations on all ActiveMQ MBeans.
Fix: upgrade to 5.19.7 or 6.2.6.
https://t.co/ZKW1C9Wye2
#CVE-2026-42253 Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties
#CVE-2026-42588 Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector
These two vulnerabilities we reported have been credited.
This kind of abnormal HTTP request is related to protocol compliance with the RFC specifications. For example, Akamai WAF even rejects POST requests that do not include a Content-Length header.
If you have any Log4Shell obfuscated variants for WAF bypass, please let me know — my detection approach can normalize and reconstruct all of them😆
https://t.co/9E1lgA9tuA
Hey bug bounty hunters 👋 Apache log4j is not dead. Before you skip Apache log4j targets in 2026, read this: https://t.co/tJ5lHaoFcv
We documented exactly where, how, and how to report it clean. Drop everything and read:
#BugBounty #Log4Shell #BugBountyTips
Just arrived in Seoul for @typhooncon!
Not only is this my first time attending the conference, but it’s also my first time in Korea. Really loving the vibe already! 🇰🇷