Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
First off, just an amazingly descriptive report with great diagrams and explanations. This is what a report should look like.
HTTP request smuggling happens when two servers disagree on how to interpret the same request. One server would use the Content-Length header while the other may use the Transfer-Encoding header. Because the two servers interpret the request differently, requests can potentially be altered!
Even though the bug is everywhere, it is currently not a trivial bug to exploit. This report is an awesome example of how to exploit it, though.
The exploitation is done by forcing a redirect (because a GET request is made) to the backend server. This redirect can then be poisoned with the attacker's choice of URL. Because these requests are redirected (with the cookies), the cookies can be stolen. Hence, this leads to an account takeover vulnerability.