Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Internal/External IP Parsing Bug - 437

Sick Codes, Posted 4 Years Ago
  • A while back, a major library whose entire purpose was determining whether an IP address is internal or external was found to be broken. It turns out that parsing IP addresses is MUCH more complicated than one would think! Besides 127.0.0.1, the same address can also be written as 127.1, 0177.0000.0000.0001, 2130706433 and many other forms that I am missing.
  • This discrepancy was caused by a parsing mistake: octal (base 8) values were treated as decimal (base 10). The first fix accidentally created another vulnerability, parsing hexadecimal (base 16) integers as octal!
  • An additional issue was that parseInt in JavaScript will strip out all whitespace characters. With this parsing behavior, it could have been possible to bypass the filtering in some way.
  • Although improper parsing of IP addresses does not seem like a big deal, it really is. Protections against attacks such as server-side request forgery (SSRF) and local file inclusion (LFI) rely on some library to filter internal endpoints. Being able to circumvent this is a huge deal. I have a feeling we have not seen the end of this bug!
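
The parser disagreement described above, as an added example that is not code from the original article or from the affected library: a decimal-only parser, an inet_aton-style parser and a strict validator run over the encodings listed in the first bullet. All function names are hypothetical and the sample inputs are constructed.

```javascript
// Added example: function names are hypothetical, sample inputs are constructed.
// Decimal-only parser: the mistake described above. parseInt(part, 10) reads
// "0177" as 177 and silently skips leading whitespace.
function naiveParse(ip) {
  return ip.split('.').map((part) => parseInt(part, 10));
}

// inet_aton-style parser: 1-4 parts, each decimal, octal (0 prefix) or hex
// (0x prefix); the last part fills all remaining bytes.
function atonParse(ip) {
  const nums = [];
  for (const p of ip.split('.')) {
    if (/^0x[0-9a-f]+$/i.test(p)) nums.push(parseInt(p, 16));
    else if (/^0[0-7]*$/.test(p)) nums.push(parseInt(p, 8));
    else if (/^[1-9][0-9]*$/.test(p)) nums.push(parseInt(p, 10));
    else return null;
  }
  if (nums.length > 4) return null;
  const last = nums.pop();
  const remaining = 4 - nums.length;
  if (nums.some((n) => n > 255) || last >= 2 ** (8 * remaining)) return null;
  for (let i = remaining - 1; i >= 0; i--) nums.push(Math.floor(last / 2 ** (8 * i)) % 256);
  return nums;
}

// Strict parser for a filter: exactly four decimal octets, no leading zeros,
// no whitespace. Anything else is rejected instead of being guessed at.
function strictParse(ip) {
  const m = /^(0|[1-9]\d{0,2})\.(0|[1-9]\d{0,2})\.(0|[1-9]\d{0,2})\.(0|[1-9]\d{0,2})$/.exec(ip);
  if (!m) return null;
  const bytes = m.slice(1).map(Number);
  return bytes.every((b) => b <= 255) ? bytes : null;
}

const isLoopback = (bytes) => bytes !== null && bytes[0] === 127;

// What each parser concludes about one input string.
function compare(ip) {
  return {
    naive: isLoopback(naiveParse(ip)),
    aton: isLoopback(atonParse(ip)),
    strictAccepts: strictParse(ip) !== null,
  };
}

// Constructed samples: the encodings of 127.0.0.1 listed above.
for (const ip of ['127.0.0.1', '127.1', '0177.0000.0000.0001', '2130706433']) {
  console.log(ip.padEnd(20), JSON.stringify(compare(ip)));
}
```

Any row where `naive` and `aton` disagree is an input that a decimal-only filter would classify differently from the code that later opens the connection; the strict parser avoids the question by refusing every non-canonical form.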