GitHub is the most popular place to store code, and with the number of features it offers there are likely plenty of bugs waiting to be discovered. Its bug bounty page offers 10K if you can read the flag of flag.private-org.github.io without user interaction, or 5K with user interaction.
The first issue was a CRLF injection: a URL parameter was appended to a cookie value, and because newlines could be injected into that value, the HTTP response headers could be altered. The trick was a NUL-byte encoding so that the integer was still parsed properly.
Using the bug above, XSS was possible on the private page. Although this is impactful, a random nonce value also has to be known.
To bypass the nonce check, the author decided to play with the __Host- cookie prefix. It is a security measure that ensures a cookie cannot be overwritten from other subdomains, and it was applied to the nonce cookie.
Because the author had code execution on the one page, they could set cookies lower down on the subdomain chain. However, this is exactly the attack the __Host- prefix is meant to protect against!
The GitHub private pages server ignores capitalization in cookie names, but the browser does not! So it was possible to overwrite the value of this cookie using a differently capitalized version of its name, which the browser did not treat as prefixed.
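The two server-side weaknesses above (header injection through an unfiltered cookie value, and a case-insensitive lookup of a prefixed cookie name) come down to a few lines of validation. This is an added illustration, not GitHub's code or anything from the writeup; the cookie name `__Host-nonce` and the values are constructed for the example.

```python
import re
from typing import Optional

# Control characters (CR, LF, NUL, ...) must never reach a header line:
# a CR/LF lets a value end the header and start a new one, and a NUL can
# truncate a downstream parser the way the writeup describes.
_CTL = re.compile(r"[\x00-\x1f\x7f]")
# Cookie-name token per RFC 6265 (no separators, no whitespace).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_safe_cookie_value(value: str) -> bool:
    """True only if `value` can be placed verbatim in a Set-Cookie header."""
    return not _CTL.search(value) and not any(c in value for c in ';,"\\ ')


def build_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie line, refusing anything that could inject headers.

    Every cookie is emitted with Secure, Path=/ and no Domain attribute,
    which is what a __Host- prefixed cookie requires for the browser to
    accept it.
    """
    if not _TOKEN.match(name):
        raise ValueError("invalid cookie name")
    if not is_safe_cookie_value(value):
        raise ValueError("control or separator characters in cookie value")
    return f"Set-Cookie: {name}={value}; Secure; HttpOnly; Path=/"


def find_cookie(cookie_header: str, wanted: str) -> Optional[str]:
    """Look up `wanted` in a Cookie request header, matching case-sensitively.

    A case-insensitive comparison would let `__host-nonce` (which the
    browser does not treat as prefixed, so a subdomain page can set it)
    satisfy a lookup for `__Host-nonce`.
    """
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == wanted:  # exact match, no .lower()
            return value
    return None
```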
An additional bug was that caching of pages was keyed solely on the page id. Because of this, the cached response could be poisoned to perform XSS whenever the page was viewed, without the victim ever clicking on a link.
Most of these vulnerabilities were subtle issues that A) people don't check for and B) do not seem relevant. Amazing writeup!