Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Many attack vectors focus on the difference between either the verifier and the user or many different points in the chain interpreting the same data. Recently, HTTP Smuggling and Web Cache Poisoning.

The author of this article was trying to find issues relating to different points interpreting data improperly at different points. They decided to focus on Flask, Bottle and Tornado, which are popular web frameworks.

The author noted that the URL parsing of these libraries were different. After discussing with members of the open source community, they were lead to the standard Python library calls. In particular, urlparse in Python.

The urlparse module treats semicolons as a separator. However, most modern proxies only treat ampersands as separators. Practically, an attacker could separate query parameters using a semicolon (;) where one server would see multiple query parameters while the other would see one less.

For instance, the parameters ?link=http://google.com&utm_content=1;link='>alert(1) HTTP/1.1 would see 3 query parameters: link, utm_content and link. However, modern proxies would only see link and utm_content. Neat! Cache desyncing!

The author created a pull request into CPython. This led to a change in Python 3.9 that the ; (semicolon) is not a separator anymore. The original W3C specification for URLs allowed semicolons as separators. However, more recent recommendations change this to only allow an ampersand as a separator.

Overall, fairly good article but I wish more details were given. Issues between steps like this one are not going away any time soon!