I have not seen any public writeups about cache key injection. The only mentions I’ve found are the two examples from James Kettle in the original article. However, those bugs were in the CDN providers, not in the applications. Googling cache key injection only yields...
Server-side hacking techniques
State of DNS Rebinding in 2023
DNS rebinding is quite a complex and misunderstood topic yet it is a great technique for exploiting SSRFs. Roger Meyer from NCC Group wrote a very comprehensive article about the state of DNS rebinding in 2023 along with some recent vulnerabilities. I’m sure you will...
Ultimate 401 and 403 bypass methods
Klaudia from Vidoc Security wrote a blog post about various ways to bypass 401 or 403 status codes. I didn't know all of them. For example, I didn't know that in Spring Framework < 5.3, if you map your route to /admin, by default it will also be mapped to...
SSRFs caused by SNI proxy misconfigurations
SSRFs are one of my favourite bug classes and I’m always amazed to find out about new attack vectors for them. This week, I’ve learnt about exploiting SNI proxy misconfigurations, from a blogpost by Aleksei Tiurin:...
Preventing XXEs in Java is hard – analysis of 10 classes
You might think that preventing XXEs is easy. "Just disable external entities" would be my recommendation in a pentest report. However, Pieter De Cremer and Vasilii Ermilov from semgrep tested ten different XXE attack vectors on ten different Java classes,...
RCE in Aspera and approaching Rails source code review
Assetnote blogposts were always great because they would not only tell you what the bug was but also how they found it. They got even better now because, apart from telling you what the bug was and how they found it, they now also tell you how you should look for similar...
Fuzzing the Web for Mysterious Bugs by @0xacb
Many modern applications rely heavily on regular expressions for input validation. In addition to validation, our payloads are also often sanitised and normalised. Although it would make sense to use the same process in all parts of a web application, the complex...
Abusing HTTP hop-by-hop request headers
I learnt recently that the Connection header can have other values than close or keep-alive. When you put a header name there, it should mark the header as hop-by-hop which means it shouldn’t be forwarded further by the reverse proxy. You can use it in some more...
A surprising characteristic of a Connection header and scaling 0days
This blogpost is soo good! It’s about cache poisoning on Akamai servers for which hunters eventually got over $50,000. There are two major takeaways for me. The Connection header: take a look at this request. When I first saw it, I thought “WTF does the Connection:...
RFC-induced SSRF
Sometimes, we see an absolute URI in the first request line. I saw this trick being used a few times. For example, when exploiting request smuggling. It then sends the request to your server and not the one from the Host header. I never thought about why it works and...