Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Smuggling Through the Front Door... Achieving Global Redirect Poisoning at the Edge - 2039

d3d - Malicious Group - Posted 12 Days Ago
  • This article contains a story about an HTTP smuggling exploit. I enjoy that the article doesn't just say "HTTP smuggling here" but shows how they actually found and then eventually exploited the issue.
  • While testing test.signup.[redacted].org, they saw that it always redirected to https://test.signup.[redacted].org/. After creating a malformed POST request with a Content-Length that had two spaces before the number, they noticed some weirdness. Given this weirdness, they were curious whether they could poison the redirect on the domain with an attacker-controlled one when another GET request followed the malicious one.
  • To test this, they set up a tab group in Burp Suite with the same request three times. The first one was the victim request. The final two contained the malformed POST request. Occasionally, the victim GET request would be poisoned by the POST requests when Send group was used. To test this further, they used a remote VPS and poisoned it simultaneously to demonstrate the impact.
  • While testing, if they smuggled in a redirect to a request NOT owned by Azure Front Door, then a Page Not Found error was returned. This meant that the smuggled value was being handled by Azure's routing layer. So, they created their own Front Door application to route to that instead. With this, phishing would be very smooth to do. They were awarded $10K for the bug.