Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Smuggling Through the Front Door... Achieving 0-Click XSS with Cache Poisoning - 2040

d3d - Malicious Group (posted 12 days ago)
  • When a 400 Bad Request page was triggered, the Host header value was reflected into the HTML. With a malicious Host, this would be XSS, but on its own it isn't exploitable because it relies on things a browser cannot do. The researchers had previously reported an HTTP request smuggling issue involving a Content-Length header that contained two spaces, and they went down a similar path in this report.
  • This time they used a Content_Length: 81 header; note the underscore in the header name. It sometimes worked with a regular Content-Length header as well. Again, this caused a desync between two parsers. By setting <IMG SRC=# onmouseover="alert(document.domain)"> as the Host header, the XSS fired on the smuggled request.
  • This XSS is zero-click because it poisoned responses for other users at will. To make matters worse, the target was a hosting platform, not just a single website. As with the previous bug, they were awarded $10K.
  • "The important lesson for researchers is similar: when you find a desync primitive, test more than one sink." I found the article interesting because of the non-traditional exploit route they found. Additionally, they pushed through the first patch, and the resulting exploit was even worse. Great read!
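A defender-side check for the two primitives described above (header-name ambiguity such as Content_Length or doubled spaces in Content-Length, and an unescaped Host in the 400 page), written as an added example; it is not code from the d3d report or from this page, and the strict "no underscores in header names" policy and the sample request heads are assumptions.

```python
"""Front-end hardening checks for the desync + reflected-Host pattern (added example)."""
import html
import re

# RFC 9110 tchar characters, deliberately minus '_' (policy choice, not the RFC):
# some back ends fold '_' to '-', so Content_Length may be parsed as Content-Length.
TOKEN = re.compile(r"^[!#$%&'*+.^`|~0-9A-Za-z-]+$")

def audit_headers(raw_head: bytes) -> list[str]:
    """Return reasons a front end should reject this header block outright.

    Each finding is an ambiguity that two parsers may resolve differently:
    underscores or whitespace in names, an oddly formatted Content-Length,
    or conflicting body-length framing.
    """
    findings = []
    lines = raw_head.decode("latin-1").split("\r\n")
    seen = {}
    for line in lines[1:]:          # lines[0] is the request line
        if not line:
            break                    # blank line ends the header block
        if ":" not in line:
            findings.append(f"malformed header line: {line!r}")
            continue
        name, value = line.split(":", 1)
        if "_" in name:
            findings.append(f"underscore in header name: {name!r}")
        elif not TOKEN.match(name):
            findings.append(f"illegal header name: {name!r}")
        key = name.strip().lower().replace("_", "-")   # how a lenient parser would see it
        seen.setdefault(key, []).append(value)
        # exactly one optional space, then digits; "  81" (two spaces) is flagged
        if key == "content-length" and not re.fullmatch(r" ?\d+", value):
            findings.append(f"malformed Content-Length value: {value!r}")
    if len({v.strip() for v in seen.get("content-length", [])}) > 1:
        findings.append("conflicting Content-Length values")
    if "content-length" in seen and "transfer-encoding" in seen:
        findings.append("both Content-Length and Transfer-Encoding present")
    return findings

def render_400(host: str) -> str:
    """Error page that escapes Host, so a reflected header value cannot become markup."""
    return f"<html><body><h1>400 Bad Request</h1><p>Unknown host: {html.escape(host)}</p></body></html>"

# Constructed sample request heads (assumptions, not captures from the report).
CLEAN_HEAD = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
UNDERSCORE_HEAD = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent_Length: 81\r\n\r\n"
DOUBLE_SPACE_HEAD = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length:  5\r\n\r\n"
```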