From now until Christmas, I will try to share something from my notes / research every day - most of them are old but might still be useful to remember #XMas2020 #AppSec #Web #HTTP
"max-forwards" http header:
- limit the number of proxies a request can traverse.
- not hop-by-hop
- can't go in the Trailer header
Some usage examples:
old: https://securiteam.com/securityreviews/5yp0l1fhfc/
old: counting servers (proxies) in the middle
new: https://portswigger.net/research/cracking-the-lens-targeting-https-hidden-attack-surface
In something like JS,
/*/ comment /*/
is the same as
/* comment */
which makes sense, right? But MSSQL (where block comments nest) sees it as
/* comment /*...
More interestingly, if you want to close it, you need two */
This is important when injections go into multiple places and a newline is involved!
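Added example, not part of the original thread: a tiny block-comment stripper that runs in either non-nesting (JS/C style) or nesting (T-SQL style) mode, to show why a filter or WAF that assumes the first */ ends the comment misjudges what MSSQL actually executes. The function names and the sample inputs are constructed for this illustration.

```python
from __future__ import annotations


def strip_block_comments(src: str, nesting: bool) -> tuple[str, int]:
    """Return (text outside comments, comment depth still open at end of input).

    nesting=False: a comment ends at the first '*/' (JS, C, most languages).
    nesting=True : '/*' inside a comment opens another level and each level
                   needs its own '*/' (how T-SQL / MSSQL treats block comments).
    """
    out: list[str] = []
    depth = 0
    i = 0
    while i < len(src):
        two = src[i:i + 2]
        if two == "/*" and (depth == 0 or nesting):
            depth += 1          # open a (possibly nested) comment
            i += 2
        elif two == "*/" and depth > 0:
            depth -= 1          # close one level
            i += 2
        elif depth == 0:
            out.append(src[i])  # ordinary text outside any comment
            i += 1
        else:
            i += 1              # inside a comment: swallow the character
    return "".join(out), depth


def differential(src: str) -> dict:
    """What a non-nesting filter sees vs. what MSSQL sees, side by side."""
    filter_text, filter_open = strip_block_comments(src, nesting=False)
    mssql_text, mssql_open = strip_block_comments(src, nesting=True)
    return {
        "filter_view": filter_text, "filter_unclosed": filter_open,
        "mssql_view": mssql_text, "mssql_unclosed": mssql_open,
        "views_differ": filter_text != mssql_text,
    }


if __name__ == "__main__":
    # Constructed samples: the thread's '/*/ comment /*/' and a two-statement variant.
    for sample in ("/*/ comment /*/", "SELECT 1 /*/ x /*/ */ */ SELECT 2"):
        print(repr(sample), "->", differential(sample))
```

The second sample is the one to watch: the non-nesting view still contains two stray */ tokens, while MSSQL sees a clean "SELECT 1  SELECT 2".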
App blocks %0D%0A? Then try %0A or %0D or %u2028 or %2029 (using the correct encoding).
But also remember to try things like the following, especially if you are dealing with Java:
%C0%8D%C0%8A
%c4%8a
%EA%A8%8A
Find why & more using https://r12a.github.io/app-conversion/ and https://www.compart.com/en/unicode/search?q=separator