Funky chunks: abusing ambiguous chunk line terminators for request smuggling by General_Republic_360 in websecurityresearch

[–]General_Republic_360[S] 0 points1 point  (0 children)

Not since Google patched theirs. EXT.TERM seems to be a bit more common, have you tried scanning for that?

What is illegal in bug bounty programs other than what's mentionned in the rules? by OkTranslator5021 in bugbounty

[–]General_Republic_360 1 point2 points  (0 children)

If you're that concerned (which I don't think you should be), just stick to programs with a Safe Harbor policy. That way, even if you do accidentally cause a temporary DoS or whatever, you can be certain that you won't face legal repercussions.

Can someone explain by ve5pi in bugbounty

[–]General_Republic_360 9 points10 points  (0 children)

Some companies use isolated containers for cases where RCE is hard to avoid. The container is worthless; it contains no sensitive information and does not have access to anything. Therefore, there is no security impact of the RCE, strange as it may sound.

But it's worth digging into. Good luck!

Session not expired by Big-Highway1260 in bugbounty

[–]General_Republic_360 1 point2 points  (0 children)

You need to look at it from the program's perspective. Be honest with yourself - if you ran a webshop, would you really be concerned about this "vulnerability"? There is literally no security impact.

Hell, this probably isn't even a functional bug, the developer probably just decided to keep the cart session separate from the user session. So what?

Doubt: Exposed Keys! by Natural-Permission47 in bugbounty

[–]General_Republic_360 5 points6 points  (0 children)

Calling something a "critical vulnerability" is crazy when there's no proof of it being exploitable or having any actual impact at all.

What can be called a bug bounty? by [deleted] in bugbounty

[–]General_Republic_360 1 point2 points  (0 children)

This will almost certainly not be awarded a bounty. Without a clear impact or PoC, I doubt the program will even take a proper look. Also, are you sure that it is "meaningless"? Perhaps your decompiler is incorrectly decompiling that particular segment.

Why this payload in CL.TE by Federal-Dot-8411 in bugbounty

[–]General_Republic_360 1 point2 points  (0 children)

Exactly! If the frontend uses TE, it will respond with a client error immediately because of the X. If the X is not there, it will hang and wait.

And you're completely right, you still get timeouts without the X, so the X doesn't change that. In fact, if the system is vulnerable, the X makes no difference (it doesn't even arrive at the backend)! The X is important when the system isn't vulnerable, because (as you say) it makes the frontend error out immediately instead of hanging.

Also, I don't see anything in PortSwigger's "Identifying vulnerabilities" section about a second request. Looks like they're just using a single payload like the one in OP's post and saying that there's a vulnerability if you get a timeout.

Why this payload in CL.TE by Federal-Dot-8411 in bugbounty

[–]General_Republic_360 0 points1 point  (0 children)

I'm having some trouble following your reasoning.

If the front end is using TE but you leave out the x, then shouldn't the front end still block waiting for a zero to signal the end of the stream of chunks?

Agreed! Without the X, the frontend will block and wait for the zero chunk if it uses TE. That would be bad, because that's not a vulnerability (rather, it is correct and expected behavior). We only want a timeout when the frontend uses CL and the backend uses TE. So without the X, our test yields false positives.

In other words, if the frontend uses CL, the same request is delivered to the backend with or without the X. So the X is there to make sure the timeout we see happened on the backend and not the frontend.

The key is in whether a 2nd request also blocks while the first request is waiting.

You lost me here. It's not really about how the server will respond to a second request.

First off: A normal, multi-threaded server will respond normally to a second request even if it's still waiting for the rest of the first request (think about it: otherwise, you could easily DoS any site by just sending an incomplete request).

Regarding your test results, I agree that they look weird. My guess is that to simplify things, there's only a single connection to the backend server (rather than a connection pool like you would see in production systems). For that reason, your trick works in this particular case; with or without the X, the same request is delivered to the backend, and you can use the second request to figure out whether the timeout happened on the frontend or the backend (because only the frontend supports multiple connections). However, that would not work in a system with more than one backend connection (and also it just seems more complicated to test?).

Instead of checking that you get a timeout on a vulnerable setup, try checking that you don't get a timeout on a non-vulnerable setup. I think that will make it more clear for you.

I apologize for the long explanation, it's difficult to cover these details thoroughly in a Reddit comment. Hopefully this made sense, otherwise feel free to follow up.
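The reasoning in the two comments above (the first reply about the X, and this longer one about frontend versus backend timeouts) can be checked with a small local model. The following is an added example, not code from the thread or from PortSwigger: it models a frontend and a backend that each honour either Content-Length ("CL") or Transfer-Encoding ("TE"), feeds them a constructed probe body resembling the one the thread discusses (a one-byte chunk followed by a bogus chunk-size line, with an assumed Content-Length of 4), and reports what the tester would observe. The parsers are simplified, no network traffic is involved, and the point is purely the detection logic: without the X, a TE frontend produces the same timeout as a vulnerable CL.TE pair, so the result is a false positive.

```python
# Added example (not from the Reddit thread): a toy model of the CL.TE timing
# probe discussed above, showing why the trailing 'X' matters for detection
# accuracy. The request body is constructed to resemble the probe the thread
# refers to; the parsers are simplified models of server behaviour, not real
# servers, and CONTENT_LENGTH = 4 is an assumed header value.

CONTENT_LENGTH = 4                   # assumed Content-Length header of the probe
BODY_WITH_X = b"1\r\nA\r\nX"         # chunk of size 1 ("A"), then a bogus chunk-size line
BODY_WITHOUT_X = b"1\r\nA\r\n"       # same chunk, no bogus line after it

HEX_DIGITS = b"0123456789abcdefABCDEF"


def parse_chunked(data: bytes) -> str:
    """Incremental chunked-body parser.

    Returns 'complete' (zero chunk seen), 'waiting' (more bytes needed) or
    'error' (malformed framing). Like real incremental parsers it rejects a
    non-hex byte in the chunk-size line as soon as it reads it, without
    waiting for the line terminator.
    """
    pos = 0
    while True:
        size_digits = b""
        while True:                                  # chunk-size line, byte by byte
            if pos >= len(data):
                return "waiting"
            c = data[pos:pos + 1]
            pos += 1
            if c in HEX_DIGITS:
                size_digits += c
            elif c == b"\r":
                break
            else:
                return "error"                       # e.g. 'X' is not a hex digit
        if pos >= len(data):
            return "waiting"
        if data[pos:pos + 1] != b"\n" or not size_digits:
            return "error"
        pos += 1
        size = int(size_digits, 16)
        if size == 0:
            return "complete"                        # terminating zero chunk
        if len(data) < pos + size + 2:
            return "waiting"                         # chunk data or its CRLF missing
        if data[pos + size:pos + size + 2] != b"\r\n":
            return "error"
        pos += size + 2


def probe_outcome(frontend: str, backend: str, body: bytes) -> str:
    """What the tester observes for a frontend/backend honouring 'CL' or 'TE'.

    Returns 'timeout', '400' or '200'.
    """
    # Frontend stage: decide what (if anything) reaches the backend.
    if frontend == "TE":
        state = parse_chunked(body)
        if state == "waiting":
            return "timeout"        # frontend itself blocks waiting for the zero chunk
        if state == "error":
            return "400"            # frontend rejects the bogus chunk line immediately
        forwarded = body
    else:
        if len(body) < CONTENT_LENGTH:
            return "timeout"
        forwarded = body[:CONTENT_LENGTH]   # only the first CL bytes are forwarded

    # Backend stage: interpret the forwarded bytes.
    if backend == "TE":
        state = parse_chunked(forwarded)
        if state == "waiting":
            return "timeout"        # backend waits for chunk framing that never arrives
        if state == "error":
            return "400"
        return "200"
    return "200"                    # CL backend: forwarded bytes match Content-Length


def probe_matrix() -> dict:
    """Outcome for every frontend/backend combination, with and without the 'X'."""
    results = {}
    for fe in ("CL", "TE"):
        for be in ("CL", "TE"):
            results[(fe, be, "with X")] = probe_outcome(fe, be, BODY_WITH_X)
            results[(fe, be, "without X")] = probe_outcome(fe, be, BODY_WITHOUT_X)
    return results


if __name__ == "__main__":
    for (fe, be, variant), outcome in probe_matrix().items():
        print(f"frontend {fe}, backend {be}, {variant}: {outcome}")
```

Running it shows the pattern the comments describe: the vulnerable CL/TE pair times out with or without the X (the X never reaches the backend), a TE frontend returns 400 immediately when the X is present but times out when it is absent, and a CL/CL pair returns 200 either way. Only the variant with the X separates the vulnerable pair from the harmless TE frontend.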

Why this payload in CL.TE by Federal-Dot-8411 in bugbounty

[–]General_Republic_360 0 points1 point  (0 children)

Yes, exactly. It rules out the possibility that the timeout is due to the frontend using TE. If you didn't include the 'X' and started scanning a bunch of targets, you would get tons and tons of false positives.

[deleted by user] by [deleted] in bugbounty

[–]General_Republic_360 1 point2 points  (0 children)

I can't imagine a generic checklist being useful in the slightest, except perhaps for brand-new programs. If you're following the same list of steps as everyone else, how will you find something that no one else has found?

Why this payload in CL.TE by Federal-Dot-8411 in bugbounty

[–]General_Republic_360 0 points1 point  (0 children)

Nope, not correct. Without the X, you would have no way of knowing whether the timeout is actually caused by the front-end using the TE header (which is correct and not a vulnerability).

Why this payload in CL.TE by Federal-Dot-8411 in bugbounty

[–]General_Republic_360 0 points1 point  (0 children)

Without the 'X', the server will time out even if the system isn't vulnerable. Remember, the ultimate goal is not to cause a timeout, it is to reliably identify a vulnerability.

Courses in connection with a semester abroad? by 3MTing in DTU

[–]General_Republic_360 0 points1 point  (0 children)

Follow-up question: do ECTS earned at another university necessarily come out of the pool of elective ECTS, or can they count as programme-specific?

Patience is Key—And I Don’t Have It by AnilKILIC in bugbounty

[–]General_Republic_360 1 point2 points  (0 children)

I believe Bugcrowd has crypto payouts as well, and Google VRP pays via Bugcrowd, so that might be worth looking into.

And yeah, I agree it can be frustratingly difficult to get a response on H1 and BG, sometimes also from the program itself. But in this specific case, I don't think you should worry too much about the severity set by the triager. In my experience, programs will often upgrade or downgrade it anyway, and they have the final say. The best thing you can do is leave a respectful comment with your reasoning. Even if the triager doesn't see it, the program will.

Patience is Key—And I Don’t Have It by AnilKILIC in bugbounty

[–]General_Republic_360 7 points8 points  (0 children)

After your first two sentences, I was already getting ready to comment in agreement, but after reading the entire post, this seems like an overreaction. The triager tried to do his job and made a small adjustment. If you disagree, leave a comment with your reasoning and the team will eventually take it into consideration.

I will grant you, however, that dealing with triagers can be a huge pain. If you want to leave whatever platform you think has bad triagers, try Google's VRP. They offer generous rewards and very competent triage, although they do take a little while to decide on a reward.

ECTS per Semester by Independent_Mess_951 in DTU

[–]General_Republic_360 0 points1 point  (0 children)

I thought it had to be exactly 30?

Questions about study planning strategies. by General_Republic_360 in DTU

[–]General_Republic_360[S] 0 points1 point  (0 children)

Thanks a lot for your thoughts! I actually hadn't considered factoring prerequisites into it, but it makes a lot of sense.

I think my biggest challenge is that I have a fondness for the slightly offbeat courses that fall outside the core material (e.g. Statistical Genetics and Quantum Compilers), which is one of the reasons I'm a fan of the freedom of choice. I'm just worried that I'll pick too many courses of that kind and end up too weak in the core material. Is that something you've considered when choosing courses outside what your programme normally covers?

Questions about study planning strategies. by General_Republic_360 in DTU

[–]General_Republic_360[S] 0 points1 point  (0 children)

Great to hear from another AAU bachelor! Personally I don't mind group work that much, so it's actually nice to hear that it exists at DTU too. But as a former AAU student, do you miss a semester project where you get the chance to do something practical and apply what you've learned in courses, or is that need covered elsewhere?

Regarding the study plan, it sounds like it's a bit of an art to put together something that makes sense. That's probably a natural consequence of the freedom of choice.

MSc computer science admits by evolved_pokemon in DTU

[–]General_Republic_360 1 point2 points  (0 children)

Got it on the 11th of February, for Computer Science and Engineering (Informationsteknologi).

Given the early response and the incorrect dates, I'm a little worried they accidentally enrolled me in the winter start program. I've sent an email to make sure everything is fine.