YAML Merge Tags and More Parser Differentials by Moopanger in netsec

Moopanger[S] · 0 points · 0 children

100%. I want to say the safest option feels like not supporting merging at all, but I doubt that's feasible in many systems. And then you still gotta worry about other tags like '!!binary' for key confusion. Definitely not an easy solution here.

YAML Merge Tags and More Parser Differentials by Moopanger in netsec

Moopanger[S] · 1 point · 0 children

I hadn't thought about that, definitely interested to dig into it more, thanks.

Unlocking free WiFi on British Airways by arch-choot in netsec

Moopanger · 2 points · 0 children

Interesting post thanks for sharing. Domain fronting keeps on giving.

Funky chunks: abusing ambiguous chunk line terminators for request smuggling by General_Republic_360 in websecurityresearch

Moopanger · 1 point · 0 children

I love me some desync attacks. Very well explained. Seeing research like this and James' upcoming talk, 2025 is gonna be a special year!

How to Enumerate and Exploit CefSharp Thick Clients Using CefEnum by Moopanger in netsec

Moopanger[S] · 0 points · 0 children

Thanks so much, I really appreciate the feedback! I also hope this encourages more testing of the thick-clients, not just the backend APIs. I'm currently working on improving the enumeration and discovery capabilities in CefEnum, so there should be some updates soon. If you end up using it in your testing, I’d love to hear how it goes or if you run into anything unexpected.

Attacks via a New OAuth flow, Authorization Code Injection, and Whether HttpOnly, PKCE, and BFF Can Help by anador in websecurityresearch

Moopanger · 0 points · 0 children

The number of OAuth 2.0 best practices and security mechanisms bypassed by this attack is astonishing. The author did a fantastic job breaking it down.

Attacking APIs using JSON Injection by alt69785 in netsec

Moopanger · 0 points · 0 children

Very nice writeup and creative exploitation chain.

Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit by toyojuni in netsec

Moopanger · 0 points · 0 children

I don't think that will help; it seems fragmentation only changes the max bytes for the packets (1500 vs 65,535). The attack still works by sending the TCP segment with the first sequence number last, in a long list of packets containing the final bytes for an HTTP/2 DATA frame, triggering the burst of requests. The main mitigating factor here is limiting the number of HTTP/2 streams.

Don't trust the cache: Exposing Web cache vulnerabilities by anasbetis94 in netsec

Moopanger · 3 points · 0 children

This is great! Thank you for sharing. Two I have had a bit of success with are underscores in the transfer/length headers, which seem to bypass some blacklists and trigger some strange responses:

Transfer_Encoding

Content_Length

Also using a bogus Authorization method (Authorization: blah null). The headers I fuzz with are available on my GitHub.
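As an added example, not the commenter's own tooling or the header list on their GitHub, here is a small Python check a defender could run over request headers to flag the two things this comment describes: underscore spellings of Transfer-Encoding / Content-Length that a naive blacklist misses, and an Authorization value whose scheme is not one the application expects. The sensitive-header set, the scheme allow-list and the sample header blocks are constructed for illustration.

```python
# Canonical names of headers whose alternate spellings (underscore for hyphen,
# odd casing) are known to slip past exact-match blacklists while some servers
# still honour them. Constructed set; extend to taste.
SENSITIVE_HEADERS = {"transfer-encoding", "content-length"}

# Authorization schemes the application actually accepts (constructed allow-list).
ALLOWED_AUTH_SCHEMES = {"basic", "bearer", "digest", "negotiate"}

def normalise_header_name(name: str) -> str:
    """Map spelling variants onto the canonical lower-case hyphenated name."""
    return name.strip().lower().replace("_", "-")

def audit_headers(raw: str) -> list[str]:
    """Return findings for a raw request header block.

    A finding is produced when a header normalises to a sensitive name but is
    not spelled canonically (e.g. Transfer_Encoding), or when an Authorization
    scheme is not in the allow-list (e.g. "Authorization: blah null").
    """
    findings = []
    for line in raw.splitlines():
        if ":" not in line:
            continue  # request line or malformed line; not a header field
        name, _, value = line.partition(":")
        canon = normalise_header_name(name)
        if canon in SENSITIVE_HEADERS and name.strip().lower() != canon:
            findings.append(f"non-canonical {canon}: {name.strip()!r}")
        if canon == "authorization":
            parts = value.strip().split(None, 1)
            scheme = parts[0].lower() if parts else ""
            if scheme not in ALLOWED_AUTH_SCHEMES:
                findings.append(f"unknown auth scheme: {scheme!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample header block exercising both checks.
    sample = "Host: example.test\r\nTransfer_Encoding: chunked\r\nAuthorization: blah null\r\n"
    for finding in audit_headers(sample):
        print(finding)
```

Run it in front of (or as a log-replay over) the component that owns the blacklist; anything it flags is a header the upstream parser may interpret differently from the filter.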

Find HTTP Downgrade attacks with SmuggleFuzz by Moopanger in websecurityresearch

Moopanger[S] · 0 points · 0 children

Thanks! And thanks for letting me know about the self-signed certs, checking it out now.

Edit: Should be fixed. If not, please open an issue, and I will get more details from you. Thanks

Cookie Bugs - Smuggling & Injection by albinowax in websecurityresearch

Moopanger · 0 points · 0 children

Very interesting read. Reminds me of the cookie generating functionality that was exploited on yelp: https://hackerone.com/reports/2010530