# Browser HTTP Request Smuggling

Traditional desync attacks poison the connection between a front-end and a back-end server, and are therefore impossible on websites that don't use a front-end/back-end architecture. These are referred to as server-side desyncs from here on. Most server-side desyncs can only be triggered by a custom HTTP client issuing a malformed request; the CL.0 and H2.0 variants below are the exception, because the request that triggers them is fully valid.

## CL.0 Desync

This vulnerability occurs when the Content-Length (CL) header is completely ignored by the back-end server. The back-end never reads the body, so when the next request arrives on the same connection it treats the unread body as the start of that request: the first bytes of the body become the second request's method. Ignoring the CL is equivalent to treating it as having a value of 0, so this is a CL.0 desync, a known but lesser-explored attack class.

The attack is possible because the back-end server simply isn't expecting a POST request on that endpoint (for example, a handler for static content that has no reason to read a request body). Note that this vulnerability is triggered by a completely valid, specification-compliant HTTP request: the Content-Length is correct and the front-end forwards it unchanged. That means the front-end has zero chance of protecting against it, and it can even be triggered by a browser, since a browser will send a cross-origin POST with a text body without complaint.

## H2.0 Desync

The only difference between CL.0 and H2.0 is that in H2.0 the client speaks HTTP/2, which carries the body length implicitly in its DATA frames rather than in a Content-Length header. When the front-end downgrades the request to HTTP/1.1 it derives a correct Content-Length from that implicit length, but the back-end isn't using it either, so the outcome is the same desync.
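Both the CL.0 case and its H2.0 variant, as an added example that is not code from this page or from the research it summarises: a Python simulation that feeds one byte stream (attacker request followed by victim request) to a front-end parser that honours Content-Length and to a back-end parser that ignores it. The hostname example.com, the paths /static/app.js and /hopefully404 and the Foo header are constructed for the demonstration. build_request models what the front-end forwards after an HTTP/2 downgrade, which is why the H2.0 case needs no separate parser here.

```python
"""
Constructed simulation of a CL.0 desync (added example, not code from
HackTricks or from the PortSwigger research the page summarises).

The same byte stream is parsed twice: once by a front-end that honours
Content-Length and once by a back-end that ignores it on an endpoint
where it does not expect a body. Hostnames, paths and the Foo header
are made up for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def build_request(method: str, target: str, host: str, body: bytes = b"") -> bytes:
    """Serialise a spec-compliant HTTP/1.1 request.

    This is what the front-end forwards to the back-end. If the client spoke
    HTTP/2, the front-end derives Content-Length from the DATA frame length
    while downgrading; the bytes on the wire are identical, which is why the
    H2.0 variant behaves exactly like CL.0 from this point on.
    """
    head = f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n"
    if body:
        head += f"Content-Length: {len(body)}\r\n"
    return head.encode() + b"\r\n" + body


def parse_requests(stream: bytes, honor_content_length: bool) -> list[Request]:
    """Split a byte stream into HTTP/1.1 requests.

    honor_content_length=True  models a correct front-end.
    honor_content_length=False models a back-end handler that never reads
    the body (e.g. a static-file handler that does not expect POST). The
    unread body is then parsed as the start of the next request, which is
    the CL.0 desync.
    """
    requests: list[Request] = []
    pos = 0
    while True:
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # incomplete request head: a real server would wait for more bytes
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        body = b""
        length = int(headers.get("content-length", "0"))
        if honor_content_length and length:
            body, pos = stream[pos:pos + length], pos + length
        requests.append(Request(method, target, headers, body))
    return requests


# Attacker request: a valid POST whose body is an incomplete request head.
# A browser can emit exactly this request (constructed illustration), e.g.
#   fetch('https://example.com/static/app.js', {method: 'POST', mode: 'no-cors',
#         credentials: 'include', body: 'GET /hopefully404 HTTP/1.1\r\nFoo: x'})
SMUGGLED_PREFIX = b"GET /hopefully404 HTTP/1.1\r\nFoo: x"
ATTACK = build_request("POST", "/static/app.js", "example.com", SMUGGLED_PREFIX)
# Victim request that arrives next on the same reused back-end connection.
VICTIM = build_request("GET", "/", "example.com")


def simulate(stream: bytes = ATTACK + VICTIM) -> tuple[list[Request], list[Request]]:
    """Return (requests as seen by the front-end, requests as seen by the back-end)."""
    return (parse_requests(stream, honor_content_length=True),
            parse_requests(stream, honor_content_length=False))


def is_vulnerable(stream: bytes = ATTACK + VICTIM) -> bool:
    """Detection check: the back-end is CL.0-vulnerable if the request it
    serves after the attack request is the smuggled one, i.e. the victim
    would receive the response for /hopefully404 instead of for /."""
    _, backend = simulate(stream)
    return len(backend) >= 2 and backend[1].target == "/hopefully404"


if __name__ == "__main__":
    frontend, backend = simulate()
    print("front-end:", [(r.method, r.target) for r in frontend])
    print("back-end: ", [(r.method, r.target) for r in backend])
    print("CL.0 desync:", is_vulnerable())
```

Running it shows the front-end seeing POST /static/app.js followed by GET /, while the back-end sees POST /static/app.js followed by GET /hopefully404, with the victim's own request line swallowed into the Foo header. The observable signal in a real test is the same: a benign follow-up request on the same connection comes back with the response for /hopefully404 (a 404), which is the probe used to detect CL.0.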