Martin Doyhenard Profile
Martin Doyhenard

@tincho_508

Followers
1,593
Following
205
Media
15
Statuses
186

Security Researcher at PortSwigger. Speaker at BlackHat, DEF CON, RSA, Hack In The Box, Troopers, EkoParty

La Plata
Joined May 2011
Pinned Tweet
@tincho_508
Martin Doyhenard
4 months
I'm thrilled to announce that my talk "Gotta Cache Em All: Bending the Rules of Web Cache Exploitation" was accepted at Black Hat USA 2024! I'll be showing how to abuse web cache parsers to completely compromise thousands of sites! #BHUSA @BlackHatEvents
8
27
221
@tincho_508
Martin Doyhenard
30 days
So happy to have had the chance to present for the second time at #BlackHat USA! I’m already receiving a lot of messages from people using these techniques to get some nice bounties! If you want to learn more about cache exploitation, the research is available at
4
58
220
@tincho_508
Martin Doyhenard
3 years
If you are interested in modern WEB Exploitation techniques, don’t miss my @defcon talk “Response Smuggling - Pwning HTTP/1.1 Connections”. I will explain new attacks that could be used to compromise vendors as big as Google! 😉
3
57
162
@tincho_508
Martin Doyhenard
3 months
I'm excited to announce that I'll be presenting "Gotta Cache Em All: Bending the Rules of Web Cache Exploitation" at @defcon ! Hope to see you there #DEFCON32
2
15
129
@tincho_508
Martin Doyhenard
2 years
@pirruz @AscensoHundido Public square, it said… Dude, put a TV in a square here and I don't know what gets stolen first, the TV or the square
4
0
60
@tincho_508
Martin Doyhenard
2 years
I am very excited to announce that my talk "Internal Server Error: Exploiting Inter-Process Communication in SAP's HTTP Server" was accepted at @BlackHatEvents Las Vegas! The abstract is available on the #BHUSA website:
1
6
57
@tincho_508
Martin Doyhenard
3 years
My Response Smuggling paper is live! You can read it in the #defcon29 media page:
2
17
33
@tincho_508
Martin Doyhenard
2 years
I am thrilled to announce that my talk “Internal Server Error: Exploiting Inter-Process Communication with new desynchronization primitives” was selected for @defcon Las Vegas! More info can be found on the #DEFCON30 website
1
4
19
@tincho_508
Martin Doyhenard
2 years
@0xMstar I can’t believe no one said missing/broken authentication and broken access control (OWASP bug type which is extremely easy to teach to someone without any knowledge). This is because people do understand what an unprivileged user should and shouldn’t be able to do in business
1
0
17
@tincho_508
Martin Doyhenard
1 month
Thanks @garethheyes for such an amazing gift! I was looking to improve my JavaScript skills and this is definitely going to help me do it! (being able to work with the best JS hacker in the world is definitely helping 😄)
1
1
14
@tincho_508
Martin Doyhenard
3 years
Spoiler: If you’ve never heard about HTTP Desync, you can watch @albinowax #DEFCON presentation “HTTP Desync Attacks: Smashing into the Cell Next Door”
1
3
13
@tincho_508
Martin Doyhenard
2 years
@PortSwiggerRes @jacopotediosi Great finding! The technique used in this research is described in my DEFCON29 talk “Response Smuggling: exploiting HTTP Connections”. It is possible to upgrade this attack using the HEAD method confusion and response scripting to build the payload!
1
0
12
@tincho_508
Martin Doyhenard
2 years
@vikaloca @DaiBelen23 @JulieCGallagher Are you kidding me? Wanda got Icardi… Yes yes, ICARDI! playing on the same team as Messi, Neymar and Mbappe!!!! If that isn't being successful as the agent of a player at Mauro's level (I'm not saying he's bad, but at PSG???!!!) then I don't know what is…
2
1
9
@tincho_508
Martin Doyhenard
3 years
Thank you @GoogleVRP for such a great Christmas surprise!
0
0
7
@tincho_508
Martin Doyhenard
3 years
Response Smuggling in the Top 40 💪🏻 If you liked this research and technique, please vote to include it in the final Top 10!
@PortSwiggerRes
PortSwigger Research
3 years
Voting is now live! Explore the 40 nominations, and cast your vote for the 10 web hacking techniques of 2021 here:
1
69
210
0
3
7
@tincho_508
Martin Doyhenard
3 years
There is an issue with the previous link. The last version of the Response Smuggling paper, including techniques to improve (a lot) the reliability of the attack, can be found here:
1
5
7
@tincho_508
Martin Doyhenard
1 year
@Aliendroneta27 @dataref_ar You forgot number 1 in the FIFA ranking, but at this point who's counting the trophies hahaha
0
0
6
@tincho_508
Martin Doyhenard
2 years
BlackHat is Over. Great experience presenting my first talk here! If you missed it, I’ll be presenting it again at #DEFCON30 . This time, I’ll also show how to use Response Smuggling to completely own your target! Find it at track 3 on Saturday 5pm
1
1
5
@tincho_508
Martin Doyhenard
6 years
Finally the talk I voted for wins the best talk award @ekoparty @cintainfinita
1
0
4
@tincho_508
Martin Doyhenard
17 days
@alex_roqo There are two reasons for this: 1. In WCD the attacker sends a malicious link to the victim: target. com/account$/../static/x However, browsers resolve dot-segments before sending the request, so the path would become /static/x and, with no discrepancy, the attack will fail
1
1
4
@tincho_508
Martin Doyhenard
27 days
@omer_gil Thanks so much!!! Your research was a great inspiration for everything I found, and showed how, by being creative and understanding the target, it is still possible to innovate and discover new vulnerability types!
0
0
4
@tincho_508
Martin Doyhenard
17 days
@alex_roqo To solve this, the attacker encodes part or all of the dot-segment. target. com/account$%2F../static/x This is because browsers will resolve path traversals, but will not decode URL-encoded characters. This way, the path will be sent unmodified and the attack will succeed.
1
1
3
@tincho_508
Martin Doyhenard
3 years
@TyCSports Isn't that a bit much, living in a reality in which Ginobili exists 🤔
1
0
3
@tincho_508
Martin Doyhenard
2 years
@albinowax Just finished reading the white paper, excellent research!!! 👏🏻👏🏻👏🏻 I missed the talk today, but I’ll be there at DEFCON!
0
0
3
@tincho_508
Martin Doyhenard
2 years
@Mulderbot @ARTP3R @5eniorDeveloper XOR is the best solution because it doesn't produce an offset. Addition and multiplication don't allow operating over the full range
0
0
2
@tincho_508
Martin Doyhenard
17 days
@alex_roqo To solve this, we can encode the dot segment, as it won't matter because the front end is normalising it: /payload;%2F..%2Fhome  -->  /payload;/../home But, at the backend, the semicolon disguises the suffix as a parameter, creating the discrepancy and exploiting it
1
1
3
@tincho_508
Martin Doyhenard
2 years
Also, if you don’t have your badge yet and money is a problem, I have an extra one I’m giving for free!
1
0
3
@tincho_508
Martin Doyhenard
3 years
@LiveOverflow My Response Smuggling research didn’t make it to the Top 10, but at least @LiveOverflow believes it is a nice technique 🤣
0
0
2
@tincho_508
Martin Doyhenard
2 years
@ARTP3R @Mulderbot @5eniorDeveloper Think of the variables as what they are and not what they represent. An XOR operation on binary variables (which can represent any data type) allows swapping values without losing information and with the same efficiency (or better)
0
0
1
@tincho_508
Martin Doyhenard
2 years
@OmarHashem666 Awesome finding and excellent write-up. I really enjoyed reading it as it shows the entire thinking process. Did you try injecting on the href to break the HTML? Maybe to confuse the victim and include a message like “>if you didn’t request a recovery click here<href= http://X
1
0
1
@tincho_508
Martin Doyhenard
6 months
@chudyPB Read the paper (most of it 😆) and it was awesome research with some really cool gadgets. The deserialization-serialization technique was amazing!
1
0
2
@tincho_508
Martin Doyhenard
27 days
@0xAwali Yea, I was able to find many targets using a redirect with the X-Forwarded-Host header, although I didn’t replace any real resource (like the JS from the example) as this would affect valid users. For that I used a lab with the default configurations (static extensions rule)
1
0
3
@tincho_508
Martin Doyhenard
3 years
@JensGleichmann @CBasis HANA internal WDP is not included in the vulnerable components as the memory pipelining configuration is not the same as the standalone WDP. Still, S/4HANA and any other app server behind a WDP should be considered vulnerable. CVE-2021-38162 does however affect HANA the same way
1
0
2
@tincho_508
Martin Doyhenard
5 years
@Rabonushka #TePegaEnTyCSports hopefully Tito's song catches on in the stadiums: You'd better win a game, sons of bitches, the whore who bore you, bom bom bomboom 🎼 Cancionero, who even knows you?
0
0
2
@tincho_508
Martin Doyhenard
2 years
@YShahinzadeh I would suggest reading the HTTP RFC which is the real definitive guide of how the protocol works. It’s shorter, descriptive and is applied in all HTTP servers and proxies. And if you just want to know about Connections, there is an entire section about that!
0
0
2
@tincho_508
Martin Doyhenard
2 years
@intigriti Both codes are vulnerable to CSRF. The POST one is easy as it can be crafted using an auto-submitted form using the method POST. But the PUT one can also be exploited, only in this case DNS Rebinding must be used to bypass CORS restrictions and redirect the user to the vuln host
0
0
2
@tincho_508
Martin Doyhenard
2 years
@I_AM_MAC4 @0xMstar Sure, just try to perform any action you are not supposed to be allowed in an app/system. If you can, then you found a vulnerability. The same goes for any case in which you are able to either predict or steal someone else's credentials. Using a crack for an app is another example
1
0
2
@tincho_508
Martin Doyhenard
1 year
@hahwul For HTTP/1.1 ZAP: Sends the requests and holds the TCP connection for pipelined responses. In this case, the request is split using the TE at some point (proxy or backend) and two responses are generated, a 404 for the first part and a 200 for the second (/about/).
1
0
1
@tincho_508
Martin Doyhenard
3 years
@albinowax @WebSecAcademy CL,TE/TE,CL can be leveraged to cause reverse desync and inject arbitrary (yes, completely arbitrary) responses to exploit live users! Writeup and whitepaper will be available right after @defcon . I hope it helps vendors realize that HTTP Smuggling is here to stay!
1
0
1
@tincho_508
Martin Doyhenard
1 year
@hahwul BURP: Sends the requests but does not hold for the pipelined response. This is probably because each response is served individually by the proxy or by the server, so once the response is there it will not wait for another (which is logical as if not it should wait forever).
1
0
1
@tincho_508
Martin Doyhenard
1 year
@hahwul For HTTP2 ZAP and CAÍDO seem to show that the problem is in the header name. This is because HTTP2 does not allow TE headers, and if the proxy is following the RFC, this is the expected result, a connection error which is interpreted as a 400.
1
0
1
@tincho_508
Martin Doyhenard
1 year
@hahwul You can use other features such as Turbo intruder to reuse a TCP connection and keep-alive the conn. In that case you would observe similar results as in ZAP. CAÍDO: Same behavior as BURP (don’t know the framework but it’s clear that’s the case).
1
0
1
@tincho_508
Martin Doyhenard
17 days
@alex_roqo 2. Delimiters like the semicolon in Java affect a segment and not the entire path. This means that "/hello;/../world;param2" will be interpreted as "/world". The same is true for the dot in Rails. Therefore, sending this path, even in cache poisoning, will make the attack fail
1
1
1
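As an added example (not part of this thread and not the author's code), here is a small Python checker that models, from the defender's side, the normalization discrepancy these replies describe: it computes what the browser puts on the wire, what a decoding front end would key its cache on, and what two simplified origin models would serve, and flags any path where the cache key and the origin's resource disagree. The browser, cache and origin models, the function names and the sample paths are all assumptions constructed for this example, not the behaviour of any named product.

```python
# Added example: path-normalization discrepancy checker (assumed models, not
# the behaviour of any specific browser, cache or server).
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """Resolve "." and ".." segments of an absolute path (RFC 3986 5.2.4 style).
    Only a segment that is exactly ".." counts; "%2F.." stays a literal segment."""
    out = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def strip_path_params(path: str) -> str:
    """Drop ";param" suffixes per segment (Java-style path parameters)."""
    return "/" + "/".join(seg.split(";", 1)[0] for seg in path.split("/")[1:])


def browser_view(raw_path: str) -> str:
    """Assumed browser behaviour: dot-segments resolved before sending,
    percent-encoded characters left untouched."""
    return remove_dot_segments(raw_path)


def cache_key(sent_path: str) -> str:
    """Assumed front-end/cache model: percent-decode, resolve dot-segments,
    and ignore path parameters when deciding which resource the path names."""
    return strip_path_params(remove_dot_segments(unquote(sent_path)))


def origin_literal(sent_path: str) -> str:
    """Assumed origin model A: no decoding before routing, so "%2F" is a
    literal character in a segment name; ";params" are not part of the name."""
    return strip_path_params(remove_dot_segments(sent_path))


def origin_java_style(sent_path: str) -> str:
    """Assumed origin model B: ";" ends a segment's name before anything else
    is resolved, so a ".." can only pop the segment it actually sits in."""
    return remove_dot_segments(strip_path_params(sent_path))


def find_discrepancy(raw_path: str) -> dict:
    """Compare the cache key with each origin model's resolved resource."""
    sent = browser_view(raw_path)
    key = cache_key(sent)
    origins = {"literal": origin_literal(sent), "java_style": origin_java_style(sent)}
    mismatch = {name: res for name, res in origins.items() if res != key}
    return {"sent": sent, "cache_key": key, "origin": origins, "mismatch": mismatch}


def should_reject(sent_path: str) -> bool:
    """Front-end rule: refuse (or at least never cache) a request whose decoded,
    normalized path names a different resource than the literal path would."""
    key = cache_key(sent_path)
    return key != origin_literal(sent_path) or key != origin_java_style(sent_path)


def flag_paths(paths) -> list:
    """Return the subset of paths for which some origin model disagrees
    with the cache key."""
    return [p for p in paths if find_discrepancy(p)["mismatch"]]


# Constructed sample paths: the thread's own examples plus an ordinary request.
SAMPLE_PATHS = [
    "/account$/../static/x",      # browser resolves ".." itself: no discrepancy
    "/account$%2F../static/x",    # encoded slash survives the browser
    "/hello;/../world;param2",    # ";" scoped to one segment: no discrepancy
    "/payload;%2F..%2Fhome",      # front end sees /home, origin serves /payload
    "/static/app.js",             # plain request
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p, "->", find_discrepancy(p))
    print("flagged:", flag_paths(SAMPLE_PATHS))
```

The practical takeaway is the one the replies make: the discrepancy exists only when the component building the cache key and the component routing the request normalize differently. A front end that either refuses requests for which `should_reject` is true, or normalizes exactly the way its origin does, removes the gap; the checker here is only a way to see where the two views diverge for a given set of paths.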
@tincho_508
Martin Doyhenard
10 months
@srmoebius @ekoparty @fede_k “Emulador (Sega)” is the nice touch hahahahaha
0
0
1
@tincho_508
Martin Doyhenard
5 months
@f_reiven Use Burp as a proxy (--proxy in curl and the proxies argument in python requests). There you'll be able to see how the requests go out and the differences between the 2. With that you'll understand why.
0
0
1
@tincho_508
Martin Doyhenard
1 month
@DidymaWorks @nicowaisman Totally agree, love the war story talks with lots of reversing and clever exploitation! last time I presented at BlackHat I talked about something like that (), but the practicality of web exploitation techniques is usually unmatched.
1
0
1
@tincho_508
Martin Doyhenard
1 year
@hahwul If this is not the case, then you might have found a vulnerability (HTTP2 smuggling T.E CL). Still, you should first verify that the requests are well formed in terms of lengths (maybe that’s also the issue in the other frameworks for HTTP2)
0
0
1
@tincho_508
Martin Doyhenard
1 year
@LucasTigre27 The question would be, if he's sooooo good, tearing it up so much, and he's as good as or better than the current national team strikers, why the hell does he play for Tigre?
0
0
1
@tincho_508
Martin Doyhenard
11 years
@ezebiagiotti and Boca first like... sorry, I didn't say anything xD
1
0
1
@tincho_508
Martin Doyhenard
1 year
@hahwul It is important to be aware of how each framework is creating the requests and how the connection and pipelining are managed in each. Also, as mentioned, you are testing with HTTP2 and HTTP/1.1 and there is a big difference in terms of connection
1
0
1
@tincho_508
Martin Doyhenard
1 year
@hahwul I would ask if the empty response obtained in BURP does not return any other information, such as a connection error or connection reset. (Look at the left lower side of the screen or at the Event Log in the Scanner screen).
1
0
1
@tincho_508
Martin Doyhenard
9 years
@ekoparty intercepting communications from the past for fun and profit in the future #eko11
0
1
1
@tincho_508
Martin Doyhenard
8 months
@adversariel @shncldwll @BlackHatEvents @aivillage_dc Could you share the white paper of the research?
0
0
1
@tincho_508
Martin Doyhenard
1 year
@hahwul This might also be caused by the framework. I’m not sure how HTTP2 is handled in ZAP or CAÍDO. BURP provides advanced control on HTTP2 requests. You can actually edit the request headers individually (as if working with an HTTP2 Headers Frame) allowing for clear attacks.
1
0
1