Category Security

This lab is a lot of fun and requires chaining together techniques to fully exploit. First, we have to identify if, where, and how the application is vulnerable to a smuggling attack. Once that has been established, we need to…

This next lab represents an interesting vulnerability where specific paths/routes within an application are vulnerable to desync when there is no expectation of anything other than the intended HTTP verb ever showing as part of a request. These are very…

In the previous post, we looked at an HTTP/2 downgrade attack where we injected CRLF characters into a header and that allowed us to smuggle the Transfer-Encoding header through the H2 frontend. If the Transfer-Encoding header was provided as a…

In this next lab, we have to go a bit deeper into the differences between how HTTP and HTTP/2 are transferred over the wire and then ultimately processed by a web application. Once again, we are going to be going…

In the previous lab we looked at a H2.TE vulnerability. To exploit, we needed to upgrade the request from HTTP to HTTP/2 and rely on the frontend to downgrade back down to HTTP for its communication with the backend system.…