Request smuggling - do more than running tools! HTTP Request smuggling bug bounty case study


Request smuggling is an amazing bug class! But I barely ever did more than running Request Smuggler. So I've analysed tens of reports and in this video, I'll break down the most common root causes and I'll give you some ideas for future research.

Reports mentioned in the video:

Whitespace characters in CL/TE headers
Incorrect prioritization of CL/TE
Multiple TE/CL headers
Ignoring the TE/CL headers
Not closing the connection
HTTP/2 downgrade forwarding CL/TE
Only \n or \r as a newline
Not a literal "chunked" TE
CRLF injection
Trailer parsing
H2C upgrade
Converting \r to -
Chunk extensions

Timestamps:

00:00 Intro
00:34 Whitespace characters in CL/TE headers
3:45 Incorrect prioritization of CL/TE headers
5:26 Multiple TE/CL headers
7:22 Ignoring the TE/CL headers
10:05 Not closing the connection
11:40 HTTP/2 downgrade forwarding CL/TE
14:02 Only \n or \r as a newline
15:35 Not a literal "chunked" TE
16:39 CRLF injection
17:49 Trailer parsing
19:26 H2C upgrade
20:42 Converting \r to -
22:20 Chunk extensions
Comments

Thank you for watching this video. If you've learnt something new, leave a like to show me that you appreciate it!

BugBountyReportsExplained

Why do we have to use a whitespace character? Please clarify this is possible.

musawerkhan

In addition to Burp Plugin HTTP Request Smuggler, what other methods can find this vulnerability?🤒

dayxyz

I’ve watched so many videos, done courses on HTTP request smuggling and still don’t understand. I’m thinking about making an HTTP server in C to exploit it myself to understand it better.

crlfff

Hi, thanks for the video. Can I get the Notion link of the reports?

HerlockShomes

Hey dude, great video as always.
I have had a question for a long time, since completing all the labs related to HTTP request smuggling from PortSwigger: I am able to identify the HRS vulnerabilities using the detection method, and even the Smuggler tool, but I am never able to showcase a full-proof POC, because I have seen people use Turbo Intruder for that, like here at 6:26, and I couldn't find a place to learn that. So I request that you make a video on how to actually make a POC or show the IMPACT, as we say, because in so many places I couldn't show the actual POC, and it was annoying.

kunshtanwar

Hello, I have some questions about HTTP request smuggling. How can I contact you on Discord?

fengzhi-pf

Hello, I am from China. I like the video content of your channel very much. I want more people to learn these vulnerabilities. Can I translate your video and repost it to the Chinese bilibili video website? I will mark your YouTube address on the video page, thank you

airsky

Next Video: $$.$$$ bounty using request smuggling

alvarobalada