HTTPリクエスト・スマグリング検出ツールの仕組みを理解する - Shikata Ga Nai
Hello there, ('ω')ノ HTTPリクエスト・スマグリング(HRS)は、フロントエンドとバックエンドの リクエスト解釈の食い違い を突いて「隠れたリクエスト」を密輸する攻撃です。2005年に最初に報告され、2019年には James Kettle(@albinowax)が DEF CON / Black Hat で再び注目させました。 ここでは、攻撃者がどのように脆弱性を検出するか、そして紹介されている Python ツールがどのように動作するのかを、初心者にもわかりやすく解説します。 なぜ時間遅延で検出できるのか? 攻撃者は「フロントとバックでリクエストの終わりをどう解釈するか」を揺さぶります。その結果、サーバーが次のリクエストを待ち続けて応答が遅れることがあります。これが検出のサインです。 代表的な2つの手法 1. CL.TE(Content-Length と Trans
GitHub - EnableSecurity/wafw00f: WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.
To do its magic, WAFW00F does the following: Sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions. If that is not successful, it sends a number of (potentially malicious) HTTP requests and uses simple logic to deduce which WAF it is. If that is also not successful, it analyses the responses previously returned and uses another simple algorithm to guess i
Detecting Malicious Requests with Keras & Tensorflow
Security is a concern for any public facing web application. Good development practices can assist with defending against attempts from users looking to expose data or bring down an app. However, sometimes not all attack vectors are handled and new exploits are bound to be discovered. This is where security software can assist with monitoring and preventing unforeseen attacks. So what if you could
1
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
GitHub - lsmithg12/ai-detection-engineering
GitHub - assetnote/react2shell-scanner: High Fidelity Detection Mechanism for RSC/Next.js RCE (CVE-2025-55182 & CVE-2025-66478)
GitHub - dragonked2/Egyscan: Egyscan The Best web vulnerability scanner; it's a multifaceted security powerhouse designed to fortify your web applications against malicious threats. Let's delve into the tasks and functions that make Egyscan an indispensab
GitHub - fox-it/citrix-netscaler-triage: Dissect triage scripts for Citrix NetScaler devices
GitHub - stamparm/identYwaf: Blind WAF identification tool
GitHub - ccmarris/ns_lame_detector
GitHub - moskrc/crawlerdetect: 🕷CrawlerDetect is a Python library designed to identify bots, crawlers, and spiders by analyzing their user agents.
GitHub - blacklanternsecurity/cloudcheck: Check whether an IP address or hostname belongs to popular cloud providers
GitHub - vladko312/SSTImap: Automatic SSTI detection tool with interactive interface
GitHub - kanishk7559/hackmitwpu
GitHub - abhizaik/phishing-detection: Phishing Detection
GitHub - HarshShah1997/Spam-Classification: Analysis and detection of short url spam on twitter.
GitHub - grapl-security/grapl: Graph platform for Detection and Response
GitHub - t4d/StalkPhish: StalkPhish - The Phishing kits stalker, harvesting phishing kits for investigations.
GitHub - s0md3v/XSStrike: Most advanced XSS scanner.