Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling
This request triggered an extremely suspicious intermittent 400 Bad Request response from various websites that were running AWS Application Load Balancer (ALB) as their front-end. Investigation revealed that ALB was mysteriously adding a 'Transfer-Encoding: chunked' header while downgrading the request to HTTP/1.1 for forwarding to the back-end, without making any alterations to the message body:
Top 10 web hacking techniques of 2021 - nominations open
Published: 05 January 2022 at 14:35 UTC Updated: 31 January 2022 at 15:02 UTC Update: nominations are now closed, but voting is live! Cast your vote here. Nominations are now open for the top 10 new web hacking techniques of 2021! Every year security researchers share their discoveries via blog posts, presentations, and whitepapers. Every write-up is valuable, but some contain something special -
XSS in hidden input fields
Published: 16 November 2015 at 11:25 UTC Updated: 14 June 2019 at 12:03 UTC At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it's behaving properly. Whilst doing this recently, Liam found a Cross-Site Scripting (XSS) vulnerability in [REDACTED], inside a hidden input element: <input type="hidden" name="redacted"
1
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
Password theft bug chain patched in Passwordstate credential manager
Akamai WAF bypassed via Spring Boot to trigger RCE
Path traversal flaw found in OWASP enterprise library of security controls
VirusTotal debunks claims of a serious vulnerability in Google-owned antivirus service
Latest web hacking tools – Q2 2022
SSRF vulnerability in VMWare authentication software could allow access to user data
Password reset poisoning | Web Security Academy