251 - RCE’ing Mailspring and a .NET CRLF Injection
2024-3-19 20:0:0 Author: dayzerosec.com

Some research from Martin Doyhenard at Portswigger, presenting an option to escalate a request smuggling/HTTP desync vulnerability by smuggling a TRACE request.

The HTTP TRACE verb is rarely used but is still supported by several servers. It was intended for debugging: one could send a TRACE request with a request body, and the response body would contain the original request as the server received it, with any sensitive data such as credentials or cookies stripped out (Cross-Site Tracing used to be a technique for getting access to httpOnly cookies).

The result is that a smuggled TRACE request gives control over the response body, because the request body is reflected in it.
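To make the reflection behaviour concrete, here is an added example (not code from the episode or from PortSwigger's research): a tiny in-process Python server with a classic TRACE handler that echoes the request back as the response body while dropping Cookie and Authorization, next to a hardened handler that refuses TRACE with 405. The `/debug` path, the `X-Demo` header and the cookie value are constructed for the demo. The probe shows that whatever is sent in the TRACE body lands in the response body, which is exactly the control the text describes, and that the hardened handler never reflects anything.

```python
"""Added example: modelling TRACE reflection and its mitigation in-process."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection

# Headers the echo removes, matching the stripping behaviour described above.
SENSITIVE_HEADERS = {"cookie", "authorization"}


class ReflectingHandler(BaseHTTPRequestHandler):
    """Implements TRACE the classic way: the request is echoed as the body."""

    def do_TRACE(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        lines = [self.requestline]
        for name, value in self.headers.items():
            if name.lower() in SENSITIVE_HEADERS:
                continue  # credentials and cookies are not reflected
            lines.append(f"{name}: {value}")
        echo = ("\r\n".join(lines) + "\r\n\r\n").encode() + body
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):
        pass  # keep the demo quiet


class HardenedHandler(ReflectingHandler):
    """Same server, but TRACE is refused outright, so nothing is reflected."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET")
        self.send_header("Content-Length", "0")
        self.end_headers()


def trace_probe(handler_cls, body=b"caller-chosen text"):
    """Serve handler_cls on a loopback port, send one TRACE, return (status, body)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        conn = HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        # Constructed request: a cookie that must not come back, plus a marker header.
        conn.request("TRACE", "/debug", body=body,
                     headers={"Cookie": "session=secret", "X-Demo": "1"})
        resp = conn.getresponse()
        result = (resp.status, resp.read())
        conn.close()
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(trace_probe(ReflectingHandler))
    print(trace_probe(HardenedHandler))
```

Running the module prints a 200 response whose body starts with `TRACE /debug HTTP/1.1` and ends with the submitted body, with the cookie absent, followed by a 405 with an empty body from the hardened handler. Disabling TRACE at the origin or front-end (the 405 variant) is the usual mitigation, since it removes the reflected body regardless of how the request reached the server.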


Source: https://dayzerosec.com/podcast/251.html