HTTP Request Smuggling on business.apple.com and Others. ($36000 USD)
We discussed this vulnerability during Episode 135 on 11 April 2022
A somewhat traditional CL.TE request smuggling attack on a few of Apple's domains. The main trick with this one was to place a \n in the Transfer-Encoding header name, so the full header was Transfer-Encoding\n : chunked
This allowed the TE header to be smuggled through any checks on the frontend and still be parsed by the backend server.
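The check a front end needs to close this gap, as an added example (not code from the original post or from Apple): RFC 7230 section 3.2.4 requires a 400 response when anything other than token characters precedes the colon in a header name. The function name and sample requests are constructed for illustration; the second check compares names the way a lenient back end would after trimming whitespace.

```python
import re

# Characters RFC 7230 allows in a header field name ("token")
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def audit_headers(raw: bytes) -> list[str]:
    """Return reasons a front end should answer 400; an empty list means accept."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lenient_names = set()
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, colon, _value = line.partition(b":")
        # fullmatch, not match with "$": "$" would accept a trailing "\n"
        if not colon or not TOKEN.fullmatch(name):
            findings.append(f"malformed header field name: {name!r}")
        # The name a lenient back end might see after trimming whitespace
        lenient_names.add(name.strip().lower())
    if {b"content-length", b"transfer-encoding"} <= lenient_names:
        findings.append("Content-Length and Transfer-Encoding both present")
    return findings

# Constructed header blocks (no bodies), for illustration only
CLEAN = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\n\r\n")
SUSPECT = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 4\r\n"
           b"Transfer-Encoding\n : chunked\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_headers(req))
```

Rejecting the request outright, rather than normalising the header and forwarding it, is what keeps the front end and back end from disagreeing about where the body ends.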