Hi there, it’s cyberbeat again! Today I woke up at 6, a little later than yesterday, and it was almost 8 by the time I sat down to hunt, since I was occupied with writing and publishing yesterday’s Medium article. So let’s get into the main show.
Yesterday I figured out an information disclosure bug, but my report was marked as P5 😢, so I wanted to escalate it. I started from there, trying various ways to bypass the authentication, but with no luck. I spent the whole afternoon looking for a way to bypass access control, but I wasn’t able to figure one out.
Around 3pm, I gave up and tried to look for other domains on that program while just visiting random subdomains. Suddenly I had a random idea: what if I am able to smuggle a request from that admin server to here? Sounds crazy, but I tried to do the same. I tried with a login page but was not able to perform a successful attack. I spent the whole evening on that, smuggling one request under another and taking a note of the response.
One thing that I noticed, which was something new for me, was Error Code 411. This is the response when the server needs a Content-Length. And this is the point where I thought of doing request smuggling. Below is the reference that I took to detect the potential vulnerability.
For those who don’t know about request smuggling, it is a way to manipulate the HTTP headers so that one request carries another hidden inside it. There are two ways a server can decide where a request body ends: the Content-Length header, where the server reads exactly that many bytes, or the Transfer-Encoding header, where the body is sent in chunks. If the front-end server goes by Transfer-Encoding while the back-end server goes by Content-Length, the two disagree about where one request ends and the next begins, and that is the TE.CL case; the reverse is CL.TE. You could gain an in-depth understanding from the PortSwigger Academy (HERE).
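To make the framing rules above concrete from the defender’s side, here is an added example (not code from the original post or from any vendor) of the check a front-end proxy should do before forwarding a request: it refuses requests where Content-Length and Transfer-Encoding conflict, where either header is duplicated or obfuscated, and it answers 411 when a body-bearing method arrives with no length at all. The sample requests in the test are constructed for illustration.

```python
"""
Strict HTTP/1.1 request framing, the way a front-end that wants to avoid
CL.TE / TE.CL desynchronisation should behave. Added example, not from
the original post; the request bytes used with it are constructed.
"""
from typing import Optional, Tuple

# Methods that are normally expected to carry a body; a request with one of
# these and no framing header gets 411 Length Required, as seen in the post.
BODY_METHODS = (b"POST", b"PUT", b"PATCH")


def decode_chunked(data: bytes) -> Optional[bytes]:
    """Decode a chunked body; return None on any malformed chunk framing."""
    out = b""
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            return None
        size_field = data[pos:end].split(b";")[0].strip()  # ignore chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return None
        pos = end + 2
        if size == 0:
            return out  # terminating chunk; trailers are ignored here
        chunk = data[pos:pos + size]
        if len(chunk) < size or data[pos + size:pos + size + 2] != b"\r\n":
            return None
        out += chunk
        pos += size + 2


def frame_request(raw: bytes) -> Tuple[int, Optional[bytes]]:
    """Return (status, body).

    200 -> the body boundary is unambiguous and `body` is the exact body,
    400 -> conflicting, duplicated, obfuscated or malformed framing,
    411 -> a body-bearing method arrived without any length information.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400, None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return 400, None
    method = parts[0]

    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Reject missing colon, obsolete line folding, and tricks such as
        # "Transfer-Encoding : chunked" (whitespace before the colon).
        if not colon or name != name.strip():
            return 400, None
        headers.append((name.lower(), value.strip()))

    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]

    # RFC 7230 section 3.3.3: both headers present is a framing conflict;
    # a proxy that forwards it invites the front-end/back-end disagreement.
    if cl and te:
        return 400, None
    if len(cl) > 1 or len(te) > 1:
        return 400, None

    if te:
        if te[0].lower() != b"chunked":  # accept only an exact, final "chunked"
            return 400, None
        body = decode_chunked(rest)
        return (400, None) if body is None else (200, body)

    if cl:
        if not cl[0].isdigit():
            return 400, None
        length = int(cl[0])
        if len(rest) < length:
            return 400, None  # short body; a real server would keep reading
        return 200, rest[:length]

    if method in BODY_METHODS:
        return 411, None  # the "Length Required" response from the post
    return 200, b""
```

The key design choice is that any ambiguity is a hard reject rather than a "pick one header" rule: the smuggling problem exists precisely because two hops pick differently, so the front-end should never forward a request whose boundary could be read two ways.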
Around 9.30, I submitted the report, hoping that at least my report would get accepted 🤞, if not a bounty.
Today I spent almost 12 hours on bug bounty just to find a bug. It was a bit hard for me to get into the flow since I started late. Here is how my Toggl timer dashboard…