Research Worth Reading Week 25/2025

Published: 23 Jun 2025

Go parsers, Funky Chunks, Template injections... What a week!

📦 Funky Chunks: Abusing Ambiguous Chunk-Line Terminators for Request Smuggling

A great post. If you can only read one thing this week, read this one. Solid research that will probably be leveraged in a lot of attacks in the near future: Funky Chunks: Abusing Ambiguous Chunk-Line Terminators for Request Smuggling.
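
To make the class of bug concrete, here is an added example (not code from the paper, and not a model of any specific server): two simplified chunked-body parsers that differ only in whether a bare LF terminates a chunk-size line, run against a constructed payload. The lenient parser sees the body end after four bytes and treats what follows as a second pipelined request; the strict parser, which only recognises CRLF, swallows those same bytes as trailer fields. That disagreement about where one message ends and the next begins is the precondition for request smuggling. The byte sequences the paper uses against real servers are its own; read it for those.

```python
# Added example: two simplified chunked-body parsers that disagree on what
# ends a chunk-size line. Neither models a specific server; the payload is
# constructed for this demonstration.


def read_line(buf: bytes, pos: int, lf_is_terminator: bool) -> tuple[bytes, int]:
    """Read one line starting at `pos`; return (line, position after it).

    Strict mode (lf_is_terminator=False): only CRLF ends a line; a bare LF
    is treated as an ordinary byte inside the line.
    Lenient mode (lf_is_terminator=True): a bare LF ends the line as well.
    """
    i = pos
    while i < len(buf):
        if buf[i] == 0x0A:                      # LF
            if i > pos and buf[i - 1] == 0x0D:  # preceded by CR: CRLF
                return buf[pos:i - 1], i + 1
            if lf_is_terminator:                # bare LF
                return buf[pos:i], i + 1
        i += 1
    raise ValueError("incomplete line")


def chunked_body_end(buf: bytes, lf_is_terminator: bool) -> int:
    """Parse a chunked body at offset 0 and return the offset of the first
    byte after it, i.e. where this parser believes the next message starts."""
    pos = 0
    while True:
        line, pos = read_line(buf, pos, lf_is_terminator)
        # chunk-size is the leading hex token; ";ext" is a chunk extension.
        # Like many real parsers, this one tolerates whitespace around the
        # size, which is what lets the strict parser accept "0\n" as "0".
        size = int(line.split(b";", 1)[0].strip(), 16)
        if size == 0:
            break
        data_end = pos + size
        if data_end > len(buf):
            raise ValueError("incomplete chunk data")
        term, pos = read_line(buf, data_end, lf_is_terminator)
        if term != b"":
            raise ValueError("chunk data not followed by a line terminator")
    # After the last chunk: optional trailer fields, then an empty line.
    while True:
        line, pos = read_line(buf, pos, lf_is_terminator)
        if line == b"":
            return pos


def split_at_body_end(buf: bytes, lf_is_terminator: bool) -> tuple[bytes, bytes]:
    """Return (body, leftover) as seen by one parser."""
    end = chunked_body_end(buf, lf_is_terminator)
    return buf[:end], buf[end:]


# Constructed payload: the terminal chunk's size line ends in a bare LF.
PAYLOAD = (
    b"0\n"                      # "0" + bare LF
    b"\r\n"                     # lenient parser: empty line, body ends here
    b"GET /admin HTTP/1.1\r\n"  # strict parser: these are trailer fields...
    b"Host: internal\r\n"
    b"\r\n"                     # ...terminated by this empty line
)

# Well-formed body for comparison: every parser must agree on it.
WELL_FORMED = b"5\r\nhello\r\n0\r\n\r\n"


if __name__ == "__main__":
    for name, lenient in (("lenient (LF ends line)", True),
                          ("strict (CRLF only)", False)):
        body, leftover = split_at_body_end(PAYLOAD, lenient)
        print(f"{name}: body={body!r} leftover={leftover!r}")
```

Run it and the lenient parser reports `GET /admin HTTP/1.1 ...` as leftover, ready to be parsed as a new request, while the strict parser reports nothing left over. Put a lenient front end in front of a strict back end (or the other way round) and the two will disagree about how many requests a connection carried.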

🐹 Unexpected Security Footguns in Go’s Parsers

That's the kind of article I love: it shares details of parser quirks in Go. Definitely worth a read. If you are into Go, read it; if you are not, read it anyway and apply the ideas to your favorite language: Unexpected Security Footguns in Go’s Parsers.

💣 Is b For Backdoor? Pre-Auth RCE Chain in Sitecore Experience Platform

watchTowr is back! Another C# application and more great bugs, all described in a detailed post: Is b For Backdoor? Pre-Auth RCE Chain in Sitecore Experience Platform.

😴 Sleepless Strings – Template Injection in Insomnia

The team at TantoSec is back and shares a cool bug in Kong's Insomnia. The rundown of the attempts to fix the vulnerability is probably my favorite part: Sleepless Strings – Template Injection in Insomnia.

🛡️ Administrator Protection Review

An early review of Windows Administrator Protection, coming to Windows 11: Administrator Protection Review.

Written by PentesterLab
The platform to learn web hacking and security code review