Nathan

@payloadartist Not by me btw, but @redshark1802

💉 Abusing Hop-by-Hop Header to Chain A CRLF Injection Vulnerability By @nj_dav redshark1802.com/blog/2023/03/0… #infosec #bugbounty #bugbountytips #cybersecurity

@0xankush I haven't looked into this but I suspect this endpoint in the GH API would do it: #download-job-logs-for-a-workflow-run" target="_blank" rel="nofollow noopener">docs.github.com/en/rest/action…

@nj_dav do you know a way to download github action build logs like you did with circelci?

"Abusing HTTP hop-by-hop request headers" by @nj_dav was nominated as a top web hacking technique back in 2019, and has just blossomed into an F5 BIG-IP unauth RCE! nathandavison.com/blog/abusing-h… portswigger.net/research/top-1… github.com/horizon3ai/CVE…

@caseyjohnellis A bit like Project HARP from the 60s en.wikipedia.org/wiki/Project_H…

"...for when it absolutely, positively needs to be yeeted into space" thedrive.com/the-war-zone/4…

Found a serious vuln with this technique, definitely one to look out for. nathandavison.com/blog/abusing-h…

@jinonehk Nice! do you know if it was also exploitable if you supplied the X-Real-IP header in the request with a local IP?

Found a bug similar `Abusing HTTP hop-by-hop request headers` Hope the pictures explain it well

I found that proxies based on Go's ReverseProxy (Traefik and Caddy) forward the Connection header unmodified if an empty header is first sent: Connection: Connection: X This can be used to abuse hop-by-hop headers. Fixed in Go 1.16.5 and 1.15.13. @nj_dav github.com/golang/go/issu…

@kylieengineer The new-ish bushfire mural in Dickson is pretty great, done by instagram.com/bohie and instagram.com/faithsprays twitter.com/actgovernment/…

Are there any business in Canberra area that are good at graffiti art and not scared of heights?

As an update to twitter.com/nj_dav/status/…, I have put together a script that can be used to detect vulnerable workflows in Github orgs: gist.github.com/ndavison/d14db…

@albinowax It just sent me an email saying I logged in from a region they haven't seen me in recently, so I guess I've been logged out for a while.

@nj_dav Punishment for not supporting AMD. As a little bonus it will randomly log you out from time to time.

I have to login to some over engineered "nvidia experience" crap to update my drivers, and in the process prove I'm a human. Why?!?

Github Actions and the threat of malicious pull requests - some (not entirely new) research I've been chipping away at, on how Actions workflows can be made vulnerable to secret/token leaks nathandavison.com/blog/github-ac…

@kush_kira I actually think that Wordpress now prevents this issue now by adding a 'Vary: origin' header to responses, ensuring compliant edge caches use the Origin header in cache keys. So to reproduce you'll probably need an old-ish Wordpress (and a cache server not keying on Origin).

@nj_dav Yeah i got the idea if working, but im struggling in reproducing it

Shaking secrets out of CircleCI builds - a writeup of some research I've been doing on mis-configured CircleCI projects that are vulnerable to secrets/credential theft like GH tokens and AWS keys. Surprisingly not a rare find among bounty programs! nathandavison.com/blog/shaking-s…

@kush_kira It would break because the browser would see the poisoned allow origin header coming from the WP site and it wouldn't match the origin the browser is requesting from, causing a CORS violation. Depending on how much the site uses WP-API via CORS would determine impact.

@kush_kira So if a wordpress.com site was using WP-API in a way that required CORS (e.g. bla.com uses Wordpress on wp.bla.com which is hosted on wordpress.com to get its content), then you could poison the allow origin and break the site.

@kush_kira Sorry, I missed this - yeah sure, what's up?

@nj_dav hey mate, I just went through one of your h1 report, hackerone.com/reports/591302, can I have a word with you regarding this.

@csswizardry @smashingmag The weirdest I've experienced is verbally explaining in person with no device interaction what CPU overclocking is to a non techie friend, and that friend getting a completely out of place article about overclocking in mobile Chrome's "Articles for you" screen a few hours later.

Literally just got off the phone about a blocked sink and this is the first ad I see on Instagram. I’ve never seen an ad for this product—or even from this brand—before. I’m not saying tech firms are spying on me, but…

@J1ggy_ Hey - that's because there hasn't been a PR sent to the target repo yet. The script will require at least one PR to detect the issue (and to get the flag, the PR should be trying to steal the secret as outlined in the research).