Conversation

FWIW: It's *very* entertaining to read the nginx source code (full of state machines that try to do minimal work during parsing) and look at what hilarious variants nginx will still recognize as valid HTTP. Often only one letter of a keyword will be checked.

Quote Tweet

Halvar Flake

@halvarflake

Oct 31, 2021

Anyone chiding other developers for not using state machines should be first forced to read the nginx source code followed by writing an HTML parser in verilog.

137

Replying to

last time i looked at it, it seemed stricter in places than i (as a security engineer trying to write an exploit) would like, which was comforting to me (as a security engineer trying to make sure things are less exploitable)

Replying to

and

It recently got a lot stricter in many cases in the mainline branch but it's not yet in the LTS branch that's updated to a new major version yearly. Still has this issue: github.com/yandex/gixy/bl.

github.com

gixy/httpsplitting.md at master · yandex/gixy

Nginx configuration static analyzer. Contribute to yandex/gixy development by creating an account on GitHub.

Replying to

and

OK, nice one, but I don't see a vector to exploit it.

Replying to

and

Visiting a URL with an escaped newline can set a cookie, etc.

Replying to

and

without length constraints, etc. it'll probably be immediate XSS too plus (though this probably won't be an issue if the injection is in nginx), there's the reverse proxies that'll do privileged things based on application response headers, which is frankly terrifying

Replying to

and

I'm too used to having a strong Content-Security-Policy and forget that most of the web barely uses it or has weak policies that are trivially bypassed. raw.githubusercontent.com/GrapheneOS/Att Also, `require-trusted-types-for 'script'; trusted-types 'none'` is amazing (not relevant here).

Replying to

and

though even with a strict CSP, depending on which order those headers are, the injection might just push them into the body (or into the next pipelined response)

Replying to

(an even more terrible version of this might be using the injection to construct a response with the requisite "Content-Type: application/javascript", if the CSP allows JavaScript files from the same domain, rather than using a separate asset domain)

Replying to

and

Curious what would happen in practice since there would also be a Content-Type from nginx and multiple Content-Type isn't valid. I assume browsers permit it in practice but I have no clue which one they use or if there are special rules.

8:03 PM · Oct 31, 2021Twitter Web App

Replying to

This reminds me that I need to check if Firefox and Safari finally implement github.com/w3c/webappsec- so I can switch to hash-source + SRI for scripts. I checked a couple years ago and they still hadn't implemented it literally YEARS after standardization.

github.com

Allow `hash-source` expressions match integrity metadata for external scripts. · Issue #78 ·...

Currently, script-src 'sha256-qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=' matches . It does not...