If you use the NGINX ingress controller for Kubernetes with the auth URL feature, you are vulnerable to potential HTTP request smuggling/splitting. There are security products on the market that are using this feature too that are vulnerable.
https://github.com/kubernetes/ingress-nginx/pull/4859/files … Issue fixed by using a named location in the NGINX ingress controller!
@albinowax I found this with your HTTP request smuggling Burp Suite extension. Thank you!
Your DEF CON talk was great too, and the Burp Suite extension is pic.twitter.com/AvmCOfuoPn
Thank you!
I'm sorry. Why not just do curl -H "Host: notlocalhost" "http://example.org/_hidden/index.html …"?
The point is to smuggle the request past a front end load balancer for example.
The links to the Kubernetes, Vestia and the other are not working! Thanks! Do you have an example of the Kubernetes bypass?
Well done