Request smuggling - do more than running tools! HTTP Request smuggling bug bounty case study

  • Published 19 Dec 2024

COMMENTS • 33

  • @BugBountyReportsExplained 8 months ago +3

    Thank you for watching this video. If you've learnt something new, leave a like to show me that you appreciate it!

    • @michamoneta669 7 months ago

      A pity there is no Polish translation. Think about it 😉

    • @BugBountyReportsExplained 7 months ago

      @@michamoneta669 I've thought about it more than once and came to the conclusion that if someone wants to grow in web security, they have to know English anyway

    • @michamoneta669 7 months ago

      You're an outstanding pentester and it would be nice to at least have Polish subtitles. I'm about to work on my English with Wiki Sitko and I'm also working through the Security Starter package from Szkoła Maćka Kofla (Maciek Kofel's school). Cybersec is a great thing, I just don't know whether it's already too late for me..... I mean my age. 🤔 I subscribed to your channel, well, I'll listen in English 😁

  • @musawerkhan9817 6 months ago +1

    Why do we have to use a whitespace character? Please clarify how this is possible.

    • @musawerkhan9817 6 months ago

      And also, how can we figure out whether a backend is using HTTP/1.1, HTTP/2 or HTTP/3?

  • @HerlockShomes 7 months ago

    Hi, thanks for the video. Can I get the Notion link of the reports?

  • @day0xyz1 8 months ago

    In addition to the Burp plugin HTTP Request Smuggler, what other methods can find this vulnerability? 🤒

  • @crlfff 8 months ago +1

    I've watched so many videos, done courses on HTTP request smuggling and still don't understand. I'm thinking about making an HTTP server in C to exploit it myself to understand it better

    • @huzaifamuhammad8044 8 months ago

      Is it that you didn't understand, or that you couldn't exploit an HRS in the wild?
      I did understand the bug class but I never found one in the wild.

    • @crlfff 8 months ago

      @@huzaifamuhammad8044 well maybe, I'm testing a target right now and I have two responses but I'm not sure if it's a false positive or not

    • @BugBountyReportsExplained 8 months ago +3

      A few years ago I made a video about the basics of request smuggling, maybe that will help: ua-cam.com/video/gzM4wWA7RFo/v-deo.html

  • @balsonga 8 months ago +1

    🧉 mate time 19:24

  • @fengzhi-p1f 2 months ago

    Hello, I have some questions about HTTP request smuggling. How can I contact you on Discord?

  • @javeleyjaveley 8 months ago

    Can you share the Notion reports?

    • @BugBountyReportsExplained 8 months ago

      At this point I don't know if you're trolling me or just haven't watched the video, but I answered this at 6:57

    • @InfoSecIntel 6 months ago

      I think he means the database, which I also just tweeted you about because I can't find it

    • @BugBountyReportsExplained 6 months ago

      @@InfoSecIntel it's at the bottom of the article that's linked in the description

    • @InfoSecIntel 6 months ago

      Thank you. I see so many people ask this question, so sorry lol; that database in the article looks like an image, so that's what I always thought it was. But you mention it in the video. Thanks again.

    • @BugBountyReportsExplained 6 months ago

      @@InfoSecIntel No problem ;) There's also a link to the same database in Notion below that embedded database.

  • @airsky21 6 months ago

    How to contact you privately?

  • @alvarobalada6528 8 months ago +2

    Next Video: $$.$$$ bounty using request smuggling

  • @kunshtanwar4765 8 months ago

    Hey dude, great video as always.
    I've had a question for so long, after completing all the labs related to HTTP request smuggling from PortSwigger: I am able to identify HRS vulnerabilities using the detection method, and even the Smuggler tool, but I'm never able to showcase a fool-proof POC, because I have seen people use Turbo Intruder for that, like here at 6:26, and I couldn't find a place to learn that. So I request that you make a video on how to actually make a POC, or show the IMPACT as we say, because there are so many places where I couldn't show the actual POC; it was annoying.

    • @BugBountyReportsExplained 8 months ago

      There are many scenarios and many contexts, and I couldn't make one video to cover all exploit methods. If you believe you have a valid bug but can't piece together an exploit, DM me on Twitter or Discord and I'll try to exploit it.
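Three of the questions in this thread (why a whitespace character is needed in the header, how to tell a real desync from a false positive when you get "two responses", and what the first step of a POC looks like) are really the same question: which bytes does each of the two servers think belong to the current request? The following is an added example, not code from the video or its author. It models two hypothetical HTTP/1.1 parsers that differ only in how they treat a field-name with a space before the colon (`Transfer-Encoding : chunked`): the "strict" one silently ignores that header (a simplification; a real server may instead reject the request with 400), the "lenient" one strips the space and honours it. The requests, the `example.test` host and the `SMUGGLED` marker are constructed for the demonstration.

```python
"""Toy model of an HTTP/1.1 front-end/back-end request-boundary desync.

Added example, not code from the video or its author. Parser behaviour is a
deliberate simplification: "strict" drops a header whose name has trailing
whitespace, "lenient" strips the whitespace and uses the header.
"""
from dataclasses import dataclass


def chunked_consumed(body: bytes) -> tuple[int, bool]:
    """Walk a chunked body. Return (bytes consumed, True if the parser must wait for more)."""
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl == -1:
            return len(body), True          # no complete chunk-size line yet
        size_field = body[pos:nl].split(b";")[0].strip()
        if not size_field:
            return len(body), True          # empty size line: still waiting
        size = int(size_field, 16)
        pos = nl + 2
        if size == 0:                       # last-chunk, then an empty trailer section
            if body[pos:pos + 2] != b"\r\n":
                return len(body), True
            return pos + 2, False
        if len(body) < pos + size + 2:      # chunk data plus its CRLF not fully here
            return len(body), True
        pos += size + 2


@dataclass
class Parser:
    name: str
    strict_field_names: bool   # True: ignore a header whose name has whitespace before ':'
    supports_chunked: bool     # True: Transfer-Encoding: chunked wins over Content-Length

    def headers(self, head: bytes) -> dict[bytes, bytes]:
        found = {}
        for line in head.split(b"\r\n")[1:]:           # skip the request line
            name, _, value = line.partition(b":")
            if self.strict_field_names and name != name.rstrip():
                continue                               # "Transfer-Encoding : chunked" dropped
            found[name.strip().lower()] = value.strip().lower()
        return found

    def consume(self, head: bytes, body: bytes) -> tuple[int, bool]:
        """(bytes of body belonging to this request, True if the parser blocks for more)."""
        hdrs = self.headers(head)
        if self.supports_chunked and hdrs.get(b"transfer-encoding") == b"chunked":
            return chunked_consumed(body)
        length = int(hdrs.get(b"content-length", b"0"))
        return min(length, len(body)), length > len(body)


def simulate(raw: bytes, front: Parser, back: Parser) -> tuple[bool, bool, bytes]:
    """Return (front_waits, back_waits, bytes the back-end treats as the NEXT request)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    f_used, f_waits = front.consume(head, body)
    if f_waits:
        return True, False, b""             # front-end never forwards: no desync signal
    forwarded = body[:f_used]               # only this much reaches the back-end
    b_used, b_waits = back.consume(head, forwarded)
    return False, b_waits, forwarded[b_used:]


# Hypothetical server pairs (assumption: both understand chunked encoding).
FRONT_STRICT = Parser("front-end", strict_field_names=True, supports_chunked=True)
BACK_LENIENT = Parser("back-end", strict_field_names=False, supports_chunked=True)
FRONT_LENIENT = Parser("front-end", strict_field_names=False, supports_chunked=True)
BACK_STRICT = Parser("back-end", strict_field_names=True, supports_chunked=True)

# Constructed requests; the CL_TE body "0\r\n\r\nSMUGGLED" is exactly 13 bytes.
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 13\r\n"
         b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\nSMUGGLED")
CLEAN = CL_TE.replace(b"Transfer-Encoding : chunked", b"Transfer-Encoding: chunked")
CL_TE_TIMING = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
                b"Transfer-Encoding : chunked\r\n\r\n1\r\nA\r\nX")
TE_CL = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding : chunked\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req, front, back in [
        ("CL.TE, obfuscated TE header", CL_TE, FRONT_STRICT, BACK_LENIENT),
        ("CL.TE, clean TE header (both honour it)", CLEAN, FRONT_STRICT, BACK_LENIENT),
        ("CL.TE timing probe", CL_TE_TIMING, FRONT_STRICT, BACK_LENIENT),
        ("TE.CL, obfuscated TE header", TE_CL, FRONT_LENIENT, BACK_STRICT),
    ]:
        print(f"{label}: {simulate(req, front, back)}")
```

The clean-header case is the answer to the whitespace question: when both servers honour `Transfer-Encoding: chunked` they agree on the boundary and nothing is left over, so the attacker needs a header variant that exactly one of them accepts. The timing probe shows the detection signal that tools look for: the front-end forwards the request normally, but the back-end keeps waiting for the rest of a chunk, so the response is delayed. The leftover bytes in the CL.TE and TE.CL cases are what a POC builds on; they become the prefix of whichever request arrives next on that back-end connection, which is why "two responses" alone is not proof: repeat the probe, compare it against the clean variant on the same connection, and confirm the leftover bytes actually affect another request before calling it a finding.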

  • @airsky21 7 months ago

    Hello, I am from China. I like the video content of your channel very much. I want more people to learn about these vulnerabilities. Can I translate your video and repost it to the Chinese bilibili video website? I will mark your UA-cam address on the video page, thank you

  • @adampauloantony3097 8 months ago

    thanks👍

  • @gespoL- 8 months ago

    Nailed it