by bkallus on 2/5/24, 7:48 PM with 3 comments
I started the internship having never worked with web servers, and have now found over 100 HTTP implementation bugs. I attribute this mostly to the ease of experimentation in the Garden. REPL-oriented fuzzing is just a really good interface for finding parsing bugs. It's pretty neat to able to run a differential fuzzer, categorize and display all the discovered discrepancies, then let a human pick through them and interact with fuzz targets to test whether the bugs are exploitable.
Some notable server combinations in which we discovered new request smuggling attacks include Google Cloud <-> Node.js, Akamai <-> Node.js, [almost anything] <-> LiteSpeed, and OpenBSD relayd <-> [anything].
We also found an infinite loop DoS in Cesanta Mongoose that affects all configurations, and a null pointer dereference that can crash any OpenBSD httpd server that uses FastCGI.
by Retr0id on 2/5/24, 10:59 PM
Fun. I believe the fix is incomplete here[1]. Python's int() constructor (and related methods) accepts integers comprised of any unicode numeral, for example, int("٦٦٦") == 666, and "٦٦٦".isdecimal() == True.
NB: I haven't tested this more thoroughly and I'm not sure I'm actually looking at the right diff for the fix.
[1] https://github.com/aio-libs/aiohttp/pull/7663/files#diff-197...
by tialaramex on 2/5/24, 8:55 PM