TW - Vincent

Results 108 comments of TW - Vincent

I’m sorry, but I genuinely don’t understand your sentence. It’s not that I “don’t want to explain myself” - it’s simply that I don’t see what, in this context, would...

I don’t see, in any of the tests you included in your previous comment, this exact use case:

```
curl -v 'https://my_domain/my_script.php' \
  -d '{"id_order":"select(sleep(10));"}' \
  -H 'Content-Type:' \
  -H...
```

This is not my use case @azurit - test my use case please.

You don't write this:

```
curl -v 'https://my_domain/my_script.php' \
  -d '{"id_order":"select(sleep(10));"}' \
  -H 'Content-Type:' \
  -H 'Content-Length:' \
  --http2
```

Or this to take your example:

```
curl -v 'https://my_domain/my_script.php' -d...
```

I’m giving you a precise use case - you refuse to use it. And then you tell me it doesn’t work by producing different use cases that have nothing to...

Then it means this use case does not work on all environments. It has been tested and validated here on: Debian 11 – Apache2 2.4.65 – curl/7.74.0 – Apache2 as...

For the POC to work, HTTP/2 must be handled properly - are you sure the server accepts it and is capable of processing it? The POC does not seem to...

Since this is an unintended behaviour on HTTP/2, it’s possible that a more recent version of curl has disabled it. I assume that with this version of curl, you no...

It has been confirmed that the BODY is not removed - meaning the payload does reach its destination (the FPM pools). The same payload can therefore bypass the XML/JSON processors,...

None observed here on guest input - this only affects screens that handle HTML/JS/CSS as input, and even then very rarely, and I wouldn’t consider those to be false positives....