bahruzjabiyev / t-reqs

Grammar-based HTTP/1 fuzzer with mutation ability
MIT License
243 stars 32 forks source link

Question #4

Open serrapa opened 6 months ago

serrapa commented 6 months ago

Hey, I am studying http desync attacks and I ended up in your paper. I also saw a video of you talking about your research on the smuggling topic, very great job!

I have got one question: in the research you talked about the discrepancies among different entities that generally act as reverse proxy, cdn, waf, cache, web server etc... but in your graphes there are discrepancies assigned to pairs like reverse proxy <-> cache proxy. With this path, how you tested the request? I imagine it has to be also sent to a web server...

Can you please explain me how you handle such situation ?

bahruzjabiyev commented 6 months ago

Hi, Paolo.

It is very common for request paths to have two or more reverse proxies and origin server (i.e., a web server) at the end. If you can cause desync between any of two servers (e.g., two reverse proxies), you are already successful, you don't have to worry about the web server.

serrapa commented 6 months ago

Okay I understand, thanks! Are you researching on the "future research" cited in the paper? Because I see this repo is maintained

bahruzjabiyev commented 6 months ago

We maintain this repo, mainly because of its versatility and various applications, not necessarily because I still research request smuggling.