Unpopular opinion:

HTTP Request Smuggling isn’t just a “cool technical bug”.

It’s a design-level issue caused by inconsistent HTTP parsing across layers.

CL.TE and TE.CL aren’t the root cause — they’re symptoms.

As long as frontends and backends interpret request boundaries differently, this class of bugs will keep coming back.

Deep dive 👇

https://coderlegion.com/16431/understanding-http-request-smuggling-beyond-the-basics

#RequestSmuggling #WebAppSec #Infosec

Understanding HTTP Request Smuggling Beyond the Basics

HTTP Request Smuggling is often described as a technique to bypass WAFs or exploit parsing inconsistencies. That explanation is technically correct, but incomplete. The real issue is not about crafted payloads. It is about how different components in...

Coder Legion

Cloud server privilege takeover vulnerability abusing header injection (CRLF) in the Axios library

A **header injection (CRLF) vulnerability** has been found in the Axios library (versions 1.14.1 and 0.30.4). By exploiting it, an attacker can **chain it with a prototype pollution vulnerability in another library (not Axios alone)**, perform **request smuggling** to **bypass the AWS metadata service (IMDSv2)** on cloud servers, and **steal IAM credentials**, taking over administrator privileges. The attack **stems from Axios failing to filter line-break characters in headers**, and it can have a critical impact in cloud environments.

https://news.hada.io/topic?id=28503

#axios #crlfinjection #cloudsecurity #requestsmuggling #awsimdsv2

Cloud server privilege takeover vulnerability abusing header injection (CRLF) in the Axios library | GeekNews

This vulnerability is a critical bug that lets an attacker take over administrator privileges on cloud servers such as AWS. Attack chain: this attack does not happen with Axios alone. If another library installed in your project has a vulnerability (prototype pollution), the attacker uses it as a stepping stone and wields Axios as a gadget. Header injection

GeekNews
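Added illustration of the mechanism the post names, CR/LF in a header value reaching the wire. This is not Axios's code and not from the GeekNews post: a header serializer with no validation, the same serializer with the check that stops the injection, and a counter of how many request lines the resulting bytes contain. The attacker-controlled value, the hosts, the X-Trace header and the /admin path are constructed placeholders; the prototype-pollution step that plants the value in the real chain is not modelled, the value is simply passed in.

```python
import re

# A request line at the start of a CRLF-terminated line (re.M makes ^ and $ per line).
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r$", re.M)
CR_OR_LF = re.compile(rb"[\r\n]")


def serialize_naive(method, path, headers, body=b""):
    """Build an HTTP/1.1 request with no validation of header values, so any
    CR/LF inside a value reaches the wire unchanged (the bug class in the post)."""
    lines = [b"%s %s HTTP/1.1" % (method, path)]
    lines += [b"%s: %s" % (k, v) for k, v in headers.items()]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


def serialize_safe(method, path, headers, body=b""):
    """Same framing, but reject CR or LF in any header name or value before
    serializing, so a value can never end its line or start another request."""
    for k, v in headers.items():
        if CR_OR_LF.search(k) or CR_OR_LF.search(v):
            raise ValueError("CR/LF in header %r" % k)
    return serialize_naive(method, path, headers, body)


def request_lines_on_wire(raw):
    """Request lines a CRLF-framed peer would find in raw; more than one means
    a single API call produced more than one request on the connection."""
    return [m.rstrip(b"\r") for m in REQUEST_LINE.findall(raw)]


def safe_rejects(headers):
    """True if serialize_safe refuses this header set."""
    try:
        serialize_safe(b"GET", b"/", headers)
    except ValueError:
        return True
    return False


# Constructed attacker-controlled value (placeholder).  In the post's chain it
# would be planted via prototype pollution in another library; that step is
# not modelled here.  The hosts and /admin are placeholders as well.
EVIL = (b"x\r\n\r\n"                       # ends the legitimate request
        b"GET /admin HTTP/1.1\r\n"         # and starts a smuggled one
        b"Host: internal.example.test\r\n"
        b"Content-Length: 0")
HEADERS = {b"Host": b"api.example.test", b"X-Trace": EVIL}

if __name__ == "__main__":
    print(request_lines_on_wire(serialize_naive(b"GET", b"/", HEADERS)))
    print("safe serializer rejects:", safe_rejects(HEADERS))
```

Rejecting CR and LF is the minimum; a complete check follows the RFC 9110 field-value grammar and also refuses NUL and other control bytes, and it has to be applied to header names as well as values, since a polluted name is just as good a line terminator as a polluted value.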

Funky Chunks: Abusing Chunk Line Terminators for Request Smuggling

Investigates ambiguous chunk-line terminators enabling HTTP request smuggling via non-standard chunk parsing.

https://w4ke.info/2025/06/18/funky-chunks.html

#RequestSmuggling #HTTPParsing

Funky chunks: abusing ambiguous chunk line terminators for request smuggling

Jeppe’s place

w4ke.info
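Added example, not code from either linked article or from the posts above, tying together the first post's point (CL.TE and TE.CL are symptoms of layers framing the same bytes differently) and the funky-chunks post (a chunk-line terminator that one parser accepts and another does not is the same kind of disagreement). Three toy parsers are run over three constructed streams: one that trusts Content-Length, one chunked decoder that ends chunk lines only at CRLF and skips anything after the size digits as a chunk extension, and one that also accepts a bare LF. The parser behaviours, example.test and /admin are assumptions and placeholders, not a description of any specific product.

```python
import re

CRLF = b"\r\n"
HEX = re.compile(rb"^[0-9A-Fa-f]+")


def split_head(buf, start):
    """(request_line, {lower-cased name: value}, offset of first body byte)."""
    end = buf.find(b"\r\n\r\n", start)
    if end < 0:
        raise ValueError("incomplete request head")
    lines = buf[start:end].split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def read_line(buf, pos, bare_lf_ok):
    """One chunk-framing line.  Strict: ends only at CRLF.  Lenient: a bare LF
    also ends it (the chunk-line terminator ambiguity of funky chunks)."""
    nl = buf.find(b"\n" if bare_lf_ok else CRLF, pos)
    if nl < 0:
        raise ValueError("incomplete chunk line")
    return (buf[pos:nl].rstrip(b"\r"), nl + 1) if bare_lf_ok else (buf[pos:nl], nl + 2)


def decode_chunked(buf, pos, bare_lf_ok):
    """Decode a chunked body at buf[pos] -> (body, offset past it).  Text after
    the leading hex digits of a size line is skipped as a chunk extension
    (assumed parser behaviour); trailer fields are not supported."""
    body = b""
    while True:
        line, pos = read_line(buf, pos, bare_lf_ok)
        m = HEX.match(line)
        if not m:
            raise ValueError("bad chunk-size line: %r" % line)
        size = int(m.group(), 16)
        if size == 0:
            _, pos = read_line(buf, pos, bare_lf_ok)  # empty line ends the body
            return body, pos
        body += buf[pos:pos + size]
        pos += size
        term, pos = read_line(buf, pos, bare_lf_ok)  # terminator after chunk data
        if term:
            raise ValueError("junk after chunk data: %r" % term)


def parse_stream(buf, policy):
    """Split one connection's bytes into (request_line, body) pairs as a layer
    with the given framing policy would:
      'cl'          Content-Length wins, Transfer-Encoding is ignored
      'te-crlf'     chunked; chunk lines end only at CRLF (RFC 9112)
      'te-bare-lf'  chunked; a bare LF also ends a chunk line"""
    requests, pos = [], 0
    while pos < len(buf):
        req_line, hdrs, body_start = split_head(buf, pos)
        if policy != "cl" and b"chunked" in hdrs.get(b"transfer-encoding", b"").lower():
            body, pos = decode_chunked(buf, body_start, policy == "te-bare-lf")
        else:
            n = int(hdrs.get(b"content-length", b"0"))
            body, pos = buf[body_start:body_start + n], body_start + n
        requests.append((req_line, body))
    return requests


def request_lines(buf, policy):
    return [r for r, _ in parse_stream(buf, policy)]


# Constructed sample streams (placeholders, not captured traffic).
HOST = b"Host: example.test\r\n"
SMUGGLED = b"GET /admin HTTP/1.1\r\n" + HOST + b"\r\n"

# CL.TE: Content-Length covers everything; a chunked parser stops at the
# 0-chunk and reads what follows as a second request.
CL_TE = (b"POST / HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: chunked\r\n" +
         b"Content-Length: %d\r\n\r\n" % (5 + len(SMUGGLED)) + b"0\r\n\r\n" + SMUGGLED)

# TE.CL: a chunked parser sees one request whose chunk carries /admin; a
# Content-Length parser takes only the 4-byte size line as body, then parses
# /admin, whose own Content-Length: 7 swallows the trailing "\r\n0\r\n\r\n".
CHUNK = b"GET /admin HTTP/1.1\r\n" + HOST + b"Content-Length: 7\r\n\r\n"
TE_CL = (b"POST / HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: chunked\r\n" +
         b"Content-Length: 4\r\n\r\n" + b"%x\r\n" % len(CHUNK) + CHUNK + b"\r\n0\r\n\r\n")

# Chunk-line terminator ambiguity: "18;\n" is a complete size line to the
# lenient parser (24 'A' bytes follow), while the strict parser runs on to the
# CRLF after the A's and takes "0\r\n\r\nGET /admin HTTP/1.1" as the chunk data.
FUNKY = (b"POST / HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: chunked\r\n\r\n" +
         b"18;\n" + b"A" * 24 + b"\r\n0\r\n\r\n" + b"GET /admin HTTP/1.1\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, stream, pair in (("CL.TE", CL_TE, ("cl", "te-crlf")),
                               ("TE.CL", TE_CL, ("te-crlf", "cl")),
                               ("chunk line", FUNKY, ("te-crlf", "te-bare-lf"))):
        print(name, {p: request_lines(stream, p) for p in pair})
```

In every case the bytes are identical; only the framing policy differs, and whichever layer sees two requests where the other saw one will process the second request without the first layer having inspected it. Note that none of the three parsers raises an error on any of the three streams: the desync is invisible to each side on its own, which is why this has to be tested by comparing layers rather than by auditing either one.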

Had a very interesting vuln disclosure experience today. I found a pre-auth RCE in F5-BIGIP admin panels (yes...the same one that's had RCE issues for years - there's more) with my coworker Thomas Hendrickson.

We went to report to F5 at the beginning of the month and had some back and forth with them over the disclosure timeline. We're not in a rush, we figured it would take a month or two to disclose, but they wanted to publish it in February 2024. That's a long time to wait for a pre-auth RCE bug, so we asked for it to be sooner, but with 48 hours notice so we could coordinate with our customers appropriately. They said they were fine with that.

Then last night at 8PM ET, we get an email that they're dropping the advisory + hotfix in 16 hours. We asked why and were told "we believe this vulnerability is now known outside of F5 and Praetorian thus forcing our hands at an immediate disclosure". The advisory was published a few hours ago - https://my.f5.com/manage/s/article/K000137353. No patch, but there's a hotfix you can run on some versions of F5s. A few versions have been marked as "will not fix", so this is a permanent way to pop them.

Simultaneously, a blog post that we referenced heavily for AJP Request Smuggling disappeared off the internet (the author locked every post they'd made since 2016). The posts were live 10 days or so ago.

It's likely all a huge coincidence - but regardless, if you want to read about a bug-chain to pop internet exposed F5 Management Panels or learn about AJP Request Smuggling, take a look over at https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/.

Once the patch has had a little bit of time to be applied, we'll drop the rest of the technical information about the bug.

If anyone here is aware of this being exploited in the wild, I'd love to hear about it. Tagging a few folks who are a bit more in the know (apologies if this is spammy, but I'm curious).

On the IoC side it's a bit tricky because the bug relies on abusing a bug in Apache, so I have no idea what it actually looks like in the logs. The raw request will have "Transfer-Encoding: <a valid value>, chunked" as one of the headers. For example "Transfer-Encoding: gzip, chunked" or "Transfer-Encoding: chunked, chunked".

I know it's no #citrixbleed, but this is a pretty bad bug if you're one of the thousands of orgs that still has an F5 config panel on the internet.

@GossiTheDog
@greynoise

#f5 #rce #vr #requestSmuggling #ajp #disclosure

myF5
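Added detection sketch, not from the post above and not Praetorian's code: a check for the header shape the post gives as the indicator, a Transfer-Encoding value that lists chunked together with another coding ("gzip, chunked", "chunked, chunked"). It runs over constructed raw requests (the hostname is a placeholder) and generalizes slightly by flagging any coding list that contains chunked plus anything else, in either order, while leaving a lone "Transfer-Encoding: chunked" alone.

```python
import re

HEAD_END = re.compile(rb"\r?\n\r?\n")


def te_coding_lists(raw_request):
    """One list of codings per Transfer-Encoding header in the request head
    (comma-split, trimmed, lower-cased).  Tolerates bare-LF line endings."""
    head = HEAD_END.split(raw_request, 1)[0]
    lists = []
    for line in head.split(b"\n")[1:]:
        name, sep, value = line.rstrip(b"\r").partition(b":")
        if sep and name.strip().lower() == b"transfer-encoding":
            lists.append([c.strip().lower() for c in value.split(b",") if c.strip()])
    return lists


def matches_ioc(raw_request):
    """True for the header shape the post describes: a Transfer-Encoding value
    listing 'chunked' alongside another coding.  A lone 'chunked' is normal."""
    return any(b"chunked" in codings and len(codings) > 1
               for codings in te_coding_lists(raw_request))


def flag(requests):
    """Names of the (name, raw_request) pairs that match, in input order."""
    return [name for name, raw in requests if matches_ioc(raw)]


# Constructed sample requests (placeholder hostname, not captured traffic).
SAMPLES = [
    ("plain", b"GET / HTTP/1.1\r\nHost: bigip.example.test\r\n\r\n"),
    ("chunked", b"POST / HTTP/1.1\r\nHost: bigip.example.test\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    ("gzip,chunked", b"POST / HTTP/1.1\r\nHost: bigip.example.test\r\n"
                     b"Transfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n"),
    ("chunked,chunked", b"POST / HTTP/1.1\r\nHost: bigip.example.test\r\n"
                        b"transfer-encoding: chunked, chunked\r\n\r\n0\r\n\r\n"),
]

if __name__ == "__main__":
    print(flag(SAMPLES))
```

This matches on raw request bytes. Since the post says the bug abuses Apache's handling and that it is unclear what ends up in the logs, run it over full request captures (a proxy's raw request dump or reassembled pcap streams) rather than over access-log lines, which usually record only the request line and never the Transfer-Encoding header.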