some methods bypassing apache and mod_sec with chunked requests

mex

Jul 28, 2014, 1:55:34 AM
to naxsi-discuss
tl;dr: if you use Transfer-Encoding: Chunked instead of
Transfer-Encoding: chunked you are able to bypass
mod_security

http://martin.swende.se/blog/HTTPChunked.html


i'm gonna test this attack against naxsi/nginx
(some of the attacks are apache-related)
and post results here (if nobody has done it so far)
maybe another entry for the famous naxsi vs world :D

https://github.com/nbs-system/naxsi/wiki/naxsivsobfuscated



regards,


mex

p.s.: maybe i posted about the vuln earlier, i just noticed because of
a debian-dsa
https://www.debian.org/security/2014/dsa-2991
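
Added example, not part of the original post and not mod_security or naxsi code: a check for the case mismatch described in the tl;dr, comparing a case-sensitive match on the transfer coding with the case-insensitive match HTTP/1.1 specifies, and listing the requests where the two disagree. Function names and sample requests are constructed for illustration.

```python
def final_coding(value):
    """Return the last transfer-coding name in a Transfer-Encoding value,
    with parameters and surrounding whitespace removed, case preserved."""
    names = [item.split(";", 1)[0].strip() for item in value.split(",")]
    names = [n for n in names if n]
    return names[-1] if names else ""


def is_chunked_case_sensitive(value):
    """Flawed check: only the exact lower-case spelling counts as chunked."""
    return final_coding(value) == "chunked"


def is_chunked(value):
    """Corrected check: transfer-coding names are case-insensitive."""
    return final_coding(value).lower() == "chunked"


def find_disagreements(requests):
    """Return ids of requests that the case-sensitive check treats as
    non-chunked although an HTTP/1.1 server decodes the body as chunked,
    i.e. requests whose body a filter using that check would not inspect."""
    flagged = []
    for req_id, headers in requests:
        for name, value in headers:
            # Header field names are case-insensitive as well.
            if name.lower() != "transfer-encoding":
                continue
            if is_chunked(value) and not is_chunked_case_sensitive(value):
                flagged.append(req_id)
                break
    return flagged


# Constructed sample requests (id, header list); not taken from real traffic.
SAMPLE = [
    ("r1", [("Host", "example.test"), ("Transfer-Encoding", "chunked")]),
    ("r2", [("Host", "example.test"), ("Transfer-Encoding", "Chunked")]),
    ("r3", [("Host", "example.test"), ("transfer-encoding", "CHUNKED")]),
    ("r4", [("Host", "example.test"), ("Transfer-Encoding", "gzip, chunked")]),
    ("r5", [("Host", "example.test"), ("Content-Length", "12")]),
]

if __name__ == "__main__":
    print(find_disagreements(SAMPLE))
```

The same comparison can be run over logged request headers to find traffic that a case-sensitive filter would have passed without inspecting the body.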