Strongly aggree x3

You'd think they would have reported it after the competition 😬

Yeah, I'm worried that the other teams might've found a different exploit and didn't report it yet.

Yea, would be interested to know what the fix is. I doubt this is the only header manipulation code that might be vulnerable.

@@almightyhydra Is there any time when detecting more than one header is ok? What if you just terminate if more than one is found?

@@guiorgy Couldn't the injected header still just be read first? I feel like the real issue is that batch requests is relying on a supplied IP address that can be forged as localhost.

Idk, why would the plugin need proxy support if the host expects requests only from localhost?

​@@almightyhydra Here's the pull request for the fix: github.com/apache/apisix/pull/6251/files All they did was call str_lower() on the "x-real-ip" header field name. If I understand it correctly overwriting the header happens in nginx. Likely due to the already mentioned reason of enumerating a hashmap in a random order. RFC 7230 ( www.rfc-editor.org/rfc/rfc7230#section-3.2 ): Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.

Super useful when you want to root that pesky device. There's always a fucking webserver and it's apache running PHP. I love shitty technologies, it means I can always POWN my hardware.

@@monad_tcp what kinds of devices are you talking about?

@@FrozenFire1997 smart TVs for example

@@monad_tcp This isn't the apache web server though. It's APISIX, which is not the same software (and in the video it's running on nginx anyway)

Nope

it's a case of hard work over talent

Yeah that's very questionable

Man.. this got me thinking, should I stack the vulnerabilities I find before reporting, and just create a prized challenge? lol. Maybe if the service is containerised I can report it first and use the old containers for the challenge, but then hmm that's impossible since people will just look for changes in the patch. How are real world CTFs actually done?

Yeah it does violate the spirit of the ethical hacking CTFs

@@dennydravis8758 yeah just did a masscan and there are a lot of those not updated yet. executing cross-compiled botnet binary on them for monero mining.

@@damiannowak3811 i hope you're capping because otherwise you just admitted to a crime in public?

@@aescling "in public" settle down buddy, nobody is catching him 💀

@@damiannowak3811 already took skid lol

that's the difference between a hacker and a scriptkiddie.

Funny but also pretty sad. It's honestly pretty shocking and irresponsible that the organizers didn't do it themselves.

@@1vader the organizers probably had a different vulnerability in mind, there's a chance that these guys found something entirely new.

Isn't that markdown? in source files you often find numbered lists with all the points as 1. for easier reordering, because markdown rendering does NOT use the numbers in the document for the resulting list, it's simply that you have a number in front of every line, and then the marker starts at 1 and counts up for each entry. This can be somewhat confusing when viewing the document as plaintext, but it also isn't plaintext and shouldn't be viewed like that, so it's not a huge issue for most people.

This isn't Ed Sheeran.

@@31redorange08 thats literally him check his instagram

I think in this setting any solution would qualify as a 0day, since the challenge involved RCE and was meant to work on the latest version.

pretty sure there was another exploit.

looks like Solarized Dark

Most security vulnerabilities aren’t unique. A lot of them even make it to OWASP top 10 list :) I wouldn’t be surprised at all if there’s 100 different pieces of software out there somewhere that have this exact _kind_ of vulnerability.

Do you know of other stupid gateways that let you dynamically create remote code execution endpoints? lol

@@ThisIsTheInternet there are countless of these api gateways yeah. It is pretty common in stuff like cloud. Serverless also kinda is a framework doing something like this. So is aws lambda kinda. Both not exactly like this but similar goals of having dynamic customer provisioned api endpoints

literally found something similar in a local community SAS

I mean, it's not super advanced stuff. I think the most technical thing was the proof of work code.

yes that was a good punch line i thought too!

why didn't you watch the previous video 🤡 haha

@@LiveOverflow damn i got hacked lol

it could be a python virtual environment, or the name of their ssh sever / docker container, or anything really.

Yup

I have read from a script since I started this channel hahha. There are only a handful of non-scripted videos. But this was the first time wearing glasses while reading of the teleprompter. Maybe I struggled a bit here? 😅

@@LiveOverflow Ahah could be the case, I've never noticed before!

@@LiveOverflow Completely fine IMO :)

Check out his video "the secret hidden guide to hacking."

Rule number 1. Have fun.

This is literally how I made CTF channel videos always. Only very very few are in a different style. Which videos were you thinking about?

I don't know what I mean lol. I guess when there was less full screen cam and more code. Don't get me wrong I love your videos!

thats the password on my luggage!