Antoine Roly
aroly.bsky.social
Hacker, Bug Bounty Hunter, Pentester,...
From Namur, BE.
September 26, 2025 at 4:03 PM
Thanks for the tip!

I'm slowly making progress. For now I can redirect users to arbitrary URLs by poisoning the queue like you showed in your paper.

Stealing other people's responses would be much cooler though :)
May 28, 2025 at 12:47 PM
No clue if this will be exploitable, but it's at least interesting: when I add an incorrect "X-Forwarded-Port" header using HTTP Request Splitting (CRLF injection with Nginx proxy), I trigger an HTTP 400 and I can then tunnel other HTTP1 requests to the backend. Poke @t0xodile.com for the tunneling
May 28, 2025 at 6:51 AM
I often end up testing weird things, but my current test is so weird that @burpsuite.bsky.social can't even handle it properly if I use the Repeater custom action 😅
May 27, 2025 at 1:04 PM
First one on @yeswehack.bsky.social :)
May 27, 2025 at 12:50 PM
I'm a big fan of these issues, but I always struggle to actually exploit them 😅
May 15, 2025 at 9:01 AM
Niiiiiiiiice game #chess #lichess
May 13, 2025 at 11:49 AM
Yep, really weird... This HTTP 504 comes from Cloudflare when I add a Content-Length header using Nginx "CRLF injection" / Request Splitting. The other responses seem to come from the origin server. 🤔😅

But I can't get a valid response unfortunately...
May 2, 2025 at 6:42 PM
When the same HTTP request gets you 3 different response codes, you know something is weird...

And thanks @jameskettle.com for the race condition custom action, it's really convenient to have it directly in Repeater.
May 2, 2025 at 2:49 PM
Bug bounty programs:
- only use your own accounts to test,
- create multiple accounts to test for access control issues,
- use your bug bounty platform email otherwise you're not eligible for a bounty.

Also bug bounty program:
April 30, 2025 at 9:06 AM
When you test a path traversal in a parameter, and you get an HTML error response in a JSON message :)
April 29, 2025 at 7:23 PM
Niiiiice :)
April 17, 2025 at 2:17 PM
@lesoir.be Your intern left a typo :)
April 12, 2025 at 7:05 AM
A very rare fire?
March 27, 2025 at 5:02 PM
🤔
March 11, 2025 at 3:30 PM
Yeah, well... In principle, why not, but it's not really fleshed out :D
March 7, 2025 at 2:26 PM
As a fan of server-side issues in webapps, and having played a bit with "HTTP request splitting" lately, I'm really a big fan of "Http Garden"!

It's so cool to be able to test things locally, and see the result of proxying weird chars in HTTP requests.
February 26, 2025 at 9:48 AM
I should make a thread of all the weird things I ran into while hunting. It's not really useful, but I like these "What the hell?!?" moments :)

This one returns the page code when I do a POST on this aspx endpoint.
February 25, 2025 at 12:33 PM
When you see this, but can't exploit it...
February 22, 2025 at 9:23 AM
February 7, 2025 at 2:39 PM
Another weird one... On this host, all the OPTIONS responses are sent back with all the request's HTTP headers. Probably nothing to do with this, but... why ?
January 31, 2025 at 7:43 AM
... and he just tried to visit my VPS. Hallelujah.
January 27, 2025 at 11:29 AM
Nice :)
January 24, 2025 at 4:02 PM
This occurs 9 times out of 10. @hacker0x01.bsky.social you should really do something about it...
January 21, 2025 at 7:28 AM
By injecting CRLF characters in the URL, I'm able to split the request at the GCP level and inject a different "Host" header for Cloudflare. I then just have to provide my own Cloudflare "Host" header to fetch the content from my server instead of the expected one.
January 17, 2025 at 9:43 AM