👋 Hey! I'm Bartek Nowotarski, a security researcher focusing on critical technologies: protocols, programming languages and popular open-source projects. Check my latest posts below and a list of vulnerabilities I've discovered!
Exploiting authorization by nonce in WordPress plugins
Many WordPress plugins use nonces, and nothing else, to authorize requests. Because a nonce only proves that the request originated from a page the plugin rendered, not that the caller holds the required capability, this pattern frequently leads to privilege escalation. In this article, I elaborate on the WordPress security features connected to nonces and AJAX/REST requests and describe three critical vulnerabilities I’ve found in popular WordPress plugins.
HTTP/2 CONTINUATION Flood: Technical Details
Deep technical analysis of the CONTINUATION Flood: a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat than Rapid Reset: a single machine (and in certain instances a single TCP connection or a handful of frames) can disrupt server availability, with consequences ranging from server crashes to substantial performance degradation. Remarkably, the requests that constitute an attack are not visible in HTTP access logs, because the header block is never completed and so no request is ever registered. A simplified security advisory and the list of affected projects can be found in: HTTP/2 CONTINUATION Flood.
Security Implications of net/textproto.Reader Misuse
net/textproto.Reader should only ever be used on top of an io.LimitReader: its line-reading methods keep buffering until they see a line terminator, so an unbounded stream lets a peer grow the buffer without limit. It turns out that this is often not the case, even in the Golang standard library. This caused Out-Of-Memory crash vulnerabilities in the Golang net/http package (CVE-2023-45290) and in other open-source projects.
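As an added illustration of the rule above (this is example code written for this page, not code from the post or from the Go standard library), the block below places a textproto.Reader directly over an untrusted stream and then over the same stream wrapped in io.LimitedReader. The function names, the ErrHeaderTooLarge error and the "limit exhausted" heuristic (a parse error while lr.N == 0) are choices made for this example; the endless-header reader and the 1 MiB header are constructed inputs. It does not reproduce the exact multipart code path of CVE-2023-45290, only the general misuse pattern.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net/textproto"
	"strings"
)

// ErrHeaderTooLarge is returned by readHeaderBounded when the header block
// does not finish within the byte budget. (Name chosen for this example.)
var ErrHeaderTooLarge = errors.New("header block exceeds byte limit")

// readHeaderUnbounded is the pattern the post warns about: a textproto.Reader
// placed directly over an untrusted stream. ReadMIMEHeader keeps appending to
// its line buffer until it sees CRLF, so one endless header line grows the
// heap without bound.
func readHeaderUnbounded(src io.Reader) (textproto.MIMEHeader, error) {
	tr := textproto.NewReader(bufio.NewReader(src))
	return tr.ReadMIMEHeader()
}

// readHeaderBounded wraps the stream in io.LimitedReader first, so at most
// maxBytes are ever pulled from the peer. If parsing fails after the budget
// is exhausted (lr.N == 0), the failure is reported as ErrHeaderTooLarge
// rather than as a generic EOF or parse error. (Heuristic chosen for this example.)
func readHeaderBounded(src io.Reader, maxBytes int64) (textproto.MIMEHeader, error) {
	lr := &io.LimitedReader{R: src, N: maxBytes}
	tr := textproto.NewReader(bufio.NewReader(lr))
	h, err := tr.ReadMIMEHeader()
	if err != nil {
		if lr.N == 0 {
			return nil, ErrHeaderTooLarge
		}
		return nil, err
	}
	return h, nil
}

// endlessHeader is a constructed malicious peer: it sends "X-Attack: " and then
// an unending run of 'A' bytes with no line terminator.
type endlessHeader struct{ started bool }

func (e *endlessHeader) Read(p []byte) (int, error) {
	if !e.started {
		e.started = true
		return copy(p, "X-Attack: "), nil
	}
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

// bigHeader builds a well-formed header block whose single value is n bytes
// long, to show that the unbounded reader retains all of it in memory.
func bigHeader(n int) string {
	return "X-Long: " + strings.Repeat("A", n) + "\r\n\r\n"
}

func main() {
	// Unbounded: a 1 MiB value is read and retained in full (memory grows with input).
	h, err := readHeaderUnbounded(strings.NewReader(bigHeader(1 << 20)))
	fmt.Println("unbounded value bytes:", len(h.Get("X-Long")), "err:", err)

	// Bounded: a normal header still parses as usual...
	h, err = readHeaderBounded(strings.NewReader("Host: example.com\r\nContent-Length: 5\r\n\r\nhello"), 8192)
	fmt.Println("bounded Host:", h.Get("Host"), "err:", err)

	// ...while the endless header is cut off after 8 KiB instead of exhausting memory.
	_, err = readHeaderBounded(&endlessHeader{}, 8192)
	fmt.Println("bounded endless header err:", err)
}
```

The budget belongs on the byte stream, not on the number of headers: a single oversized field is enough to exhaust memory, and textproto itself gives the caller no per-line limit to set.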
HTTP Chunk Extension Processing Vulnerabilities
I discovered a family of vulnerabilities in major projects including Golang, Node.js, Hyper (Rust HTTP library) and Puma (Rails HTTP library). Invalid processing of HTTP chunk extensions created an amplification vector for server reads: each chunk could carry kilobytes of extension bytes for a single byte of body data, enabling DoS attacks through network-bandwidth or CPU exhaustion.
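To make the amplification concrete, here is an added example (written for this page; it is not code from the post or from any of the affected projects) with a small chunked-body decoder in two modes. The naive mode strips chunk extensions and keeps reading however long they are; the budgeted mode counts every framing byte and aborts once overhead exceeds a fixed budget plus the body bytes delivered so far. The budgeting rule, the ErrChunkOverhead error and the maxChunkSize cap are choices for this example and are not claimed to match the projects' actual fixes; the attack body is a constructed input.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrChunkOverhead is returned when chunk framing (size lines, extensions,
// CRLFs) outweighs the body data by more than the allowed budget.
// (Name and budgeting rule chosen for this example.)
var ErrChunkOverhead = errors.New("chunked encoding: framing overhead exceeds budget")

const maxChunkSize = 1 << 20 // defensive cap on a single chunk so make() stays sane

// buildAttackBody constructs a chunked body of n chunks, each carrying one
// data byte and a chunk extension of extLen bytes. Constructed sample input
// standing in for what an attacker would send.
func buildAttackBody(n, extLen int) []byte {
	var b bytes.Buffer
	ext := ";x=" + strings.Repeat("a", extLen)
	for i := 0; i < n; i++ {
		b.WriteString("1" + ext + "\r\nZ\r\n")
	}
	b.WriteString("0\r\n\r\n")
	return b.Bytes()
}

// decodeChunked decodes a chunked transfer-coding body and reports how many
// bytes went to data and how many to framing. maxOverhead < 0 selects the
// naive behaviour: extensions are stripped and discarded however long they
// are. maxOverhead >= 0 aborts as soon as overhead exceeds maxOverhead plus
// the data delivered so far, so a peer cannot make the server read thousands
// of framing bytes per body byte.
func decodeChunked(src io.Reader, maxOverhead int64) (body []byte, overhead, data int64, err error) {
	br := bufio.NewReader(src)
	for {
		line, rerr := br.ReadSlice('\n') // bufio's buffer caps one line at 4096 bytes
		if rerr != nil {
			if errors.Is(rerr, bufio.ErrBufferFull) {
				rerr = errors.New("chunked encoding: size line too long")
			}
			return body, overhead, data, rerr
		}
		overhead += int64(len(line))
		if maxOverhead >= 0 && overhead > maxOverhead+data {
			return body, overhead, data, ErrChunkOverhead
		}
		// chunk-size [ chunk-ext ] CRLF: the extension starts at the first ';'.
		sizeField := strings.TrimRight(string(line), "\r\n")
		if i := strings.IndexByte(sizeField, ';'); i >= 0 {
			sizeField = sizeField[:i]
		}
		size, perr := strconv.ParseUint(strings.TrimSpace(sizeField), 16, 64)
		if perr != nil || size > maxChunkSize {
			return body, overhead, data, fmt.Errorf("chunked encoding: bad chunk size %q", sizeField)
		}
		if size == 0 {
			// Last chunk: consume the (possibly empty) trailer section up to the blank line.
			for {
				l, terr := br.ReadSlice('\n')
				if terr != nil {
					return body, overhead, data, terr
				}
				overhead += int64(len(l))
				if len(bytes.TrimRight(l, "\r\n")) == 0 {
					return body, overhead, data, nil
				}
			}
		}
		buf := make([]byte, size+2) // chunk data plus its trailing CRLF
		if _, rerr := io.ReadFull(br, buf); rerr != nil {
			return body, overhead, data, rerr
		}
		if !bytes.Equal(buf[size:], []byte("\r\n")) {
			return body, overhead, data, errors.New("chunked encoding: missing CRLF after chunk data")
		}
		body = append(body, buf[:size]...)
		data += int64(size)
		overhead += 2
	}
}

func main() {
	attack := buildAttackBody(100, 4000)

	// Naive decoder: reads roughly 400 KB of framing to produce 100 body bytes.
	body, overhead, data, err := decodeChunked(bytes.NewReader(attack), -1)
	fmt.Printf("naive: body=%d data=%d overhead=%d ratio=%d err=%v\n",
		len(body), data, overhead, overhead/data, err)

	// Budgeted decoder: gives up on the second oversized chunk line.
	_, overhead, data, err = decodeChunked(bytes.NewReader(attack), 4096)
	fmt.Printf("budgeted: data=%d overhead=%d err=%v\n", data, overhead, err)

	// A normal body is unaffected by the budget.
	body, _, _, err = decodeChunked(strings.NewReader("5\r\nhello\r\n0\r\n\r\n"), 4096)
	fmt.Printf("normal: %q err=%v\n", body, err)
}
```

The point of tying the budget to bytes already delivered is that a legitimate body with many small chunks keeps earning headroom, while a stream that is almost entirely extensions runs out of budget within a couple of chunks.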