1. Hypertext Transfer Protocol Version 2 (HTTP/2), https://tools.ietf.org/html/rfc7540

2. Hypertext Transfer Protocol Version 3 (HTTP/3), https://quicwg.org/base-drafts/draft-ietf-quic-http.html

3. Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing, https://tools.ietf.org/html/rfc7230. In the context of HTTP it is also worth consulting the collected indexes of specifications: HTTP Documentation, https://httpwg.org/specs/, and: HTTP resources and specifications, https://developer.mozilla.org/en-US/docs/Web/HTTP/Resources_and_specifications

4. Simple Service Discovery Protocol [in:] Wikipedia, the free encyclopedia, https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

5. CRLF [in:] Wikipedia, wolna encyklopedia (Polish edition), https://pl.wikipedia.org/wiki/CRLF. See also the comment thread under the post: Kto zaproponuje jakieś zgrabne tłumaczenie CRLF? (Who can propose a neat Polish translation of CRLF?) [29.01.2019], https://www.facebook.com/sekurak/posts/2954887951204013

6. Hypertext Transfer Protocol -- HTTP/1.1…, section 5.1.1 Method, https://tools.ietf.org/html/rfc2616#section-5.1.1

7. Hypertext Transfer Protocol (HTTP) Method Registry, https://www.iana.org/assignments/http-methods/http-methods.xhtml

8. Uniform Resource Locators (URL), https://tools.ietf.org/html/rfc1738

9. These apply to HTTP as well; see e.g.: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing, https://tools.ietf.org/html/rfc7230

10. Uniform Resource Identifier (URI): Generic Syntax, https://tools.ietf.org/html/rfc3986

11. Report from the Joint W3C/IETF URI Planning Interest Group: Uniform Resource Identifiers (URIs), URLs, and Uniform Resource Names (URNs): Clarifications and Recommendations, https://tools.ietf.org/html/rfc3305

12. An example can be found in: Kettle J., Cracking the lens: targeting HTTP's hidden attack-surface, section Host overriding, https://portswigger.net/blog/cracking-the-lens-targeting-https-hidden-attack-surface

13. Examples of such requests can be seen here: inf0seq, Directory Traversal in Axway File Transfer Direct, https://inf0seq.github.io/cve/2019/01/20/Directory-Traversal-in-Axway-File-Transfer-Direct.html, and: Regel J., [CVE-2017-7240] Miele Professional PG 8528 – Web Server Directory Traversal, https://seclists.org/fulldisclosure/2017/Mar/63

14. Krawaczyński P., Nagłówek X-Forwarded-For – problemy bezpieczeństwa… (The X-Forwarded-For header: security problems), https://sekurak.pl/naglowek-x-forwarded-for-problemy-bezpieczenstwa/

15. Bentkowski M., Jak w prosty sposób zwiększyć bezpieczeństwo aplikacji webowej (A simple way to improve the security of a web application), https://sekurak.pl/jak-w-prosty-sposob-zwiekszyc-bezpieczenstwo-aplikacji-webowej/

16. Wnękowicz M., Czy SSL szyfruje URL-e? (Does SSL encrypt URLs?), https://sekurak.pl/czy-ssl-szyfruje-url-e/

17. See also: Referer header: privacy and security concerns, https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns

18. See Abma J. (jobert), Unauthenticated blind SSRF in OAuth Jira authorization controller, https://hackerone.com/reports/398799

19. See e.g.: O’Brien M. (mobsense), Null dereference for invalid Host and If-Modified-* headers, https://github.com/embedthis/appweb/issues/605

20. See Cable J. (cablej), Password reset link Injection allows redirect to malicious URL, https://hackerone.com/reports/281575; Cable J. (cablej), Don't Trust the Host Header for Sending Password Reset Emails, https://lightningsecurity.io/blog/host-header-injection/; Golunsky D., CVE-2017-8295: WordPress 2.3-4.8.3 Unauthorized Password Reset/Host Header Injection Vulnerability Exploit, https://www.vulnspy.com/en-cve-2017-8295-unauthorized-password-reset-vulnerability/; Corben L. (cdl), Password Reset link hijacking via Host Header Poisoning, https://hackerone.com/reports/226659

21. See e.g.: stbuehler, revision df8e4f95, https://redmine.lighttpd.net/projects/lighttpd/repository/revisions/df8e4f95614e476276a55e34da2aa8b00b1148e9; van der Spek O., Crash on duplicated headers with folding, https://download.lighttpd.net/lighttpd/security/lighttpd_sa2007_03.txt; Vulnerability Details: CVE-2017-5660, https://www.cvedetails.com/cve/CVE-2017-5660/

22. Domain: labs.data.gov; see harisec, SQL Injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent, https://hackerone.com/reports/297478

23. More information can be found e.g. here: mpgn, CVE-2019-5418 – File Content Disclosure on Rails, https://github.com/mpgn/CVE-2019-5418, and Patterson A., [CVE-2019-5418] File Content Disclosure in Action View, https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

24. See Uniform Resource Identifier (URI): Generic Syntax, https://tools.ietf.org/html/rfc3986

25. See Montpas M.-A., Content Injection Vulnerability in WordPress, https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

26. See Dalili S., WAF Bypass Techniques – Using HTTP Standard and Web Servers’ Behaviour, https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour

27. Atvise WebMI2ADS Negative Content Length Vulnerability, https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=4902&signatureSubId=0

28. See the vulnerability in the mod_proxy module of the Apache HTTP Server: CVE-2004-0492: Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31, http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0492

29. Kettle J., HTTP Desync Attacks: Request Smuggling Reborn, https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn

30. More about the boundary delimiter can be read here: MIME (Multipurpose Internet Mail Extensions) Part One: Mechanisms for Specifying and Describing the Format of Internet Message Bodies, https://tools.ietf.org/html/rfc1521

31. Dalili S., WAF Bypass Techniques…, https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour

32. Sajdak M., Banalny exploit na Drupala – można przejąć serwer bez uwierzytelnienia (A trivial Drupal exploit: the server can be taken over without authentication), https://sekurak.pl/banalny-exploit-na-drupala-mozna-przejac-serwer-bez-uwierzytelnienia/. See also: Fol Ch., Exploiting Drupal8's REST RCE (SA-CORE-2019-003, CVE-2019-6340), https://www.ambionics.io/blog/drupal8-rce

33. See Sajdak M., Kontrowersje wokół zapisywania cookies (Controversy around storing cookies), https://sekurak.pl/kontrowersje-wokol-cookies/

34. See e.g.: Cimpanu C., Vulnerability exposes location of thousands of malware C&C servers, https://www.zdnet.com/article/vulnerability-exposes-location-of-thousands-of-malware-c-c-servers/