Is there any working solution against large SYN Flood request?

Fighting against a large SYN Flood attack that is happening every 2 minutes repeatedly.

During the attack, the number of SYN-RECV sockets is between 290 and 550:

ss -n state syn-recv sport = :80 | wc -l  

CPU 100% (htop output)

Tried the Cloudflare firewall, not helping at all. CSF in action, seems it can’t help.

Backlog increased to 16K, SYN cookies enabled… nothing helped.
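The `ss` count in the question says how many half-open sockets exist but not whether they come from a handful of addresses (which a per-address block in CSF could handle) or from thousands of sources with one or two sockets each (the usual sign of spoofed SYNs, where only SYN cookies or upstream filtering help). The following script, added here and not part of the original question, parses `ss -n state syn-recv` output and makes that distinction. The sample output and the addresses are constructed from documentation ranges; the alert thresholds are assumptions.

```python
from collections import Counter

# Constructed sample of `ss -n state syn-recv sport = :80` output; the addresses are
# documentation ranges, not data from the host described in the question.
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port     Peer Address:Port      Process
0      0      198.51.100.10:80       203.0.113.5:40211
0      0      198.51.100.10:80       203.0.113.5:40212
0      0      198.51.100.10:80       203.0.113.5:40213
0      0      198.51.100.10:80       192.0.2.77:51000
0      0      [2001:db8::10]:80      [2001:db8:ffff::1]:61000
"""


def peer_ip(endpoint: str) -> str:
    """Strip the port (and IPv6 brackets) from an ss 'addr:port' column."""
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")


def half_open_by_source(ss_output: str) -> Counter:
    """Count SYN-RECV sockets per peer address from `ss -n state syn-recv` output."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Data rows: Recv-Q Send-Q Local Peer [Process]; skip the header and blank lines.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        counts[peer_ip(fields[3])] += 1
    return counts


def assess(ss_output: str, total_alert: int = 250, per_source_alert: int = 50) -> dict:
    """Classify the half-open backlog: is it a flood, and is it concentrated or spread out?"""
    counts = half_open_by_source(ss_output)
    total = sum(counts.values())
    concentrated = {ip: n for ip, n in counts.items() if n >= per_source_alert}
    flooding = total >= total_alert
    return {
        "total": total,
        "distinct_sources": len(counts),
        "top": counts.most_common(3),
        "flooding": flooding,
        "concentrated_sources": concentrated,
        # Many sources with one or two half-open sockets each is the signature of
        # spoofed SYNs: blocking individual addresses cannot help there.
        "likely_spoofed": flooding and not concentrated,
    }


def constructed_flood(n: int) -> str:
    """Build n SYN-RECV rows from distinct, constructed source addresses (for testing)."""
    header = "Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
    rows = (f"0 0 198.51.100.10:80 10.{(i >> 8) & 255}.{i & 255}.{i % 7 + 1}:{40000 + i}\n"
            for i in range(n))
    return header + "".join(rows)


if __name__ == "__main__":
    print(assess(SAMPLE_SS_OUTPUT))
    print(assess(constructed_flood(300)))
```

Run it on the live output with `ss -n state syn-recv sport = :80 | python3 script.py` after replacing the sample with `sys.stdin.read()`. Note that the parser skips the header line, which the `wc -l` pipeline in the question counts as one extra socket; `ss -H` suppresses it.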

Why is /cacerts request necessary in RFC 7030 Enrollment Over Secure Transport?

In RFC 7030 Enrollment Over Secure Transport (EST) https://tools.ietf.org/html/rfc7030, the /cacerts request (Section 4.1 of RFC 7030) is used by the client to request the current CA certificates. The returned certificates are added to the client’s ‘Explicit TA database’ and must be used to authenticate all future exchanges with the EST CA.

The RFC says that the client is expected to make this request before performing other operations such as requesting a certificate (Section 2.1). I can understand why this is useful in the case that a client is only initialised with an ‘Implicit TA database’ (e.g., a root certificate belonging to a third-party issuing CA), as they can then initialise their ‘Explicit TA database’ with the certificates belonging to the PKI they wish to enrol in (Section 4.1.3). However, I’m not clear on the benefit when the client is initialised with an Implicit TA database such as the issuing CA certificate (and corresponding certificate chain) for the CA they wish to enrol with. Perhaps it has something to do with allowing root key updates using rollover certificates (also discussed in Section 4.1.3), but I’m not clear on why this could not be handled as part of the /simpleenroll request. Any help clarifying the purpose of the /cacerts request would be much appreciated!

Extract public key from a Certificate Signing Request

Hi, is there a way to extract the public key from a certificate signing request? If so, can this be done using python3? Here is the sample CSR from https://www.digicert.com/order/sample-csr.php as an example. I have some POC regarding this; please let me know the steps for extracting the public key from a CSR, or whether I need to provide more information.

-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----
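A PKCS#10 CSR is a DER SEQUENCE whose first element (CertificationRequestInfo) holds the version, the subject name and then the SubjectPublicKeyInfo, so the public key can be cut out with a few dozen lines of DER walking and no third-party library. The script below is an added example written for this answer; it is not DigiCert's code and it is not the only way to do this (the `cryptography` package does it with `x509.load_pem_x509_csr(data).public_key()`). It embeds the sample CSR from the question so that it runs offline, emits the key as a standard `BEGIN PUBLIC KEY` PEM block, and reads the RSA modulus size and exponent out of it.

```python
import base64
import re

# The sample CSR quoted in the question (DigiCert's public sample), embedded so the
# script runs offline.
SAMPLE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def pem_to_der(pem: str, label: str) -> bytes:
    """Extract and base64-decode one PEM block with the given label."""
    match = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", pem, re.S)
    if not match:
        raise ValueError(f"no {label} block found")
    return base64.b64decode("".join(match.group(1).split()))


def read_tlv(data: bytes, pos: int):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(csr_der: bytes) -> bytes:
    """Walk CertificationRequest -> CertificationRequestInfo -> subjectPKInfo (RFC 2986)."""
    tag, pos, _ = read_tlv(csr_der, 0)              # CertificationRequest SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = read_tlv(csr_der, pos)            # CertificationRequestInfo SEQUENCE
    _, _, pos = read_tlv(csr_der, pos)              # version INTEGER (skipped)
    _, _, pos = read_tlv(csr_der, pos)              # subject Name (skipped)
    tag, _, end = read_tlv(csr_der, pos)            # subjectPKInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPKInfo missing")
    return csr_der[pos:end]                         # the whole TLV is a standalone SPKI


def spki_to_pem(spki_der: bytes) -> str:
    """Wrap a DER SubjectPublicKeyInfo as the PEM block `openssl req -pubkey` prints."""
    b64 = base64.b64encode(spki_der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def rsa_parameters(spki_der: bytes):
    """Return (modulus_bits, public_exponent) for an RSA SPKI; raise for other algorithms."""
    _, pos, _ = read_tlv(spki_der, 0)                       # SubjectPublicKeyInfo SEQUENCE
    _, alg_start, pos = read_tlv(spki_der, pos)             # AlgorithmIdentifier SEQUENCE
    _, oid_start, oid_end = read_tlv(spki_der, alg_start)   # algorithm OID
    if spki_der[oid_start:oid_end] != RSA_OID:
        raise ValueError("not an RSA key")
    tag, bs_start, bs_end = read_tlv(spki_der, pos)         # subjectPublicKey BIT STRING
    if tag != 0x03 or spki_der[bs_start] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    key = spki_der[bs_start + 1:bs_end]                     # RSAPublicKey ::= SEQUENCE { n, e }
    _, pos, _ = read_tlv(key, 0)
    _, n_start, n_end = read_tlv(key, pos)
    _, e_start, e_end = read_tlv(key, n_end)
    modulus = int.from_bytes(key[n_start:n_end], "big")
    exponent = int.from_bytes(key[e_start:e_end], "big")
    return modulus.bit_length(), exponent


def csr_public_key(pem_csr: str) -> dict:
    spki = extract_spki(pem_to_der(pem_csr, "CERTIFICATE REQUEST"))
    bits, exponent = rsa_parameters(spki)
    return {"algorithm": "RSA", "bits": bits, "exponent": exponent, "pem": spki_to_pem(spki)}


if __name__ == "__main__":
    info = csr_public_key(SAMPLE_CSR)
    print(f"{info['algorithm']} {info['bits']}-bit key, e={info['exponent']}")
    print(info["pem"])
```

The PEM block this prints is byte-for-byte what `openssl req -in sample.csr -noout -pubkey` would print, so the two can be diffed as a check. The parser deliberately does not verify the CSR's self-signature; a CA that consumes CSRs must do that (proof of possession), but for merely reading the public key it is not needed.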

Internal server error with special characters in request body: possible vulnerability?

While black-box testing a web application, I found some unexpected behavior. The request body of the original request, sent by the browser, contained a POST parameter like this:

user[email]=test@test.test 

After some fuzzing, the application returned 500 (Internal Server Error) on queries that started with %00 (null byte), followed by characters not equal to %09, %0a (new line), %0b, %0c, %0d and %20 (space). If it is followed by one more null byte, or one of the already mentioned characters, it behaves properly.

I’m pretty new to web testing, and wondered what can cause this, and whether it is really unexpected behavior.

I suggested that this code executes some command and sanitizes other characters like “, ‘ and others to prevent command injection, but the null byte terminates the string with the command, so the command goes wrong (for example, a missing ‘ or ” in the command); but why does it need another character after the null byte?

Or maybe this is related to specialized functions for sending mail in other languages?

Also, I thought about database processing, but it still does not make sense why we need these characters at the end, and why a new line, space and others change the behavior.

What could lead to this behavior, and is it worth researching deeper?
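Whatever the back-end turns out to do with the null byte, a 500 means the input reached code that was not written to expect it; the usual hardening is to reject control characters at the edge with a 400 before any downstream library sees them. The validator below is an added example (not code from the application in the question) that does this for an `application/x-www-form-urlencoded` body. It treats the two fuzzed variants from the question identically, rejecting both, rather than reproducing the observed split; the three request bodies are constructed from the question's description.

```python
from urllib.parse import parse_qsl

# C0 control characters (NUL, TAB, LF, VT, FF, CR and the rest) plus DEL.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {"\x7f"}


def validate_form_body(raw: bytes):
    """Return (status, detail): 200 with the parsed fields, or 400 with the reason."""
    try:
        text = raw.decode("utf-8")            # strict decoding: invalid UTF-8 is rejected
    except UnicodeDecodeError:
        return 400, "body is not valid UTF-8"
    try:
        # strict_parsing raises on malformed pairs instead of silently dropping them
        pairs = parse_qsl(text, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        return 400, f"malformed form body: {exc}"
    for name, value in pairs:
        for field in (name, value):           # keys are attacker-controlled too
            hit = next((c for c in field if c in CONTROL_CHARS), None)
            if hit is not None:
                return 400, f"control character U+{ord(hit):04X} in field {name!r}"
    return 200, dict(pairs)


# Constructed request bodies modelled on the question: the original and two fuzzed variants.
CASES = {
    "original": b"user[email]=test@test.test",
    "nul_then_letter": b"user[email]=%00a",     # produced a 500 in the question
    "nul_then_space": b"user[email]=%00%20",    # "behaved properly" in the question
}


def run_cases() -> dict:
    """Status code the validator assigns to each constructed body."""
    return {name: validate_form_body(body)[0] for name, body in CASES.items()}


if __name__ == "__main__":
    for name, body in CASES.items():
        print(name, validate_form_body(body))
```

`parse_qsl` percent-decodes `%00` to a real NUL character, which is exactly the point: the check has to run on the decoded value, not on the raw body, or `%00` slips through. Logging the rejected field name (not the value) keeps the 400s visible to whoever is watching for this kind of probing.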

What does “connection” mean in the context of request smuggling?

I recently read about request smuggling. This is a very interesting attack that I didn’t know about. A vulnerability to this was recently discovered at Slack, disclosed responsibly and a bounty was awarded.

The linked article says:

When the front-end server forwards HTTP requests to a back-end server, it typically sends several requests over the same back-end network.

Request smuggling uses the fact that multiple requests go over one connection.

My question is: What is this connection? I’m a newbie at networking. I know that there are multiple layers to a connection: IP, TCP, SSL. Can you please explain what is the layer at which this connection exists?

Update: If someone could include an example, preferably in Python, of how one would send multiple requests on the same connection, that’d be helpful.
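The connection in question is the TCP connection (possibly wrapped in TLS) between the front-end and the back-end: HTTP/1.1 keeps it open after a response, so the next request is written onto the same byte stream. The script below, added here as an example and not taken from the linked article, starts a tiny HTTP/1.1 server on localhost in a thread, opens one socket to it, and sends two requests one after the other without reconnecting. The server records the client's TCP port for each request it serves, so the result shows both requests arriving over the same connection. The handler, paths and response text are constructed for the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class EchoHandler(BaseHTTPRequestHandler):
    """Minimal back-end: answers each GET and records which TCP connection it came from."""
    protocol_version = "HTTP/1.1"      # HTTP/1.1 keeps the connection open between requests
    seen = []                          # (client port, path) for every request served

    def do_GET(self):
        EchoHandler.seen.append((self.client_address[1], self.path))
        body = f"you asked for {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))   # framing: where this response ends
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo quiet
        pass


def read_response(sock: socket.socket, buf: bytes):
    """Read one HTTP/1.1 response from sock; return (status line, body, leftover bytes)."""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before the headers were complete")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    length = 0
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    while len(rest) < length:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-body")
        rest += chunk
    # Bytes beyond Content-Length belong to the *next* response on this same connection.
    return lines[0].decode(), rest[:length].decode(), rest[length:]


def two_requests_one_connection(paths=("/first", "/second")) -> dict:
    """Open one TCP connection and send several HTTP/1.1 requests over it, one after another."""
    EchoHandler.seen.clear()
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        with socket.create_connection((host, port)) as sock:
            client_port = sock.getsockname()[1]    # identifies this TCP connection
            bodies, leftover = [], b""
            for path in paths:
                request = f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()
                sock.sendall(request)
                _status, body, leftover = read_response(sock, leftover)
                bodies.append(body)
    finally:
        server.shutdown()
        server.server_close()
    return {"client_port": client_port, "bodies": bodies, "server_saw": list(EchoHandler.seen)}


if __name__ == "__main__":
    print(two_requests_one_connection())
```

The `Content-Length` handling in `read_response` is the part that matters for the smuggling discussion: on a shared connection, the only thing separating one message from the next is the framing both sides compute from the headers. A front-end and back-end that compute different lengths for the same bytes will disagree about where one request ends and the next begins, which is the condition the linked article describes. With TLS in the picture the same holds: TLS wraps the TCP stream, and HTTP messages are still delimited only by their framing inside it.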

Start a proxy server on a Docker container for HTTP requests from the host

I have a Docker container connected to a VPN, but sometimes I need to open a URL in a browser for debugging.

I cannot run the VPN on my host machine for security reasons. Specifically, I want to open the URL on my host machine and intercept the request with Burp Suite. I already tried some “python proxy servers” from GitHub to start a proxy on my Docker machine and connect my host to it, without success.

Has someone done something similar? Any ideas?

PS. Sorry for my English. 🙂

Should I make one request for the whole web site or separate requests? Which is better?

Hi guys,
I've just learned that you can make just one request to the server for the whole website with a trick like the one below:

<!doctype html>
<html lang="en">
#Head
#CSSfile
<body>
#Navigation_main
#MainContainer
#Footer
#JSfile
</body>
</html>

In this case, I send just one request for a simple HTML file to the server.
At the server, I replace a hashtag like #Footer with a block of code like the one below:

<div id="footer">
    Footer Stuffs
</div>

Now, I was wondering…

Should I make one request for the whole web site or separate requests? Which is better?

What is the use case of request signing in this mobile app?

The API of a mobile app I was testing receives the AWS AccessKeyId and SecretKey used for request signing from the AWS Cognito server unencrypted (apart from the regular TLS encryption), making it possible to re-sign all requests to their AWS Lambda API, e.g. using Burp’s “AWS Signer” extension.

With this, a man-in-the-middle could sign all altered requests, so I wonder what the actual use case of request signing is in this instance?

Shouldn’t the AccessKeyID and SecretKey be kept secret?

The owner of the app is telling me that this is not an issue because they are following the AWS guidelines.

Is that correct? Or are they doing something wrong?

Why would they sign the requests in the first place in their mobile app? What is the use case of signing the requests, when the ‘secrets’ for creating a signature are distributed via the same connection in clear (except TLS)?

Does this conform to best practices when using AWS Lambda for serverless mobile app APIs? Is request signing even useful in this instance? Most apps I have tested didn’t use request signing.
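To make concrete what an AWS Signature Version 4 signature does and does not protect, here is an added example (written for this page; not AWS SDK code) that implements the documented SigV4 steps in the standard library: derive the signing key from the secret, build the canonical request and string to sign, produce the `Authorization` header, and verify it on the receiving side. The `demo` function then shows the three outcomes that frame the question: an untouched request verifies, a request whose body was altered after signing fails, and an altered request re-signed by anyone holding the same key pair verifies again. The access key id, secret, host and the `execute-api` service name in `demo` are constructed or assumed; the derived-key check in the accompanying test uses the example secret and date from AWS's SigV4 documentation.

```python
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: secret -> date -> region -> service -> 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def string_to_sign(method, path, headers, body, amz_date, scope):
    """Canonical request (no query string in this example) hashed into the string to sign."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    names = sorted(lowered)
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed_headers = ";".join(names)
    canonical_request = "\n".join([
        method, path, "",                       # empty canonical query string
        canonical_headers, signed_headers,
        hashlib.sha256(body).hexdigest(),       # payload hash binds the body to the signature
    ])
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                     hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    return sts, signed_headers


def sign(access_key, secret_key, region, service, method, path, headers, body) -> str:
    """Client side: produce the Authorization header value (headers keyed in lowercase)."""
    amz_date = headers["x-amz-date"]
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    sts, signed_headers = string_to_sign(method, path, headers, body, amz_date, scope)
    signature = hmac.new(derive_signing_key(secret_key, date_stamp, region, service),
                         sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify(key_store, region, service, method, path, headers, body, authorization) -> bool:
    """Server side: look up the secret for the key id in Credential=, recompute, compare."""
    try:
        access_key = authorization.split("Credential=", 1)[1].split("/", 1)[0]
    except IndexError:
        return False
    secret_key = key_store.get(access_key)
    if secret_key is None:
        return False
    expected = sign(access_key, secret_key, region, service, method, path, headers, body)
    return hmac.compare_digest(expected, authorization)


def demo() -> dict:
    # Constructed credentials and request; 'execute-api' is the assumed service name.
    key_store = {"AKIAEXAMPLE": "constructed-secret-key"}
    headers = {"host": "api.example.invalid", "x-amz-date": "20200101T000000Z",
               "content-type": "application/json"}
    args = ("us-east-1", "execute-api", "POST", "/pay", headers)
    body = b'{"amount": 10}'
    tampered = b'{"amount": 9999}'
    auth = sign("AKIAEXAMPLE", key_store["AKIAEXAMPLE"], *args, body)
    return {
        "original_accepted": verify(key_store, *args, body, auth),
        "tampered_body_old_signature": verify(key_store, *args, tampered, auth),
        # Whoever holds the same key pair can simply sign the altered request again.
        "tampered_body_resigned": verify(key_store, *args, tampered,
                                         sign("AKIAEXAMPLE", key_store["AKIAEXAMPLE"],
                                              *args, tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

The third result is the answer to "what does signing buy here": a SigV4 signature proves that the sender holds the credentials named in `Credential=` and that the signed fields were not changed by anyone who does not; it is an authentication and authorization mechanism for that identity, not protection against the holder of the credentials. If the credentials are handed to the client, then the client, and anything that can read the client's traffic or memory, can sign whatever it likes, and the security of the API rests on what that identity is permitted to do on the back end, not on the signature.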