Comment by booi
8 hours ago
Where would this happen? I have never seen an API reflect a secret back but I guess it's possible? perhaps some sort of token creation endpoint?
How does the API know that it's a secret, though? That's what's not clear to me from the blog post. Can I e.g. create a customer named PLACEHOLDER and get a customer actually named SECRET?
This blog post is very clearly AI generated, so I’m not sure it knows either.
Say, an endpoint tries to be helpful and responds with “no such user: foo” instead of “no such user”. Or, as a sibling comment suggests, any create-with-properties or set-property endpoint paired with a get-property one also means game over.
Relatedly, a common exploitation target for black-hat SEO and even XSS is search pages that echo back the user’s search request.
It depends on where you allow the substitution to occur in the request. It's basically "the big bug class" you have to watch out for in this design.
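As an added illustration of the leak the comments above describe (an echoing endpoint, and a create-with-property call paired with a get-property call), here is a toy placeholder-substituting proxy with a response scrubber. This is constructed example code written for this thread, not code from the blog post under discussion or from any product; the endpoint paths, the `{{API_KEY}}` placeholder syntax, the fake upstream API and the secret value are all made up. It goes slightly beyond the comments by also checking for URL-encoded and base64-encoded forms of the secret, which an exact-string scrubber would miss.

```python
"""Toy secret-substituting proxy with response scrubbing (constructed example)."""
import base64
import urllib.parse

PLACEHOLDER = "{{API_KEY}}"                       # the only value the client ever sees
REAL_SECRET = "sk-live-CONSTRUCTED/0123+456789"   # constructed sample, not a real key

# Simulated upstream API that behaves like the endpoints discussed in the thread.
_store: dict = {}


def upstream(method: str, path: str, body: str) -> str:
    """Fake upstream (hypothetical paths) standing in for the real API behind the proxy."""
    if path == "/login":
        return f"no such user: {body}"                 # "helpful" endpoint echoes input verbatim
    if path == "/customer" and method == "POST":
        _store["name"] = body                          # create-with-properties stores the body
        return "created"
    if path == "/customer" and method == "GET":
        return _store.get("name", "")                  # get-property returns whatever was stored
    if path == "/b64":
        return base64.b64encode(body.encode()).decode()  # echo in a transformed encoding
    return "ok"


def _variants(secret: str) -> list:
    """Forms the secret may come back in. Exact-match scrubbing alone catches only the first.
    The base64 form only matches when the secret is encoded on its own (aligned); a secret
    encoded in the middle of a larger body would need a more thorough search."""
    return [
        secret,
        urllib.parse.quote(secret, safe=""),
        base64.b64encode(secret.encode()).decode(),
    ]


def scrub(response: str, secret: str = REAL_SECRET) -> tuple:
    """Redact the secret (and common encodings of it) from an upstream response.
    Returns (scrubbed_response, leak_detected) so the proxy can also log/alert on leaks."""
    leaked = False
    for v in _variants(secret):
        if v in response:
            leaked = True
            response = response.replace(v, "[REDACTED]")
    return response, leaked


def proxy(method: str, path: str, body: str, scrub_responses: bool = True) -> tuple:
    """Substitute the placeholder on the way out; scrub the secret on the way back.
    With scrub_responses=False this shows the unmitigated design the thread warns about."""
    raw = upstream(method, path, body.replace(PLACEHOLDER, REAL_SECRET))
    if not scrub_responses:
        return raw, REAL_SECRET in raw
    return scrub(raw)


if __name__ == "__main__":
    print(proxy("POST", "/login", PLACEHOLDER, scrub_responses=False))   # secret reflected
    print(proxy("POST", "/login", PLACEHOLDER))                           # scrubbed
    proxy("POST", "/customer", PLACEHOLDER)                               # store the secret
    print(proxy("GET", "/customer", ""))                                  # read it back: scrubbed
```

The scrubber is a mitigation of last resort, not a substitute for restricting where the placeholder may appear in a request: it only knows the exact secret values it substituted, and any transformation the upstream applies that is not in `_variants` (truncation, hashing, a different encoding, splitting across fields) will get past it. Logging the `leak_detected` flag is what turns it into a detection signal for the proxy operator.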
This is effectively what happened with the BotGhost vulnerability a few months back:
https://news.ycombinator.com/item?id=44359619
HTTP Header Injection or HTTP Response Splitting is a thing.