Amin Nasiri

@0xnxenon

Fan of reading RFCs and interested in playing with different versions of HTTP and web-related protocols & also inductive reasoning; a Hitchhiker when I am AFK

Germany

aminnasiri.com

Joined February 2019

154Posts 426Followers 172Following

You might like

@NikoueiMohammad

@MrMSA16

@thelilnix

@Seyed_Mojtaba97

@OnlyEnZ404

@__seyyid__

@YasharHacker1

@SoloGeekk

@VC0D3R

@Rezza_Olfat

@xiqxaraas

@3ud0m0nk3y

@R00TDR

@Lo_oLo_oFAR

Pinned

Amin Nasiri

@0xnxenon

Aug 13, 2024

I have added some features to get time of the responses in nano seconds on h2spacex library and also enhanced Single Packet Attack method. Now you can exploit the timing attacks 🔥⏱️ github.com/nxenon/h2spacex

0xnxenon's tweet card. HTTP/2 Last Frame Synchronization (also known as Single Packet Attack) low Level Library / Tool based on Scapy‌ + Exploit Timing Attacks - nxenon/h2spacex

GitHub - nxenon/h2spacex: HTTP/2 Last Frame Synchronization (also known as Single Packet Attack)...

Source: github.com

James Kettle

@albinowax

Aug 7, 2024

The whitepaper is live! Listen to the whispers: web timing attacks that actually work. Read it here -> portswigger.net/research/liste…

albinowax's tweet card. Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this paper, I'll unleash novel attack concepts to coax out server secrets

Listen to the whispers: web timing attacks that actually work

Source: portswigger.net

Amin Nasiri reposted

James Kettle

@albinowax

Jun 10

I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!

albinowax's tweet image. I'm thrilled to announce "HTTP/1 Must Die! The Desync Endgame" is coming to #DEFCON33! This talk will feature multiple new classes of desync attack, mass exploitation spanning multiple CDNs, and over $200k in bug bounties. See you there!

Amin Nasiri

@0xnxenon

Feb 24

I have added application/grpc-web+proto support in my extension. Now you can encode/decode these content-types automatically: - application/grpc-web-text - application/grpc-web+proto github.com/nxenon/grpc-pe… #burp #burp_extension #grpc_web #grpc_web_pentest

0xnxenon's tweet image. I have added application/grpc-web+proto support in my extension. Now you can encode/decode these content-types automatically:
- application/grpc-web-text
- application/grpc-web+proto

github.com/nxenon/grpc-pe…

#burp #burp_extension #grpc_web #grpc_web_pentest

Amin Nasiri

@0xnxenon

Nov 19

I also have an account on Blue Sky, drop me a follow if you are there too bsky.app/profile/nxenon…

Amin Nasiri reposted

d4d

@zakfedotkin

Nov 7, 2024

You can bypass path-based WAF restrictions by appending raw/unencoded non-printable and extended-ASCII characters like \x09 (Spring), \xA0 (Express), and \x1C-1F (Flask):

$zakfedotkin's tweet image. You can bypass path-based WAF restrictions by appending raw/unencoded non-printable and extended-ASCII characters like \x09 (Spring), \xA0 (Express), and \x1C-1F (Flask):$

Amin Nasiri reposted

d3fp4r4m

@defparam

Aug 13, 2024

You can wrap @0xnxenon's h2xspacex library pretty quickly in python to perform timing-related SPA tests. Here's a scoped-SSRF detection using that detects DNS behavior changing between 60 and 70 chars of the host header as explained in @albinowax's presentation

defparam's tweet image. You can wrap @0xnxenon's h2xspacex library pretty quickly in python to perform timing-related SPA tests. Here's a scoped-SSRF detection using that detects DNS behavior changing between 60 and 70 chars of the host header as explained in @albinowax's presentation

Amin Nasiri

@0xnxenon

Aug 13, 2024

GitHub - nxenon/h2spacex: HTTP/2 Last Frame Synchronization (also known as Single Packet Attack)...

Source: github.com

Amin Nasiri reposted

James Kettle

@albinowax

Aug 7, 2024

The whitepaper is live! Listen to the whispers: web timing attacks that actually work. Read it here -> portswigger.net/research/liste…

Listen to the whispers: web timing attacks that actually work

Source: portswigger.net

Amin Nasiri reposted

RyotaK

@ryotkak

Aug 2, 2024

I recently developed and posted about a technique called "First sequence sync", expanding @albinowax's single packet attack. This technique allowed me to send 10,000 requests in 166ms, which breaks the packet size limitation of the single packet attack. flatt.tech/research/posts…

ryotkak's tweet card. Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at Flatt Security Inc. In 2023, James Kettle of PortSwigger published an excellent paper titled Smashing the state machine: the true...

Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking...

Source: flatt.tech

Amin Nasiri reposted

LiveOverflow 🔴

@LiveOverflow

Jul 28, 2024

I love the debate around storing JWTs in localStorage

Amin Nasiri reposted

James Kettle

@albinowax

Jul 18, 2024

When researching request smuggling, I decided that TE.0 would never be exploitable because it requires the back-end server to accept a HTTP request starting with a number + newline.... and no server would be that crazy 🤦‍♂️ Awesome work! Never under-estimate the crazy.

sw33tLie

@sw33tLie

Jul 17, 2024

This is one of the most widespread and impactful bugs I've ever found in my career. Great collab with @bsysop and @_medusa_1_ Smugglings are still out there—stay vigilant! #bugbounty @Bugcrowd bugcrowd.com/blog/unveiling…

sw33tLie's tweet image. This is one of the most widespread and impactful bugs I've ever found in my career. Great collab with @bsysop and @_medusa_1_

Smugglings are still out there—stay vigilant! #bugbounty @Bugcrowd

bugcrowd.com/blog/unveiling…

Amin Nasiri reposted

Gareth Heyes \u2028

@garethheyes

Jun 20, 2024

Lovely to see the Email RFCs abused to embed a command injection payload in the local-part of the address! Nice work Michael Imfeld & @parzel2 modzero.com/en/blog/beyond…

Amin Nasiri

@0xnxenon

May 8, 2024

Does Burp have plan to support HTTP/3 and quic @albinowax @Burp_Suite ? I think many websites now use HTTP/3 and hackers also need to upgrade their tools to hack the applications using H3 too.

Amin Nasiri reposted

James Kettle

@albinowax

Apr 24, 2024

Turbo Intruder doesn't support the single-packet attack when run via the command line, since it leans on Burp Suite's network stack for HTTP/2 (I did code a native HTTP/2 stack for TI but it's really flaky). h2spacex is perfect for the standalone exploit use case.

Amin Nasiri

@0xnxenon

Apr 20, 2024

Nice to know that UDP + (one protocol on it) can be as expensive as TCP (not from networking perspective), because of context switch between user space and the OS

Amin Nasiri

@0xnxenon

Apr 7, 2024

For pentesting application/grpc-web+proto Content-Type see this short article: medium.com/@nxenon/hackin…

medium.com

Hacking into gRPC-Web : Part 2

Manipulating application/grpc-web+proto Content-Type

Source: medium.com

Amin Nasiri

@0xnxenon

Apr 4, 2024

DOS in HTTP/2 implementations: According to my interest in HTTP/2 protocol and its attack like Rapid Reset Attack and Single Packet Attack, I would say that you have to read this too. Nice Job from Bartek.

Bartek Nowotarski

@bartn_

Apr 3, 2024

The case I've been working in 2024.Q1: The CONTINUATION Flood is a class of vulnerabilities within numerous HTTP/2 protocol implementations. A single TCP connection can lead to server crash. Check the advisory at: nowotarski.info/http2-continua…