You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Time based signatures are used for the session cookies. Statically forged ones are invalidated almost immediately. This template requires a method for implementing the Flask-Unsign python module or something similar.
Database payloads for the cluster bomb are excessive. If the forged session token is valid and used for a nonexistent database the response is a 404 versus a 401 if the session token is invalid.
The text was updated successfully, but these errors were encountered:
I was able to develop a working solution that verifies the signature on the initial cookie and correctly signs the forged cookie. I am working through my employer's open source contribution process to get approval to submit it.
I was able to develop a working solution that verifies the signature on the initial cookie and correctly signs the forged cookie. I am working through my employer's open source contribution process to get approval to submit it.
Static session cookies will result in false negative results.
Nuclei Version: 3.2.2
Template file: http/cves/2023/CVE-2023-27524.yaml
Command to reproduce:
docker run projectdiscovery/nuclei:v3.2.2 -u http://x.x.x.x:8088 -t http/cves/2023/CVE-2023-27524.yaml
target used:
docker run -d --name superset -e SUP_SECRET_KEY=CHANGE_ME_TO_A_COMPLEX_SECRET -p 8088:8088 tylerfowler/superset
Issues:
The text was updated successfully, but these errors were encountered: