Comment by booi

Comment by booi 6 hours ago

6 replies

View on Hacker News

Where would this happen? I have never seen an API reflect a secret back but I guess it's possible? perhaps some sort of token creation endpoint?

ptx 6 hours ago

How does the API know that it's a secret, though? That's what's not clear to me from the blog post. Can I e.g. create a customer named PLACEHOLDER and get a customer actually named SECRET?

Reply View 1 reply
  • adastra22 8 minutes ago

    This blog post is very clearly AI generated, so I’m not sure it knows either.

    Reply View 0 replies
mananaysiempre 5 hours ago

Say, an endpoint tries to be helpful and responds with “no such user: foo” instead of “no such user”. Or, as a sibling comment suggests, any create-with-properties or set-property endpoint paired with a get-propety one also means game over.

Relatedly, a common exploitation target for black-hat SEO and even XSS is search pages that echo back the user’s search request.

Reply View 0 replies
tptacek 5 hours ago

It depends on where you allow the substitution to occur in the request. It's basically "the big bug class" you have to watch out for in this design.

Reply View 0 replies
Tepix 6 hours ago

HTTP Header Injection or HTTP Response Splitting is a thing.

Reply View 0 replies