Breaking Parser Logic - Take Your Path Normalization Off and Pop 0days Out

Explore a groundbreaking exploit technique that unveils a new attack surface for defeating path normalization in this Black Hat conference talk. Delve into the complexities of path normalization implementation, often underestimated by developers, and discover how this oversight creates lethal and widely applicable vulnerabilities. Learn about polyglot URL paths, off-by-slash failures, and real-world case studies involving Spring, Rails, Uber, and Amazon. Examine inconsistencies leading to ACL bypasses, misconfigurations resulting in authentication bypasses, and log injections enabling remote code execution. Gain insights into mitigation strategies and understand the far-reaching implications of this innovative attack vector presented by security researcher Orange Tsai.

Intro
Orange Tsai
Agenda
Polyglot URL path
Why path normalization
Can you spot the vulnerability?
Nginx off-by-slash fail
How to find this problem?
Spring Oday - CVE-2018-1271
Bonus on Spark framework
Rails Oday - CVE-2018-3760
For the RCE lover
URL path parameter
When reverse proxy meets...
How danger it could be?
Am I affected by this vuln?
Uber bounty case
Bynder RCE case study
Inconsistency to ACL bypass
Misconfiguration to auth bypass
Log injection to RCE
Amazon RCE case study
Path normalization bug leads to ACL bypass
Seam Feature
Code reuse bug leads to Expression Language injection
EL blacklist bypassed leads to Remote Code Execution
Chain all together
Mitigation
Summary
Reference