Engin Kirda | writeups.xyz

Title	Vulnerabilities	Programs	Authors
Gudifu: Guided Differential Fuzzing for HTTP Request Parsing Discrepancies	Web Cache Poisoning CPDoS HTTP Request Smuggling Access Control Bypass	ATS Nginx HAProxy	Bahruz Jabiyev (@BahruzJabiyev) Anthony Gavazzi Kaan Onarlioglu Engin Kirda
OAuth 2.0 Redirect URI Validation Falls Short, Literally	OAuth Path Confusion Open Redirect HTTP Parameter Pollution Account Takeover	Atlassian Meta / Facebook GitHub Microsoft Yahoo! / Verizon Media LinkedIn Slack VK LINE AuthDigital (Naver) OK ORCID	Tommaso Innocenti (@Innotommy) Matteo Golinelli Kaan Onarlioglu Ali Mirheidari Bruno Crispo Engin Kirda
http: properly reject empty http header field names	HTTP Header Attack HTTP Request Smuggling Access Control Bypass	HAProxy	Bahruz Jabiyev (@BahruzJabiyev) Anthony Gavazzi Engin Kirda Kaan Onarlioglu Adi Peleg Harvey Tuch
FRAMESHIFTER: Security Implications of HTTP/2-to-HTTP/1 Conversion Anomalies	HTTP Request Smuggling DoS	Undisclosed	Bahruz Jabiyev (@BahruzJabiyev) Steven Sprecher (@StevenSprecher) Anthony Gavazzi Tommaso Innocenti (@Innotommy) Kaan Onarlioglu Engin Kirda
Web Cache Deception Escalates!	Web Cache Deception	Undisclosed	Ali Mirheidari Matteo Golinelli Kaan Onarlioglu Engin Kirda Bruno Crispo
T-Reqs: HTTP Request Smuggling with Differential Fuzzing	HTTP Request Smuggling	Undisclosed	Bahruz Jabiyev (@BahruzJabiyev) Steven Sprecher (@StevenSprecher) Kaan Onarlioglu Engin Kirda
You’ve Got (a Reset) Mail: A Security Analysis of Email-Based Password Reset Procedures	Password Reset Host Header Injection CSRF Account Takeover	Undisclosed	Tommaso Innocenti (@Innotommy) Ali Mirheidari Amin Kharraz (@Amin_kharaz) Bruno Crispo Engin Kirda

Page 1 of 1