riramar / desynccl0 Goto Github PK

Hey! Thanks for making this script. It is really cool. I made one myself but using python requests. I believe your script and mine both lack a safe detection method, as both scripts will detect CL.0 in a test environment but probably not on the wild. This is because the attack exploits connection reuse, and in order to detect if the app is vulnerable, the attacker needs to be the first to make the request, after sending the smuggled request (in order to be able to validate the attack). Were you able to probe this in the wild, and find any vulnerable targets? I believe both of our scripts can detect Client CL.0 attacks OK, but not server side CL.0, as in heavy traffic apps, we will probably not be the next client to make the request, after sending the smuggled one. This is why James Kettle uses Turbo Intruder for validating this attack. Please let me know if you thought about this. I am thinking of a solution in order to resolve this. Another aproach is generating an OOB interaction from the smuggled request, but this requires manual validation first.