From d446cb54e16259756f61f45b7674c689fc995215 Mon Sep 17 00:00:00 2001
From: HackTricks News Bot <bot@hacktricks.xyz>
Date: Tue, 11 Nov 2025 01:34:30 +0000
Subject: [PATCH] =?UTF-8?q?Add=20content=20from:=20How=20I=20Found=20the?=
 =?UTF-8?q?=20Worst=20ASP.NET=20Vulnerability=20=E2=80=94=20A=20$10K=20Bug?=
 =?UTF-8?q?=20(CV...?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../http-request-smuggling/README.md          | 63 ++++++++++++++++++-
 .../css-injection/less-code-injection.md      |  7 ++-
 2 files changed, 67 insertions(+), 3 deletions(-)

diff --git a/src/pentesting-web/http-request-smuggling/README.md b/src/pentesting-web/http-request-smuggling/README.md
index 015ddc3df2e..662082d69ed 100644
--- a/src/pentesting-web/http-request-smuggling/README.md
+++ b/src/pentesting-web/http-request-smuggling/README.md
@@ -814,6 +814,63 @@ browser-http-request-smuggling.md
 request-smuggling-in-http-2-downgrades.md
 {{#endref}}
 
+## Chunked extension LF parsing (TERM.EXT) — Kestrel CVE-2025-55315
+
+A modern HTTP/1.1 smuggling primitive abuses discrepancies in how front-ends and back-ends parse chunked transfer-encoding extensions. Some back-ends accept a lone line feed (`\n`) inside the chunk-extension and continue scanning until a CRLF terminator, while some front-ends treat the LF as end-of-line. This TERM.EXT mismatch desynchronizes message boundaries and enables classic smuggling impacts.
+
+Protocol note
+- RFC 9112 §7.1.1: chunk-extension names are tokens.
+- RFC 9110 §5.6.2: tokens cannot contain control characters (including `\r`/`\n`). Any LF within a chunk-size line is invalid and should be rejected. Lenient parsers create FE↔BE boundary disagreement.
+
+Minimal behavior probe (lenient back-end)
+- Replace markers: [LF] = `0x0A`, [CRLF] = `\r\n`.
+
+```http
+POST /echo HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Transfer-Encoding: chunked
+
+2;ext[LF]
+xy[CRLF]
+0[CRLF]
+[CRLF]
+```
+Expected on a vulnerable back-end: the body echoed is "xy". The parser swallowed the lone LF within the extension and waited for the first CRLF to end the size line.
+
+Smuggling (TERM.EXT) with LF-terminating proxy
+When an LF-terminating proxy sits in front of a lenient back-end (e.g., vulnerable Kestrel), the same payload becomes a hop parsing discrepancy. The proxy ends the size line at LF and treats following bytes as chunk-data, while the back-end keeps scanning the extension until CRLF and then parses a second pipelined request.
+
+```http
+POST /one HTTP/1.1
+Host: app.example
+Connection: keep-alive
+Transfer-Encoding: chunked
+
+2;ext[LF]
+xx[CRLF]
+45[CRLF]
+GET /admin HTTP/1.1[CRLF]
+Host: app.example[CRLF]
+X: X[CRLF]
+0[CRLF]
+[CRLF]
+```
+Front-end view: chunk1 size=2 → data "xx"; then sees next size "45" and considers the subsequent bytes (including the attacker’s GET) as chunk data; only one visible request (/one) forwarded.
+Back-end view (lenient): the lone LF is accepted within the extension; scanning continues until the first CRLF, consuming bytes inside the attacker-crafted sequence. After extension/data processing consumes `45[CRLF]0[CRLF][CRLF]`, the following `GET /admin ...` is parsed as a second request on the same connection.
+
+Exploitation outcomes
+- Bypass front-end security controls (smuggle restricted paths/methods like /admin).
+- Request hijacking (capture the next user’s request/cookies appended to the socket).
+- Web cache poisoning and deception via hidden requests.
+
+Root cause and fix (ASP.NET Core Kestrel)
+- Root cause: `Http1ChunkedEncodingMessageBody.ParseExtension` looked only for `\r` when parsing extensions, allowing a lone `\n` to be treated as part of the extension.
+- Fix: validate for both `\r` and `\n` within extensions; reject unpaired line terminators. A temporary compatibility switch `InsecureChunkedParsing` was added but should not be enabled in production.
+
+Detection
+- Burp Suite HTTP Request Smuggler ≥3.0.2 includes probes for chunk-extension based smuggling (TERM.EXT). Enable LF-in-extension tests and confirm with the nested-response check or by disabling reuse to rule out pipelining artifacts.
+- Manual: verify echo behavior with the minimal probe, then send the smuggling payload and observe a second response being processed on the same upstream connection.
 ## Turbo intruder scripts
 
 ### CL.TE
@@ -932,6 +989,10 @@ def handleResponse(req, interesting):
 - Browser‑Powered Desync Attacks – [https://portswigger.net/research/browser-powered-desync-attacks](https://portswigger.net/research/browser-powered-desync-attacks)
 - PortSwigger Academy – client‑side desync – [https://portswigger.net/web-security/request-smuggling/browser/client-side-desync](https://portswigger.net/web-security/request-smuggling/browser/client-side-desync)
 - [https://portswigger.net/research/http1-must-die](https://portswigger.net/research/http1-must-die)
-
+- [Praetorian – How I Found the Worst ASP.NET Vulnerability — A $10K Bug (CVE-2025-55315)](https://www.praetorian.com/blog/how-i-found-the-worst-asp-net-vulnerability-a-10k-bug-cve-2025-55315/)
+- [RFC 9112 – HTTP/1.1: Chunk extensions](https://www.rfc-editor.org/rfc/rfc9112.html#name-chunk-extensions)
+- [RFC 9110 – Field definitions: token syntax](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.2)
+- [Funky Chunks (TERM.EXT background)](https://w4ke.info/2025/06/18/funky-chunks.html)
+- [Andrew Lock – Understanding the worst .NET vulnerability (CVE-2025-55315)](https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/)
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md
index b9d599deb30..6d338df2b68 100644
--- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md
+++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md
@@ -1,4 +1,6 @@
-## LESS Code Injection leading to SSRF & Local File Read
+# LESS Code Injection leading to SSRF & Local File Read
+
+{{#include ../../../banners/hacktricks-training.md}}
 
 LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
 
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
 
 * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
 * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
-* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
\ No newline at end of file
+* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+{{#include ../../../banners/hacktricks-training.md}}