
603 points scalewithlee | 3 comments
0xbadcafebee No.43793927
Worth noting that people here are assuming that the author's assumption is correct: that his writing /etc/hosts is causing the 403, that this is a consequence of security filtering, and that it is this combination of characters at all that's causing the failure. The only evidence he has is that he gets back a 403 Forbidden to an API request when he writes certain content. There are a thousand different things that could be triggering that 403.

It's not likely to be a WAF or content scanner, because the HTTP request is using PUT (which browser forms don't use) and it's uploading the content as a JSON content-type in a JSON document. The WAF would have to specifically look for PUTs, open up the JSON document, parse it, find the sub-string in a valid string, and reject it. OR it would have to filter raw characters regardless of the HTTP operation.

Neither of those seems likely. WAFs are designed to filter on specific kinds of requests, content, and methods. A valid string in a valid JSON document uploaded by JavaScript using a JSON content-type is not an attack vector. And this problem is definitely not path traversal protection, because that is only triggered when the string is in the URL, not in some random part of the content body.

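The disagreement in this thread is whether a WAF rule could fire on a path string that sits inside a JSON string value of a PUT body. The following is an added example (not code from any commenter, and not any vendor's actual rule set) that models the two rule designs being argued about: a raw-body scan that ignores method and content type, and a context-aware rule that only treats the URL as a place where a path can be interpreted. The request samples, the regex and the function names are all constructed for the illustration.

```python
import json
import re
from dataclasses import dataclass

# Constructed pattern standing in for a "sensitive file path" signature.
SENSITIVE_PATHS = re.compile(r"/etc/(passwd|shadow|hosts)")


@dataclass
class Request:
    method: str
    path: str
    content_type: str
    body: bytes


def raw_scan_decision(req: Request) -> int:
    """Naive rule: search the raw body bytes for the signature regardless of
    HTTP method or content type. Returns the HTTP status the WAF would send."""
    if SENSITIVE_PATHS.search(req.body.decode("utf-8", "replace")):
        return 403
    return 200


def context_aware_decision(req: Request) -> int:
    """Rule that only inspects where a path could actually be interpreted as
    a path (the URL). A string value inside well-formed JSON is treated as
    data; only malformed bodies fall back to the raw scan."""
    if SENSITIVE_PATHS.search(req.path):
        return 403
    if req.content_type.startswith("application/json"):
        try:
            json.loads(req.body)
            return 200  # well-formed JSON: string values are data, not paths
        except ValueError:
            pass  # not parseable as JSON, fall through to the raw scan
    return raw_scan_decision(req)


# Constructed sample: a documentation edit saved through a JSON API,
# the shape of request the thread is discussing.
DOC_SAVE = Request(
    method="PUT",
    path="/api/docs/123",
    content_type="application/json",
    body=json.dumps({"body": "Add 127.0.0.1 example.test to /etc/hosts"}).encode(),
)

# Constructed sample: the same signature appearing in the URL path,
# which is the case a path-traversal rule is meant to catch.
URL_PATH_CASE = Request(
    method="GET",
    path="/files/../../etc/hosts",
    content_type="",
    body=b"",
)

if __name__ == "__main__":
    for name, req in [("doc save", DOC_SAVE), ("url path", URL_PATH_CASE)]:
        print(f"{name}: raw-scan={raw_scan_decision(req)} "
              f"context-aware={context_aware_decision(req)}")
```

Running it shows the false positive the author reported reproduces only under the raw-body rule (the documentation save gets a 403 there and a 200 from the context-aware rule), while the URL-path case is caught by the context-aware rule and missed entirely by a body-only scan. The practical check for anyone debugging a 403 like this is to look at the WAF's own event log for the rule id that fired rather than inferring the rule from the payload.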
SonOfLilit No.43796080
You're being downvoted because WAFs work exactly like this, and it's intentional and their vendors think this is a good thing. A WAF vendor would say that a WAF parsing JSON makes it weaker.
immibis No.43796695
They're being downvoted because they're saying the author is incorrect when the author is actually correct.
1. 0xbadcafebee No.43797830
It's frightening that so many people are convinced the author is correct, when the author never proved they were correct.

The author just collected a bunch of correlations and then decided what the cause was. I've been doing this kind of work for many, many years. Just because it looks like it's caused by one thing, doesn't mean it is.

Correlation is not causation. That's not just a pithy quip, there's a reason why it's important to actually find causation.

2. SonOfLilit No.43797934
Having had three opportunities in my life to diagnose this exact problem and then successfully resolve it by turning off the WAF rule (see my top level comment) - I don't know you or your work history, but trust me, the author is much closer to the truth here than you are.

edit: Also, someone commented here "it was an irrelevant cf WAF rule, we disabled it". Assuming honesty, seems to confirm that the author was indeed right.

3. immibis No.43802083
It's more like I saw a big ball fall down and make a hole in the floor and concluded it must be heavy.