https://atosh502.github.io/blog/til/2026/march/Recent content in March on Aashutosh PoudelHugoen-USCopyright © \b20\d{2}\b, Aashutosh Poudel.Wed, 25 Mar 2026 00:00:00 +0000https://atosh502.github.io/blog/til/2026/march/http/1.1-desync-attacks/Wed, 25 Mar 2026 00:00:00 +0000https://atosh502.github.io/blog/til/2026/march/http/1.1-desync-attacks/<ul> <li>isolation between individual http requests is fundamentally broken in http/1.1 <ul> <li>no reliable way to say when one request finishes and next request starts</li> <li>multiple ways to specify request length + requests are concatenated under single connection without delimiters</li> </ul> </li> <li><a href="https://blog.cloudflare.com/resolving-a-request-smuggling-vulnerability-in-pingora/#what-is-request-smuggling">request smuggling</a> <ul> <li>between client and application servers, request passes through multiple components such as load balancers, reverse proxies, etc.</li> <li>HTTP request parsers inconsistency: an attacker can craft a request that one component sees as complete, but the other continues to parse into a second, malicious request made on the same connection.</li> <li>the malicious request could inject headers and its URL into a subsequent valid request sent on the same connection.</li> </ul> </li> </ul> <p>Links</p>https://atosh502.github.io/blog/til/2026/march/appliedcryptography.page/Tue, 24 Mar 2026 00:00:00 +0000https://atosh502.github.io/blog/til/2026/march/appliedcryptography.page/<ul> <li>Very interesting talk by <a href="https://nadim.computer/">Nadim Kobeissi</a> on teaching Cryptography in Post-Crisis Lebanon.</li> <li>The course syllabus, assignments, and projects are awesome.</li> <li>For students with zero crypto experience.</li> <li>Based on Joy of Cryptography (Mike Rosulek) and Serious Cryptography (Jean-Philippe Aumasson).</li> <li>&ldquo;Earning Attention, Not Assuming It&rdquo; <ul> <li>enfranchise students and earn their attention</li> </ul> </li> <li>&ldquo;Break the intimidation barrier&rdquo; <ul> <li>hard math behind cryptography is &ldquo;intimidation&rdquo;</li> <li>&ldquo;intimidation&rdquo; stemming from &ldquo;notation&rdquo;</li> <li>&ldquo;notations&rdquo; (mathematical formalisms) are scarier than the &ldquo;ideas&rdquo; they contain</li> <li>&ldquo;ideas&rdquo; are intuitive and easy to explain</li> </ul> </li> </ul> <p>Links</p>https://atosh502.github.io/blog/til/2026/march/dpop-demonstrating-proof-of-possession/Mon, 23 Mar 2026 00:00:00 +0000https://atosh502.github.io/blog/til/2026/march/dpop-demonstrating-proof-of-possession/<ul> <li>&ldquo;bearer&rdquo; token grants access to the &ldquo;bearer&rdquo; of the token</li> <li>sender-constrained tokens to solve the problem of leaked &ldquo;bearer&rdquo; tokens</li> <li>client using a &ldquo;bearer&rdquo; token provides &ldquo;a proof&rdquo; every time it uses the token <ul> <li>&ldquo;proof&rdquo; ensures client has a secret private key</li> <li>&ldquo;proof&rdquo; is usually a JWT signed by the secret private key</li> <li>binds &ldquo;proof&rdquo; to a specific HTTP request</li> </ul> </li> <li>application layer</li> <li>no PKI required</li> </ul> <p>Links</p> <ul> <li><a href="https://auth0.com/blog/protect-your-access-tokens-with-dpop/">Protect Your Access Tokens with DPoP (Demonstrating Proof of Possession) | Auth0</a></li> <li><a href="https://www.rfc-editor.org/rfc/rfc9449.html">RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)</a></li> <li><a href="https://dpop.info/">dpop.info</a></li> </ul>