Am I doing my thing now? Yes? Wow. It's an honor being here. Hi, my name is Stök. Oh, no. Hi, my name is Fredrik Alexander. Most people actually know me more by my hacker handle, Stök. And I'm going to welcome all of you to my talk, Weaponizing Plain Text: ANSI Escape Sequences as a Forensic Nightmare. And leading up to this talk, I was kind of told that you need to have this table of contents that explains the things that are going to happen, because otherwise people get bored and really sad. But I figured that we've got 281 slides to go through. So, screw that other thing and just head straight into it. Thank you. So, I spent a good amount of time digging into this vulnerability class, CWE-150, that's been dormant for the last two decades or so. And that was real fun. And that's what this talk is all about. But I used to travel the world to all these live hacking events and create educational videos on YouTube. But nowadays I fight cybercrime over at Truesec. And I also do shitloads of incident response. So, I realized that I'm really passionate about getting log files, because that's kind of the whole part of creating a good timeline. So, I figured that maybe I'm the only one, or maybe some other people like log files too. So, I went on the application formerly known as Twitter and asked, are log files important? And I got a bunch of really good answers coming back. And the short answer is kind of like, yes, log files are important, because logs are a vital component for maintaining application reliability, performance and security. But it also seems like the common idea is that logs don't lie, people do. And even though your log files might not lie to you, do you still trust them? And what happens if you don't? Because imagine this for a second. You are now the incident response lead of a global logistics corporation. It's four o'clock in the morning and you're sound asleep in your bed dreaming about boats, or maybe containers and Docker and stuff. 
When you get this rude awakening call from your manager, who's pissed because you got breached. And since you are the incident response lead, it's your responsibility to call up all those tired people that work in the incident response team and get those started with collecting all the logs that you need to be able to create a timeline. You're a manager, you don't do grunt work, so you log into your big data app for 1,000, and since you're a professional, you log-shipped stuff already, so you export the data and save it into a local file called everything.log. You're happy. But just to verify that you got any data in there, you decide that maybe I should just cat the file and see what's in there. In the beginning, everything was great. It contains the things that you wanted, but then suddenly, out of nowhere, boom! You're getting an ad for a restoring service, and they're nice enough to provide you with a calculator so you can do the math for how much it costs you. And that's kind of the situation where you're starting to realize, shit. And the reason for all this has to do with ANSI escape sequences, and what got me into all this is this CVE here. And I'm just going to read this straight off my monitor, because I didn't remember it all. Affected versions of this package are vulnerable to arbitrary code injection. There we are interested, right? This is a possible shell escape sequence injection vulnerability in Rack::Lint and Rack::CommonLogger components. Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. Middleware, okay? These escape sequences can be leveraged to possibly execute commands in the victim's terminal. What have we got here? Excuse me, tiny Stök. What do you mean, possibly? Either you can run arbitrary commands or you cannot, right? Yeah. Thank you for that, giant Stök, for pitching in and helping out here in the presentation. Well, you're actually right. 
It depends, but it apparently depends on the terminal that you're using. And there's a shitload of different terminals out there today. And some of them come built into the software that you're using, like VS Code and Docker. Then you have third-party stuff like iTerm, kitty and other ones, and stuff that people built on their own. Then you have the ones that get shipped with your operating system, like Windows Terminal, Terminal.app, GNOME, VTE and other stuff. And then you've got all the external stuff. So we also got this when we're in the cloud. Maybe you don't know this, but if you try to use, say, DigitalOcean to connect to your droplet, or you're going to do some recovery console stuff, that is actually an xterm thingy connecting to that over a TTY, and you're able to interact with it. It's a terminal. And I wasn't really interested in the possibly part. I wanted to execute commands in the victim's terminal, but I had no idea where to begin. It sounded cool. So I did everything that every self-respecting researcher does. I googled what ANSI escape codes were. I had no idea. And I quickly realized that people actually like to customize their terminals in the weirdest kinds of ways, especially if you're using Arch. And this is the thing that got me interested. Like, oh, cool. You can change colors and stuff. But I also realized that in 1978, the Gilstrand boys dropped their banger album, We're Going to Have Some Fun Tonight. But even though it was released the same year as the VT100 terminal, connecting that using serial cables to a big VAX system is probably not what those guys thought would be fun to do on a Saturday night, even though I personally would think that was kind of cool. But I also realized that ANSI escape sequences are the shit that puts stuff on the terminal that you look at. And it can do stuff like, you can move the cursor around, you can remap the keys using these, and you can actually print stuff. Interesting. 
But you can also build whole UIs. Like, all this UI here is built in ANSI escape codes. Positioning of stuff, colors and output and all that, refreshing, clearing screens. All of that is part of something called the control sequences standard. This is the standard for xterm, and it's vast and it's super hard to understand. I know you're all super smart. I wasn't. So I'm going to go through the basics with you. And the first time I started looking into the documentation, it said CSI Pm m, Character Attributes, something, something. No idea what that meant. But it's this. So all it actually is, is printing out something that turns green. Cool. And the reason why this works is due to this funny thing here called the escape character. That's important to remember. And it's also a non-visible escape character. And it comes in many shapes and forms, because the reason why they didn't print out exactly the command is because it depends on whether you're using octal, hex, Unicode, decimal, or ASCII. All of these are the same sequence. They're different kinds of ways to portray it. And I also realized that bash likes octal, Python likes hex, Java and JavaScript like Unicode, and PowerShell likes decimal for some reason. And this escape character here is the one that starts the whole sequence. It needs to start with that. Then we have this control sequence introducer, which tells the terminal to do shit. Next one is the parameter, the number. So we'll go 32, which is green here. m is to change whatever continues in the output, turning that green, which is the string we have here. And then we're just going to close it off with another escape character, another control sequence introducer. And this is the important part. Here we do 0 m. And that means we're resetting the terminal back. Because if you don't do that, apparently this is going to happen. The rest of your shit is going to be all green. Hulk smash. But we need to terminate this using a string terminator or bell character. 
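To make the structure just described concrete, here is an added example (my own code, not from the talk) that takes a string apart the way a terminal does: the ESC byte, the `[` control sequence introducer, the numeric parameters, and the final byte that selects the command (`m` for character attributes). It also shows that the four notations the talk lists produce the identical byte, and checks for the "forgot the `0 m` reset" case. Names such as `tokenize` and `leaves_attributes_set` are mine.

```python
# Added example (not from the talk): tokenizing a string into the parts the
# talk lists: the ESC byte, the CSI introducer "[", the parameters, and the
# final byte that picks the command. Only SGR ("m") is decoded by name here.
import re

# The same escape byte written the four ways the talk mentions.
ESC_NOTATIONS = {
    "octal": "\033",      # bash style
    "hex": "\x1b",        # Python style
    "unicode": "\u001b",  # Java / JavaScript style
    "decimal": chr(27),   # PowerShell [char]27 style
}

def all_notations_identical():
    """True if every notation produces the identical single character."""
    return len(set(ESC_NOTATIONS.values())) == 1

# CSI = ESC "[" params (digits, ";", ":", "?") intermediates (0x20-0x2F) final (0x40-0x7E)
CSI_RE = re.compile(r"\x1b\[([0-9;:?]*)([\x20-\x2f]*)([\x40-\x7e])")

def tokenize(text):
    """Return a list of ("text", s) and ("csi", params, final) tuples."""
    tokens, pos = [], 0
    for m in CSI_RE.finditer(text):
        if m.start() > pos:
            tokens.append(("text", text[pos:m.start()]))
        tokens.append(("csi", m.group(1), m.group(3)))
        pos = m.end()
    if pos < len(text):
        tokens.append(("text", text[pos:]))
    return tokens

# A few SGR parameter values; "" and "0" both mean reset.
SGR = {"": "reset", "0": "reset", "1": "bold", "31": "red", "32": "green"}

def describe(token):
    """Human-readable meaning of one token."""
    if token[0] == "text":
        return f"print {token[1]!r}"
    _, params, final = token
    if final == "m":
        names = [SGR.get(p, f"SGR {p}") for p in params.split(";")]
        return "set attributes: " + ", ".join(names)
    return f"CSI {params} {final}"

def leaves_attributes_set(text):
    """True if the text ends with an SGR attribute still active (no reset),
    the 'everything after this stays green' case from the talk."""
    active = False
    for tok in tokenize(text):
        if tok[0] == "csi" and tok[2] == "m":
            active = tok[1] not in ("", "0")
    return active

if __name__ == "__main__":
    sample = "\x1b[32mgreen text\x1b[0m normal again"
    for tok in tokenize(sample):
        print(describe(tok))
    print("unterminated:", leaves_attributes_set("\x1b[32mstill green"))
```

Running it prints the three tokens of the sample in order (set green, print the text, reset) and `unterminated: True` for the string that never resets, which is exactly why the rest of the screen turns green in the talk's demo.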
If you're like me and you accidentally grep something, you know, and then your terminal starts going ding, ding, ding, ding, ding, ding, that is it being interpreted as the bell character. So we've got an escape sequence being shoved in there. So I thought, okay, cool, that's fun. I can put color on someone's screen. Fancy. What happens if I put that in something called bad.log, see what happens, and then interact with it? Well, if I'm using Vim, it's going to show exactly what the escape character is. It's this one here. And that's cool because, rendering-wise, it just shows it. Same for nano, if you're using that, you're cool. And if you're using a browser, instead it's going to show it as Unicode. So that's also interesting to know. It's getting interpreted differently depending on the system you're using. But if you cat it, colors are going to get displayed. grep, tail, or whatever get the same thing. Even if you curl it, boom, fun stuff's going to happen. Because all these systems interpret the sequence and render it. And at this stage, when I ran this through curl, I'm like, shit, what just happened? What just happened? And I started to think, where can I stuff this? Where would it interact with other people's stuff? So I figured, why not do it in a TXT record? Because DNS is always the source of all evil. So I put it in there. And I ran a lookup on it on OS X. Nothing happened. And you can see here, the extra slash in front of it means that it's escaped. It's beautifully escaped. This is a real good thing. If you're doing it on Windows, though, it's a different kind of story. So it depends on what kind of OS you're using. Big ups to David for showing that. That was real cool. So I was starting to ask myself, okay, cool, that's fun. But is this even a security issue? Seriously? So this kind of feels like this self-executing thing where you're like, okay, I can put colors on my terminal, fun times. 
I need to figure out who this would be an issue for. Where would this be an issue? How would this be an issue? And what would be the consequences of this? Well, the where wasn't that hard to figure out. Apparently, we had the CommonLogger thing. Log injection would be the way to go. And who would it affect? I reckon DevOps, sysadmins, IR and forensic people, or anyone that interacts with a log file using a terminal. And we can take a quick break here. How many of you have ever catted, grepped, or jq'ed a file that you got from some other software? I love you. So to do this as a scientist, because we are researchers, we're professionals: log injection vulnerabilities occur, according to OWASP, when data enters an application from an untrusted source. Yes. The data is written to an application or system log file. Cool. I needed to adapt that. This is kind of written to do XSS stuff, so I figured that, okay, to successfully have this as a measurement, I needed to be able to create new log files or events by forging a log entry. I needed to be able to inject the escape sequence. And I needed somewhere to make that run in someone's terminal emulator. And I also needed that injection to execute some kind of stuff. And I figured, which would be the best test bench for this? And Docker, obviously. Because it loves to send whatever logs to stdout. It has this live log that's running through. There's actually a terminal rendering stuff. And it comes with a really nifty getting-started kind of app. Good stuff. I'll go for that. So, and also, if you want to attach to or work with Docker, you would use docker attach inside a terminal to connect to it, or docker logs to do a tail and see whatever happens inside your container. I'm like, mm-hm, seems tasty enough for me. But I also realized that I couldn't just take this printf thing and stuff it in a browser because, hey, shit, you can't do that. No, no, no. So I needed to URL-encode it. 
And for good measure, we added a newline in there, because everyone knows that if you're triaging some kind of bug, newlines are very important to show that it's actually able to inject some kind of false log entries. So I figured, let's see what happens if I curl this and just send that straight in. And I was really excited when I realized that, oh, nothing came back. Then I started looking at the log, and over here it's like, oh ho, nothing comes back in the response, but a newline has been entered. The color has been rendered inside the log that's being displayed in real time, which means, on the first try more or less, we checked all the boxes to prove it's a successful log injection, because we're injecting newlines. We are able to run escape sequences that will be viewed in a terminal emulator, in this case Docker. And I'm able to inject commands that the terminal emulator could execute. In this case, we're changing the color. Because remember, even though that was the only line that I put in, we can create this, because it's all about the limitations and creativity of whoever decides to design this. And even though I'm like, fuck yeah, confirmed, the Yieldstrang boys weren't that impressed. They wanted me to provide more impact. So I'm like, okay, I can do that. I started once again, and I stumbled upon this great research from 2003 by H.D. Moore. And it found a really, really interesting, cool way to just misuse the terminal and use it against them, in a way. So what happens here is that they were able to use something called the OSC 2 sequence, where you would actually put this on a command line and that would change the title of the terminal you're in. And if you're currently using a terminal, you're changing directories and stuff, and it just updates there inside the title. When you SSH somewhere, the title changes to show that we're connected. That is actually the sequence doing that. But that wasn't enough. 
They dug into the deeper parts of the whole documentation and realized that with this CSI code here, 21t, you were actually able to report back whatever was put inside the title and push that to the command line. That could only mean trouble. Because even if this stuff would be put on the command line, in this case you needed to have a social interaction with the user. The user needs to be fooled into pressing enter. It's still a cool way to push something into the title, read it back, and then boom, shit happens. But that's been fixed for ages. 2003, if you want to feel old, is like two decades ago. So I started searching some more and I found this really nice write-up from Evil Alive Jekyll and Aske that did some cool research on all these different web servers back in 2010, where they're using the same kind of sequence here. But we know that's been fixed, so can't do much with that. But then in 2022, Eviatar Gerzi released some story for crashing the name, don't know how to pronounce it. A cool way to create a DoS sequence, where they were able to read a bunch of stuff into the title and just create crashes. And I'm just teasing buffer overflows here for the future to come. But that's been fixed, too. So here I am, feeling like an epic fail. Can't do the arbitrary command injection. That seems so cool, that the person talked about in the CVE. So I did the thing. The thing at the end is the only thing you do. You reach out to the original poster and ask them, can I have the RCE part? And the answer back: I didn't write any. I used this paper as a reference. And that sucks, because we know that's fixed. So here I am, super excited, but all I got is old stuff. And speaking about old stuff, this is what I looked like in the 80s. Now I'm kidding, I'm probably more like this badass here. And if you look at the angle of the arm here, that's very important, because it's exactly the same angle as this gentleman here in this band poster. 
That's pretty fucking darn cool, because he was one of the first people to sell Diab and Unix computers in Sweden. And not only that, he's my dad. So I'm very grateful to him for putting stuff in front of me and giving me access to computers at an early age. Thank you. But I'm starting to look at this picture, and I'm starting to realize that maybe I'm actually looking more like Lars, that was on the same tour as my dad when he met my mom. Anyway, the standard is vast and it's deep and it takes a lot to go through. But that wasn't enough for the fine developers and users of terminals of today. No, they wanted more. Because all these different terminals have different kinds of functionality. And you know, with more features, we need more stuff. So they invented something called proprietary escape codes, which is a local edition of the standard. It works in certain terminals, not all of them. Some of them are being shared internally and some work across the board. And what that does is it gives you the opportunity to, you know, make it fun, twirl a thing, maybe in your title, get notifications and all these other cool things that are in there, maybe even change your background, fancy stuff. But some thought that it was a great idea to always run some processes with arguments. Why not use escape sequences for that? I mean, that's a really bad idea. But luckily enough, it's just rare to find stuff that runs this really bad idea nowadays, because it's old and it's been fixed. So I needed to find something that was adopted by everyone. Everybody loved it and trusted it, and they thought it was nice, that we could weaponize. Why not? Because we are tricksy hobbitses. And I found OSC 8. I'm not cool. If you ever run PowerShell and you mess that up, you'll get this prompt coming back saying, you suck, click this link and somebody's going to tell you how to do it. I'm like, cool. That seems doable. 
And the reason why that works is because you have this ANSI escape sequence that gives you the HTTP thing, and then it has the title or whatever you want to print out, and you close it off, and it turns into this link inside your terminal. That's great. Initially, that was only allowed to use URIs like HTTP and HTTPS. But recently, the fine people over at Windows Terminal decided that we should allow file too. That's even a great idea, because what could even happen if you typed in CMD there and clicked it? I wonder. Fun things pop up inside user space. And even though this is kind of filtered, in a way where you can start CMD but you can't use any parameters, I'm willing to guess that some smart person in here is going to figure out how to bypass that and put a link in that pops shells. It's definitely doable. And the fun thing with OSC 8 is, if you don't terminate it correctly, you remember what we did with the green when it all went Hulk everywhere? If we don't terminate it correctly, the rest of the output, starting from that injection, is going to be one big link. Everything is going to be a link, and if you click that, some terminals will be very nice to you and just block that out with a warning. And I figured, okay, that's cool. I wonder if I can inject this somewhere, because obviously me putting links on my own shit would be boring. So what happens if I put that inside Docker? Well, everything is going to turn into one big link there too. And that one has a protection in. But it's not everywhere. This turns into a protection issue, because the injections can be put in different places, and then suddenly you can click links and you can use the manual, and how fun this could be. But that wasn't enough for people because, you know, text is cool, but inline image support, that's definitely something we need in text space. 
So the Windows Terminal people decided to adopt the inline support for it in the recent build, where you have sixel and inline image support inside the terminal. That's great. I see no problem with that. I think that's great. I just wonder what's going to be inside this log file. So can I get a raise of hands, how many of you want to see what's in that log file? I love you. And it's not what you thought it would be. Shame on you. Then we have OSC 52, which is great. If you've ever used tmux or anything back in the day, you weren't able to copy-paste between shells. Sucked. Now you can. The reason is OSC 52. And what it does is, it takes this sequence, and if you have something base64-encoded, it's going to put that inside the user-space clipboard. Super sweet. Great. I wonder what happens if we do "open" on something, a calculator app, and a newline on the end, because we need that newline. If you put that into zsh and paste it, this is what's going to happen. It requires the user to do something. And you press enter, and boom. Okay, it pops calc. But if you do the same thing in bash, bash honors the newline. So if you just paste it straight in there, it fires directly. There is room for improvement here, though. So I figured, I wonder how I can test this in different spaces? I did this kind of base64 string with these commands in it and said, I'm curious what's going to happen. And I started to paste that in different places. Docker fired it directly, that was nice. VS Code did it differently depending on what kind of shell you're using. And even in some cases gave you this warning, which is super good. Of course, with your own people. Terminal.app honors it and runs it directly. And even inside Windows Terminal, you will get this preview showing things that are bad. 
And the reason for that is, if you wanted to run this command, 10 lines, and do whoami, Windows Terminal will be nice to you and show the first lines and tell you, yeah, you've got your shit going on here. So why not just add seven lines of nothing and see what happens? Well, there's nothing in there. So, and everybody knows that nobody's going to scroll down. And what happens if you add 400 lines in there? Nobody is ever going to scroll down. Or you can even add some kind of EULA thing, and then people just press okay. So with that in there, it's going to end up just running it. I think that's pretty cool. It's a decent thing. So I think it's okay. So I have this sort of thing for Windows Terminal and one for bash. Let's create a polyglot and see what happens. So I figured, why not have a little bit of an SVG in there. You stop that one off with a good old hash mark at the end, do a curl command. Obviously, we want this to run locally and not fuck around on the interwebs. And then we do a PowerShell kind of mix, where we do CMD that calls PowerShell and stuff, because we want it to work in whatever kind of environment you end up in. And we want to exfiltrate stuff to know what's happening. So here's a hash, that's important, and then eventually this last one here. And encode that into one big base64 thing and just send that to bad.log, cat bad.log, and then start pasting it in places. Well, it obviously worked there. This removed all the info in the beginning. It's going to pop here too. And even if you go to the browser and paste that in, you have some JavaScript running, which is great. Then you can just refresh it here and you'll see that, okay, it's running whoami and then different other kinds of stuff in there that's just exfiltrating stuff for you inside the request. And this is just sitting dormant in some poor bastard's clipboard, just from interacting with the file. 
Because you can sit there and work, you cat something, and then you decide to paste, and boom, it's on you. It's not limited to that. Obviously, you can exfiltrate stuff, like sending things out and doing reverse shells and all that. I didn't go through that in this demo. You are smart people. You know what to do. But if we're doing this, we might just want to hide our tracks, or just mess things up because we can. And there are different ways to do this. You can use everything from just moving the cursor with certain precision. You can clear the screen. You can erase stuff or clear the scrollback buffer. And to showcase this, I'm just putting, like, 50 lines here on the screen for you. And then we're just going to run the command, and it's empty. And that's perfect to have as a proof of concept for myself. But what happens if we run that inside, say, this Docker instance, where we send in the reset screen and just go back? Well, this is what's going to happen. It empties the log file for you. And every time you load it, all the way up to where that gets rendered, it's going to clean it anyway for you. So you need to sanitize and clean that out. Fun. And that is somewhat annoying. For anyone that's using that, that's really annoying. But it's not annoying enough. We need to do some brick stuff to be really annoying. And why not use the standard? Like, we have this print screen functionality. It gives us the opportunity, if we're typing that one in, to send you the printer prompt. Imagine getting that every minute or so. It can be annoying. But you can also do this cool thing. If instead of doing the 0i, you do 5i, because back in the day we used to have a matrix printer next to our computers, for having a paper copy of said log. We don't have those anymore. 
So we can just send anything out to this buffer that doesn't exist, which means, as you can see here, if you send in all the commands, it's going to send it into Ruby and it's still going to render. But you can't see shit. So that's really annoying. And the only way to get rid of that is to close the browser. But it's not annoying enough. No, we need to be really annoying. And one way to do that is to use the mouse tracking functionality. It was great if you ever installed some kind of, I don't know, Slackware or something or whatever. And you're in that CLI mode and you suddenly realize, my mouse works and I can click on stuff. That's cool. That is the reason, because somebody's tracking where your mouse is in that state. And if you run that on the terminal and move your mouse around, it's going to report all this stuff all the time. And if you click, it's going to execute whatever kind of thing happened there. And what's really interesting when doing this is, imagine you sneak this mother shit in there, and somebody clicks stuff and then boop, boop, boop, boop, it's going to pop it. And if you combine those, you see where I'm going, a bunch of chains here. You can just combine those things together and create a lot of interesting stuff. But let's stumble upon this one here. It looks so sweet. And it's perfect. Repeat the preceding graphic character X amount of times. And that is perfect. You want to measure, like, how big the terminal screen is. So in this case, let's say that we wanted to repeat this 10 times. It's going to do it 10 times for us in the output of the terminal. But one simply wonders. A billion times is a lot of fucking pieces. And since this is not a single character, this is Unicode, you get five characters for the price of one. And my recommendation to you is, do not run this in prod. Things will break. I can't open this Docker container again without it crashing. 
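The sequences covered so far (OSC 8 links, OSC 52 clipboard writes, title changes, screen and scrollback erase, the 5i printer redirect, mouse tracking, the repeat-character sequence, and DCS) are all things a defender can look for in a log before anyone cats it. The following is an added example of my own, not code from the talk: a scanner that runs over raw log lines, reports which sequence sits in which line, decodes what an OSC 52 payload would put in the clipboard, and flags non-http link schemes and absurd repeat counts. The access-log lines in `LOG_LINES` are constructed for this example, and the rule names are mine.

```python
# Added example (not from the talk): scanning raw log lines for the control
# sequences the talk walks through and reporting what each would make a
# terminal do when the line is cat'ed, grepped or tailed. Every log line in
# LOG_LINES is constructed for this example.
import base64
import re

OSC_END = r"(?:\x07|\x1b\\)"   # an OSC ends with BEL or ST (ESC \), if at all

# (label, pattern over the raw text). Only a real 0x1b character matches; the
# printable six characters \ x 1 b do not.
RULES = [
    ("hyperlink (OSC 8)", re.compile(r"\x1b\]8;[^;\x07\x1b]*;([^\x07\x1b]*)" + OSC_END + "?")),
    ("clipboard write (OSC 52)", re.compile(r"\x1b\]52;[^;\x07\x1b]*;([A-Za-z0-9+/=]*)" + OSC_END + "?")),
    ("window title (OSC 0/2)", re.compile(r"\x1b\][02];([^\x07\x1b]*)" + OSC_END + "?")),
    ("erase display / scrollback (CSI 2J, 3J)", re.compile(r"\x1b\[[23]J")),
    ("printer redirect (CSI 5i)", re.compile(r"\x1b\[5i")),
    ("mouse tracking on (CSI ?1000/1002/1003 h)", re.compile(r"\x1b\[\?(?:1000|1002|1003)h")),
    ("repeat character (CSI Ps b)", re.compile(r"\x1b\[(\d+)b")),
    ("device control string (DCS)", re.compile(r"\x1bP[^\x1b]*\x1b\\")),
]

def scan_line(line):
    """Return a list of (label, detail) findings for one raw log line."""
    findings = []
    for label, pattern in RULES:
        for m in pattern.finditer(line):
            detail = ""
            if label.startswith("hyperlink"):
                uri = m.group(1)
                if uri == "":
                    detail = "(link end)"
                elif uri.lower().startswith(("http://", "https://")):
                    detail = uri
                else:
                    detail = uri + " [non-http scheme]"
            elif label.startswith("clipboard"):
                try:  # show the analyst what would land in the clipboard
                    text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
                except ValueError:
                    text = "<undecodable>"
                detail = repr(text) + (" [contains newline]" if "\n" in text else "")
            elif label.startswith("repeat"):
                count = int(m.group(1))
                detail = str(count) + (" [huge count]" if count > 10_000 else "")
            elif m.groups():
                detail = m.group(1)
            findings.append((label, detail))
    return findings

def scan_log(lines):
    """Map 1-based line number -> findings, only for lines that have any."""
    report = {}
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            report[number] = hits
    return report

# Constructed sample: an access log where line 1 is clean and the others carry
# sequences in the request path, the injection point the talk demonstrates.
CLIP = base64.b64encode(b"echo hello\n").decode()
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /\x1b[2J\x1b[3J HTTP/1.1" 404 0',
    f'10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /\x1b]52;c;{CLIP}\x07 HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /\x1b]8;;file:///placeholder/path\x07click\x1b]8;;\x07 HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /\u2588\x1b[1000000000b HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, hits in scan_log(LOG_LINES).items():
        for label, detail in hits:
            print(f"line {number}: {label}: {detail}")
```

The scanner works on the raw text, so it reports only real ESC characters; a request that merely contains the printable text `\x1b` is not flagged, which is the right call for a log that was already properly escaped at write time. Run it on an exported log before opening that log in a terminal, or pipe it through a viewer that shows control characters, such as `less` or `cat -v`.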
And when it crashes, it kills Docker Desktop. I need to start it all over again. That can be somewhat annoying. Thank you. So it breaks most terminals. And some terminals, even the one I have on my phone here, it crashes that one too. So, once again, I'm starting to think, OK, that's cool. I wonder what happens. What can I do to weaponize this? Maybe if I put it in my service signature on a host and then request a Let's Encrypt certificate, I wonder if the bots will come running. I'm betting you there's a bunch of fucking automation scripts that are going to scrape and look for version one running, that are going to get dusted out whenever somebody decides to look at that entry. Real fun. OK, you've got a question, scary-looking kid. No RCE. No, no. I know. I wasn't able to do any kind of arbitrary command injection. Sucks. I got malicious stuff, but not really bad stuff. So these were dark times in the middle of my research. The light came in the shape of David Leadbeater. And his amazing fucking talk, pardon my French, at BlueHat 23, called Houdini the Terminal, where he doesn't provide just one. No, he brings on six remote code executions in terminals that are live today. I'm like, mm, tasty. David knows stuff. And he's doing that, but he uses kind of the same thing that H.D. Moore did back in the day with this CRLF injection. But he's using something called Device Control Request String. I'm not going to try to pronounce that. DECRQSS. If you want to check out his GitHub, he's really, really good. He's got a lot of cool stuff there. And he's speaking tomorrow here. So please go visit that talk. I sure am going to be there. And the Yield Sunboys are definitely going to be there, because he's going to release some banger stuff, and you don't want to miss that. So this is all David's work, but I'm going to show it now because, hey, why not? So I figured that he had this thing provided. I needed to put that in a way that I could infiltrate others. 
So I base64'd the string here. More or less, this is kind of what it does. It sends in a bunch of control sequences and stuff. I'm not going to bore you with that, but more or less, what it does is ask you what kind of color you have on the screen. But we're feeding that with other stuff instead, and then adding newlines, and voila, all the fun stuff. So if you're using version 3.17 of iTerm, which is not the newest one, it's been patched now, and you're interacting with the logs using Docker, what's going to happen if I paste that inside your terminal while you're running that live tail? I'm going to pop calc for you. Why not? Super simple way to just make sure that things break. So update your iTerms, people, if you're playing around with that. And the reason why this is working, and I love this, is simply because what David figured out is that he could sneak in 0x03 here, which is the Ctrl-C kind of thing, or Ctrl-X. So you're escaping out of whatever thing that's running. And imagine what happens if you're trying to escape out of a docker attach session. It's going to shut down the Docker container. And after that, we're adding whatever command we want to run. And then simply, we're going back again and telling the system, could you please report back to us whatever kind of color we're running? But we already tainted that with other stuff. So it's just going to boom, which is great. And for me, David was this kind of Mike Metzger moment when he did that stuff. Because what Mike did for the motocross circuit was, just before he did the first backflip in competition, there were rumors and shit. And nobody thought it would be even remotely possible. But as soon as he did that, today, if you're not doing a double flip, can-can, woo-hoo, fucking dang, you suck. So that was kind of the opener. So I started to look at this OSC 5113, which I thought was like, hm, kitty has this proprietary escape code. I wonder what that does. 
And what I figured out real fast is that the test here reflects back in the flow. So I'm starting to think, what happens if we add a newline and open a bit of calculator there and send that away? Well, let's see what happens. What's going to happen first is it's going to give you a prompt. Are you really sure you want to do this? You say no, but you get a calculator. Because it's adding a newline and it's honoring it. Time is running out. Thanks, babe. The other one here, and I know you said, yeah, but you pressed no. What happens if you press yes? Well, if you do, it's the same. No escaping here. Yields time, boys. Fuck yeah. I thought that was sweet. So now I'm getting hyped, and I'm all happy about it. Then this shows the whole proof of concept. Is it actually possible to execute commands in the victim's terminal? And the short answer to this is yes. But whose fault is it? This conversation has been going on for the last 10, 20 years, because every 10 years or so, somebody's going to poke around at this stuff. And the terminal developers are going to say, it is the app developers' fault. They need to do their shit. The app people say, no, it's the terminal people. They need to stop using escape sequences at all. It's a terrible idea. But we all use them all the time. And then there's the third part. It's these super angry old developers sitting in the back. I see you. That think that everyone with a brain knows that you can't just cat a file or click on an email link. But that's simply not true, because we are cybersecurity professionals, some more malicious ones. And we need to protect our users, especially our shell users, because they are also our privileged users, using these systems on a daily basis. And they should be able to grep, cat, or jq whatever shit that's running inside the terminal without any issues, especially if they're downloading files from a third party that took care of them. 
And the only way to do that is that we need to sanitize our input and escape our output. And if we don't do that, there are going to be consequences. And I thought it would be kind of cool: what happens if I take this web page and stick a bunch of different kinds of escape sequences in there and see what happens? So I created this evil.terminalinjection.com site. So if you curl that inside your terminal, any of them, you can see what happens. It's not going to do any bad stuff to you. It's going to pop a calc if you're vulnerable, but I'm not exfiltrating your data. You can just right-click, view the source and see what's in there. It's cool. And if you run that on some systems, it's going to be all right; on other systems, when you do it, it's not going to be as all right. So it's kind of trusted things, but they would break stuff. So if we're doing black box testing on this, the whole game, if you're hunting for bugs, is going to be 400 or 500 errors. Because 200 responses usually end up in access logs, and those are well sanitized and nice and all. So the easiest way to break stuff is to take whatever kind of thing you have here. This is an API JSON request. You have a key and some value. You just append shit on the end and see what happens. Sometimes it will break, and you will get some information coming back. And if it does contain something like unescaped stuff, because with this one here there's a big chance that it actually ended up in the error log. This one here, though, is properly escaped. So, good job on the devs. But yeah. But sometimes you put that stuff in, and it's going to be sanitized with a backslash. So why not put some invisible characters and hex in there? The result is going to be really interesting, because then it might just render anyway, because you're bypassing the whole backslash scenario. OK, this is very prone to false positives. So sometimes the developers are really good at just filtering that kind of output out.
They're stripping the error message. And they're not even displaying any data. We saw that in the beginning. It was an error, but nothing happened. But it smashed the log. Boom. So you need to take that into consideration, and even if you see 400 errors, they're rarely logged. So 500 errors are what you're going to be looking for. But this seems to be everywhere. Everywhere I looked, it just pops and scrambles. And before you create this nuclei template and go all brrr all over the internet, hoping that it's going to end up in somebody's log somewhere: to verify this, you will need to have access to the access logs, and just dig into that, because otherwise it will be a false positive. Because if I wrote the logging system and I didn't log the output, you can say that it renders, but it's not. So time's running out. Let's recap real fast on this. People forget. The old is the new new. There are way more things that are going to come in this area. I hope you are intrigued now to start poking at this. And let's create a community around this to see whatever fun stuff we can do. And it's like everywhere. Like I told you, I created this nuclei template, and when I ran it, it rendered in there. That can be problematic. So if something's like "meh" today, it can't easily turn into "oh crap." But by tomorrow, if somebody decides to put a bunch of creativity into it, that means your log files: do you still trust them? I'm Stökfredrik on all social media. Thank you for attending my talk.
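Added example (editor's code, not part of the talk and not the evil.terminalinjection.com payloads): a small Python script for the two checks the last two passages call for, escaping control characters before a value reaches a log ("sanitize our input and escape our output") and scanning an exported log for sequences that did get through, which is the access-log verification step the speaker asks for before trusting a scanner hit. The sample log lines are constructed for this example; the regex covers the common sequence families (CSI, OSC, DCS-style strings, bare ESC, C0/C1 controls) rather than being a full VT parser; and the "terminal query" heuristic (OSC payloads ending in `?`, CSI `n`/`c` reports) is an assumption based on the colour-query mechanism the talk describes, not a list from the speaker.

```python
import re

# Constructed sample log lines for this example (not from the talk or any
# real incident). Lines 2-5 carry the kind of control/escape sequences a
# client can smuggle into a request path, header or JSON value so that they
# land in an error log and render when someone cats or tails the file.
SAMPLE_LOG = [
    "GET /index.html 200",
    "GET /login?user=\x1b[2J\x1b[31mALERT\x1b[0m 500",              # clear screen, red text
    "GET /api\x1b]8;;http://example.test\x07click\x1b]8;;\x07 404",  # OSC 8 hyperlink
    "GET /health\x1b]11;?\x07 500",                                  # OSC 11 query: terminal answers
    "GET /x\x03\n calc\n 500",                                       # raw Ctrl-C plus newlines
]

# Assumption: one regex for the families that matter here, not a full parser.
#   CSI  ESC [ params intermediates final-byte
#   OSC  ESC ] text, terminated by BEL or ST (ESC \)
#   DCS/APC/PM/SOS  ESC P / ESC _ / ESC ^ / ESC X text, terminated by ST
#   any other ESC + one byte
#   lone C0 controls, DEL, and C1 controls (0x80-0x9f)
ESC_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[P_^X][^\x1b]*\x1b\\"
    r"|\x1b[@-Z\\-_]"
    r"|[\x00-\x1f\x7f\x80-\x9f]"
)


def classify(seq):
    """Name the sequence family so a triage report is readable."""
    if seq.startswith("\x1b["):
        return "CSI"
    if seq.startswith("\x1b]"):
        return "OSC"
    if seq[0] == "\x1b" and len(seq) > 1 and seq[1] in "P_^X":
        return "DCS/APC/PM/SOS"
    if seq[0] == "\x1b":
        return "ESC"
    return "C0/C1"


def is_terminal_query(seq):
    """Heuristic (assumption): sequences that make the terminal write an
    answer back on stdin. OSC payloads ending in '?' (colour queries) and
    CSI reports with final byte 'n' (DSR) or 'c' (DA). An answer typed into
    a live tail or attach session is the reflection the talk builds on."""
    kind = classify(seq)
    if kind == "OSC":
        return seq.rstrip("\x07\x1b\\").endswith("?")
    if kind == "CSI":
        return seq[-1] in "nc"
    return False


def find_escapes(line):
    """Return (offset, sequence) for every match in one log line."""
    return [(m.start(), m.group()) for m in ESC_RE.finditer(line)]


def scan_log(lines):
    """Return (line_no, offset, family, sequence) for every hit in a log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for off, seq in find_escapes(line):
            hits.append((n, off, classify(seq), seq))
    return hits


def escape_for_log(value):
    """Escape-on-output: every control character becomes a visible \\xNN
    token and a literal backslash is doubled, so an attacker cannot hand in
    the text '\\x1b' and have it mistaken for an already-escaped control."""
    out = []
    for ch in value:
        o = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif o < 0x20 or o == 0x7F or 0x80 <= o <= 0x9F:
            out.append(f"\\x{o:02x}")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for n, off, kind, seq in scan_log(SAMPLE_LOG):
        flag = " QUERY" if is_terminal_query(seq) else ""
        print(f"line {n} @{off}: {kind}{flag} {seq!r}")
    print("sanitized:", escape_for_log(SAMPLE_LOG[1]))
```

Run it as-is to see the report for the constructed lines, or replace `SAMPLE_LOG` with `open("everything.log", errors="replace").read().splitlines()` to scan a real export. A clean scan of a log written through `escape_for_log` is the property to check: every sanitized line yields no hits, including the lines that originally carried the colour query and the raw newlines.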
