How I Made +$16,500 Hacking CDN Caching Servers — Part 3
2022-2-3 00:31:3 Author: infosecwriteups.com(查看原文) 阅读量:45 收藏

@bxmbn

Kevin

Bounty: 3,000

I didn’t know this was a thing, until i saw @iustinBB ’s a blog about their research on Cache Poisoning Cache Poisoning at Scale

Sending the x-forwarded-scheme: http header would result  into a 301 redirect to the same location. If the response was cached by a CDN, it would cause a redirect loop, inherently denying access to the  file.

I quickly remembered a Private Program’s asset that was using caching servers and using Ruby on Rails

Request:

GET /?xxx HTTP/2 
Host: Redacted
X-Forwarded-Scheme: http
...

If you will test this, you should always use “cache busters” (?anything=x) in this case, i used (?xxx) so i don’t mistakenly poisoned other users.

Response:

HTTP/2 301 Moved Permanently 
Date: Wed, 19 Jan 2022 17:16:13 GMT
Content-Type: text/html
Location: Redacted
Via: 1.1 vegur
Cf-Cache-Status: HIT
Age: 3

If an attacker timed the cache server and poison https://redacted/

The user’s response when requesting https://redacted/ will be

HTTP/2 301 Moved Permanently
Cf-Cache-Status: HIT

They won’t be able to access https://redacted/ as the attacker saved the 301 redirect and would not load, until the cache refreshes.

Reported → January 19, 2022

Pending Program Review → January 25, 2022

Triaged → January 25, 2022

Bounty Awarded → January 26, 2022

The total $ for these 3 Reports was $11,300

I chose only these 3 reports because they were the most awarded ones.

I applied the same methodology on other programs, this includes Cache Deception issues like #1343086

Making a total of $16,400 on HackerOne and $1,100 on BugCrowd

Thanks for Reading!

Make sure to follow me on Twitter ;)

@bxmbn


文章来源: https://infosecwriteups.com/how-i-made-16-500-hacking-cdn-caching-servers-part-3-91f9d836e046?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh