Cache Poisoning at Scale | PT SWARM

by Youstin

Even though Web Cache Poisoning has been around for years, the increasing complexity of technology stacks constantly introduces unexpected behaviour which can be abused to achieve novel cache poisoning attacks. In this paper, the author presents the techniques that he used to report over 70 cache poisoning vulnerabilities to various bug bounty programs.


Contents:
• Backstory
• Incorrect Handling of the URL Fragment in Apache Traffic Server (CVE-2021-27577)
• GitHub CP-DoS
• GitLab CP-DoS
• X-Forwarded-Scheme - Rack Middleware
• CP-DoS on Hackerone.com static files
• Single request DoS of www.shopify.com
• Stored XSS on 21 subdomains
• Cloudflare and Storage Buckets
• S3 Bucket
• Azure Storage
• Fastly Host header injection
• Injecting Keyed Parameters
• User Agent Rules
• Illegal Header Fields
• Finding New Headers
• Common headers
• Conclusion

https://youst.in/posts/cache-poisoning-at-scale/