2021-12-23 12:12:11
Cache Poisoning at Scale by Youstin
Even though Web Cache Poisoning has been around for years, the increasing complexity of technology stacks constantly introduces unexpected behaviour that can be abused to achieve novel cache poisoning attacks. In this paper, the author presents the techniques he used to report over 70 cache poisoning vulnerabilities to various Bug Bounty programs.
Contents:
• Backstory
• Incorrect Handling of the URL Fragment in Apache Traffic Server (CVE-2021-27577)
• GitHub CP-DoS
• GitLab CP-DoS
• X-Forwarded-Scheme - Rack Middleware
• CP-DoS on Hackerone.com static files
• Single request DoS of www.shopify.com
• Stored XSS on 21 subdomains
• Cloudflare and Storage Buckets
• S3 Bucket
• Azure Storage
• Fastly Host header injection
• Injecting Keyed Parameters
• User Agent Rules
• Illegal Header Fields
• Finding New Headers
• Common headers
• Conclusion
https://youst.in/posts/cache-poisoning-at-scale/