In the name of God, the Most Gracious, the Most Merciful
Don’t forget to pray for people in Gaza and Sudan 🤲🏻❤️
Hello everybody. Today I will talk about 3 cache bugs in 3 different BBPs which led to 3 bounties 💵
First of all, if you don’t know what a cache deception attack is, I hope you read this article before reading this writeup: https://www.linkedin.com/pulse/cache-deception-attacks-pentesters-secret-weapon-how-defend-bise--f4p2e/
First bug:
It was on one of Bugcrowd’s public BBPs. There was a subdomain, subdomain.target.com, which had another type of user role registration.
So here is what I did:
1- Create an account
2- Notice that the https://subdomain.target.com/gb/account/ endpoint has an object called window.current_user which retrieves sensitive user info like user_id, email, phone, etc.
3- See the header Cf-Cache-Status: DYNAMIC, which means that Cloudflare did not consider the URL eligible for caching
4- Try adding /test.css, so https://subdomain.target.com/gb/account/test.css, and notice that you get a “Page not found” page, but Cf-Cache-Status changed from DYNAMIC to MISS
5- Don’t assume that there is no bug: look at the “Page not found” page source code and notice that the window.current_user object still exists and has all the user info
6- Open the URL https://subdomain.target.com/gb/account/test.css from a different browser and make sure that the data still exists
So I reported the bug and the severity was P3
Second Bug:
It was a public BBP on HackenProof and, like any website on HackenProof, it was a Web3 website
1- Create an account
2- Notice an endpoint https://www.target.com/-/x/us/us/open/user/get which is an API endpoint that retrieves all user info, and notice Cf-Cache-Status: DYNAMIC
3- Try https://www.target.com/-/x/us/us/open/user/get/test.css and notice that Cf-Cache-Status changed from DYNAMIC to MISS, but you get a 404 page which does not leak any sensitive data
4- Try https://www.target.com/-/x/us/us/open/user/get;test.css and notice that the response includes all user info and also includes Cf-Cache-Status: MISS; when I sent the request again it changed from MISS to HIT, which means the response was returned by the cache server, not the origin server
“What happened here is something called path confusion: the server treats the ; as a parameter delimiter, the same way it treats ?, so the server returns the response for the /get endpoint and ignores ;test.css. But the cache server treats /get;test.css as a static CSS file, so it caches the content”
5- Open https://www.target.com/-/x/us/us/open/user/get;test.css in a different browser and make sure that the data still exists
6- The same bug was also affecting another subdomain, https://global.target.com
I reported the bug and the severity was Medium (6.9)
Third bug:
Someone on Facebook told me that he had a private program, a web3 website that caches every request but does not cache any request under /_api/*, and he asked me if I could get a cache deception bug
Note: For this bug I don’t have an image of the bounty because that guy didn’t share the bounty with me; he just told me it was accepted as P3, then he gave me $35 and then unfriended me on Facebook without any reason 🤣
1- Create an account
2- Notice that the website returns every response with Cf-Cache-Status: HIT, but the endpoint which returns user data, /_api/ucenter/user-info, returns Cf-Cache-Status: DYNAMIC
3- Try /any-cached-endpoint%2F../_api/ucenter/user-info and notice that you get the content of /_api/ucenter/user-info but with Cf-Cache-Status: MISS; when sent again it changed to Cf-Cache-Status: HIT
What happened here is that the server decodes the URL https://target.com/any-cached-endpoint%2F../_api/ucenter/user-info, performs the path traversal and returns the content of https://target.com/_api/ucenter/user-info, but the cache treats the URL as if /_api/ucenter/user-info were under /any-cached-endpoint/ and caches it
4- Open the URL in a different browser to make sure the data still exists
Then the guy reported the bug and got the bounty
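All three bugs share one root cause: the cache decides cacheability from the literal request path while the origin routes on a normalized one (after percent-decoding, dropping `;` path parameters and collapsing `..`). As an added defensive example, not the author's code, here is a small Python log scanner that computes the origin's view of each path and flags requests where the two views disagree; the sensitive prefixes, static-extension list and log lines are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed for this example: prefixes the origin serves per-user (never
# cacheable) and extensions a naive CDN rule treats as static.
SENSITIVE_PREFIXES = ("/gb/account", "/-/x/", "/_api/")
STATIC_EXT = (".css", ".js", ".png", ".woff2")


def origin_view(raw_path: str) -> str:
    """Approximate the origin's routing view of a raw path: percent-decode
    (twice, for double encoding), drop ';' params, collapse '..' segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path


def is_deception_candidate(raw_path: str) -> bool:
    """True when the origin would answer with per-user content but a cache
    keying on the literal path (extension or prefix) would store it."""
    literal = raw_path.split("?", 1)[0]
    cache_stores = (literal.lower().endswith(STATIC_EXT)
                    or not literal.startswith(SENSITIVE_PREFIXES))
    return cache_stores and origin_view(raw_path).startswith(SENSITIVE_PREFIXES)


def scan_log(lines):
    """Return (normalized_path, cache_status) for candidate requests whose
    Cf-Cache-Status shows the response was actually stored (MISS or HIT)."""
    found = []
    for line in lines:
        _method, raw_path, _status, cache_status = line.split()
        if cache_status in ("MISS", "HIT") and is_deception_candidate(raw_path):
            found.append((origin_view(raw_path), cache_status))
    return found


# Constructed log lines: method path status cf-cache-status
SAMPLE_LOG = [
    "GET /gb/account/ 200 DYNAMIC",
    "GET /gb/account/test.css 404 MISS",
    "GET /-/x/us/us/open/user/get;test.css 200 HIT",
    "GET /any-cached-endpoint%2F../_api/ucenter/user-info 200 MISS",
    "GET /static/app.css 200 HIT",
]
```

Calling scan_log(SAMPLE_LOG) flags the three attack-shaped requests and leaves the genuine static asset alone; the same normalization, applied at the CDN before the cache key is built, is the fix.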