How I managed to trigger a Stored-XSS in an online store with the help of Cache Poisoning
Updated: Feb 9
Hey everyone, welcome to my first blog post. I hope you'll find it informative.
Web cache poisoning is an advanced technique whereby an attacker exploits the behaviour of a web server and cache so that a harmful HTTP response is served to other users.
A poisoned web cache can be a devastating means of distributing many different attacks, exploiting vulnerabilities such as JavaScript injection, open redirection, XSS (in my case) and so on.
I am new to bug hunting, so I like to participate in responsible disclosure programs because there is less competition and a lot to learn.
I was testing an online store company, let's call it onlinestore.com. I started with content discovery but didn't find anything juicy on the primary domain, then tried subdomain enumeration and found a few interesting subdomains with the help of this command:
> subfinder -d onlinestore.com | httpx -title -status-code
One subdomain looked suspicious because it was only for the staff of onlinestore.com, so I thought let's give it a try.
Then I did some subdomain discovery and found an admin login panel.
I tried some SQLi payloads but had no success. As there was no reCAPTCHA on the login page, I decided to check for missing rate limiting, and it was vulnerable.
Then I started playing with the requests and found that adding an extra Host header to the request got reflected in the response's source.

I had read that tampering with the Host header can lead to a web cache poisoning attack, which can then be escalated to XSS and more severe attacks, so I started looking for the right request to apply this to.
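To make the mechanism concrete, here is an added simulation (not code from this post or from the store's application) of why a reflected Host header that is not part of the cache key lets one tampered request poison what every later visitor receives, next to a hardened handler that validates and escapes the value. The host names, paths and handler names are assumed.

```python
import html
from typing import Callable, Dict, Tuple

# Assumed allowlist of hostnames the application is actually served on.
ALLOWED_HOSTS = {"onlinestore.example"}

Origin = Callable[[str, Dict[str, str]], str]


class PathKeyedCache:
    """Constructed cache that keys responses on the path only.

    Request headers such as Host are 'unkeyed': they influence the
    response body but not which cache entry it is stored under.
    """

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}

    def fetch(self, path: str, headers: Dict[str, str], origin: Origin) -> Tuple[str, bool]:
        """Return (body, cache_hit)."""
        if path in self.store:
            return self.store[path], True
        body = origin(path, headers)
        self.store[path] = body
        return body, False


def vulnerable_origin(path: str, headers: Dict[str, str]) -> str:
    # Reflects whatever Host the client sent, unvalidated and unescaped.
    host = headers.get("Host", "")
    return f'<link rel="canonical" href="https://{host}{path}">'


def hardened_origin(path: str, headers: Dict[str, str]) -> str:
    # Unknown hosts fall back to the canonical name, and the value is
    # HTML-escaped before it is written into the page.
    host = headers.get("Host", "")
    if host not in ALLOWED_HOSTS:
        host = "onlinestore.example"
    return f'<link rel="canonical" href="https://{html.escape(host)}{path}">'


def poisoning_succeeds(origin: Origin) -> bool:
    """One request with a tampered Host, then a normal visitor's request."""
    cache = PathKeyedCache()
    cache.fetch("/staff/login", {"Host": "evil.example"}, origin)  # constructed
    body, hit = cache.fetch("/staff/login", {"Host": "onlinestore.example"}, origin)
    return hit and "evil.example" in body
```

Escaping and an allowlist stop the injection, but the cache layer also needs fixing: any header that changes the response must be part of the cache key (or the response must not be cached), otherwise a non-script variant of the same trick still serves wrong content to other users.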
After some tries, while I was trying to escape the reflection of the external Host value in the response, I found that adding arbitrary values to one of the cookie parameters was also getting reflected in the response. I tried injecting some command injection and SQLi payloads, but it was only cookie pollution caused by improper validation in the backend.
Then I tried tampering with the parameter using some values in a POST request with some content, and found that it got saved in the caching server and the page was blank.
I added some text, "Hello", gave the parameter a different value, opened the page, and yes, it was getting reflected.
Then, instead of Hello, I tried adding these two JavaScript payloads one by one:
javascript:alert(1) and <script>alert(1)</script>
but the payload didn't get executed; there was just a reflection of the text.
I was confused about what was happening. Then I looked at the request, saw the header Accept: text/html, and thought maybe some text along with the script would work, so I tried
Hello<script>alert(document.cookie)</script>
and guess what?

I was surprised this worked: when I used only the payload it didn't get executed, but with a string in front of it I was able to hit the payload.
I reported the vulnerability and got a reply back from the team, and with this I was able to get my first Hall of Fame recognition in 2021.

I hope you found it useful. Thank you and happy hunting.