Curious captives

Combining web cache poisoning vulnerabilities

Poisoning a cache with multiple malicious responses at once. The website is vulnerable to DOM-XSS because of the way the initTranslations() function handles data from the JSON translation file for every language except English. In addition, the home page sometimes uses backslashes as a folder separator, and the server normalises these to forward slashes with a redirect. As a result, a language-setting request containing a backslash triggers a 302 redirect to the proper language path; that redirect response is cacheable and can be used to force other users onto another language version of the home page.

These two exploits are combined: a request imports a malicious JSON file for the targeted language setting from an exploit server, and while that cache entry is still poisoned, the home page is poisoned as well, forcing all users onto the page in that language.
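As an added illustration (not code from the podcast or the lab it discusses), a Node-runnable model of the initTranslations() sink described above beside a hardened version; the element object, escapeHtml helper and the translation sample are assumptions standing in for the real DOM and JSON file.

```javascript
// Added example, not code from the podcast or the lab it discusses: a minimal model of
// the initTranslations() DOM-XSS sink and its hardened form. Runs under Node, so a plain
// object stands in for a DOM element and the translation JSON is a constructed sample.

// Constructed stand-in for the fetched translation file; the "de" entry carries inert
// markup so the two handlers can be compared.
const TRANSLATIONS = {
  en: { welcome: "Welcome" },
  de: { welcome: "Willkommen <i>auf</i> der Seite" },
};

// Minimal DOM element stand-in: records what was written and through which property.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Escape the characters that matter in an HTML text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (as the episode describes it): English is skipped, every other
// language's JSON string is written as HTML, so markup in the file is parsed by the browser.
function initTranslationsVulnerable(lang, key, el) {
  if (lang === "en") return el;
  el.innerHTML = TRANSLATIONS[lang][key]; // DOM-XSS sink: untrusted JSON used as markup
  return el;
}

// Hardened pattern: treat translations as text for every language, English included.
// textContent never parses markup; the escaped copy models what a browser would serialise.
function initTranslationsSafe(lang, key, el) {
  const text = TRANSLATIONS[lang][key];
  el.textContent = text;
  el.innerHTML = escapeHtml(text); // a real browser derives this from textContent itself
  return el;
}

// True when a string still contains a raw tag that a browser would parse.
function hasRawTag(html) {
  return /<[a-zA-Z\/!]/.test(html);
}

console.log(hasRawTag(initTranslationsVulnerable("de", "welcome", makeElement()).innerHTML)); // true
console.log(hasRawTag(initTranslationsSafe("de", "welcome", makeElement()).innerHTML));       // false
```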
