Misconfigured CDN Cache Poisoning via X-Amz-Server-Side-Encryption Header
ID: cdn-cache-poisoning
Severity: unknown
Author: 0xcharan
Tags: cache,aws,poisoning,cdn,misconfig
Description
When the X-Amz-Server-Side-Encryption header is sent with a user-controlled value, a misconfigured CDN can cache the resulting 400 response, making the page inaccessible.
YAML Source
id: cdn-cache-poisoning

info:
  name: Misconfigured CDN Cache Poisoning via X-Amz-Server-Side-Encryption Header
  author: 0xcharan
  severity: unknown
  description: |
    When the X-Amz-Server-Side-Encryption header is sent with user controlled value, it can lead to a misconfigured CDN cache response with a 400 status code, making the page inaccessible.
  reference:
    - https://portswigger.net/web-security/web-cache-poisoning
  metadata:
    verified: true
    max-request: 2
    shodan-query: X-Amz-Server-Side-Encryption
  tags: cache,aws,poisoning,cdn,misconfig

variables:
  string: "{{to_lower(rand_base(8))}}={{to_lower(rand_base(8))}}"

http:
  - raw:
      - |
        GET /?{{string}} HTTP/1.1
        Host: {{Hostname}}
        X-Amz-Server-Side-Encryption: {{randstr}}

      - |
        GET /?{{string}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "{{randstr}}")'
          - 'status_code_2==400'
        condition: and
# digest: 4a0a0047304502203a67ffa44993964079a182bcd558ce1a04b26f229bef1e667b7ed3e846465d490221009569c1170ba8bb03588e36fbe85e19d27a89ada68a82c5731e745b9de88e4633:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/misconfiguration/aws/cdn-cache-poisoning.yaml"
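
The template's two-request check, modelled offline against a toy edge cache to show which CDN settings make the matchers fire and which do not. This is an added example, not part of the template or of Nuclei; `origin`, `EdgeCache` and `probe` are hypothetical names, and the origin's behaviour (a 400 that echoes the header value) is an assumption inferred from the matchers.

```python
import secrets

HEADER = "x-amz-server-side-encryption"

def origin(headers):
    # Constructed origin (assumption): rejects an unsupported header value
    # with a 400 whose body echoes it, which is what the matchers rely on.
    value = headers.get(HEADER)
    if value is not None and value not in ("AES256", "aws:kms"):
        return 400, f"InvalidArgument: {value}"
    return 200, "<html>ok</html>"

class EdgeCache:
    """Toy CDN edge (hypothetical): the cache key is the URL only."""

    def __init__(self, cache_errors, strip_header):
        self.cache_errors = cache_errors  # store 4xx/5xx responses?
        self.strip_header = strip_header  # drop the header before the origin?
        self.store = {}

    def get(self, url, headers=None):
        headers = {k.lower(): v for k, v in (headers or {}).items()}
        if self.strip_header:
            headers.pop(HEADER, None)
        if url in self.store:
            return self.store[url]
        response = origin(headers)
        if response[0] < 400 or self.cache_errors:
            self.store[url] = response
        return response

def probe(cache):
    """Same two requests and the same 'and' condition as the template."""
    url = f"/?{secrets.token_hex(4)}={secrets.token_hex(4)}"  # cache buster
    marker = secrets.token_hex(8)                              # {{randstr}}
    cache.get(url, {"X-Amz-Server-Side-Encryption": marker})
    status, body = cache.get(url)                              # no header
    return status == 400 and marker in body

if __name__ == "__main__":
    for name, cache in [
        ("caches errors, forwards header", EdgeCache(True, False)),
        ("does not cache errors", EdgeCache(False, False)),
        ("strips header at the edge", EdgeCache(True, True)),
    ]:
        print(f"{name}: flagged={probe(cache)}")
```

Only the first configuration is flagged: either refusing to cache error responses or stripping the header at the edge leaves the second request with a clean 200.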