
Multiple issues with cache-poisoning-fuzz

Open cyberfreaq opened this issue 2 years ago • 0 comments

Issue 1: Incorrect payloads

As far as I understand, the template should send two identical requests, except the second request should be sent without the additional header, like so:

GET /?7686059f5e627052cfcc5be475cf4ca2=1 HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
aacomtr_Gzip: 7686059f5e627052cfcc5be475cf4ca2.tld
Accept-Encoding: gzip

GET /?7686059f5e627052cfcc5be475cf4ca2=1 HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Connection: close
Accept-Encoding: gzip

However, the template is generating a unique id for every insertion point which results in the following requests:

GET /?7686059f5e627052cfcc5be475cf4ca2=1 HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
Connection: close
aacomtr_Gzip: 1b86a1c9b8eb942077bb997a4467f3a1.tld
Accept-Encoding: gzip

GET /?741a331c4f3fa46631a3aae735b58f4b=1 HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Connection: close
Accept-Encoding: gzip

Issue 2: Malformed header

The plugin author references the following blogpost: https://youst.in/posts/cache-poisoning-at-scale/ The blog author states:

"Sending a header containing an illegal character, \ would cause a cacheable 400 Bad Request error. This was one of the most commonly identified patterns throughout my testing."

However, nuclei throws an error when a backslash character is used as header name, but ONLY when the first response matches:

[WRN] [cache-poisoning-fuzz] Could not execute request for https://site.com: net/http: invalid header field name "\\"

In order to test this I changed the dsl-matcher to contains(body_2, "<html>") so that every response would match.

cyberfreaq · Aug 10 '22 12:08
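The two defects the issue describes both come down to checks that can be made before a request is sent: the request pair must share one cache-buster id (otherwise the second request cannot hit the cache entry the first one created, and the comparison is meaningless), and the injected header name must be a valid RFC 7230 token (otherwise Go's net/http refuses to send it, which is the "invalid header field name" warning quoted above). The following Go program is an added example written for this page; it is not code from the nuclei-templates project or from the issue author. It assumes a simplified request shape (the User-Agent lines from the issue are omitted), and the token check is my own reimplementation of the rule net/http enforces, not a call into net/http itself.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// isTchar reports whether c is a "tchar" as defined in RFC 7230 section 3.2.6,
// the only characters permitted in a header field name. A backslash is not one,
// which is why net/http rejects the header name the blog post describes.
func isTchar(c byte) bool {
	switch {
	case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// ValidHeaderFieldName is a reimplementation (assumption: same rule as net/http)
// of the check applied before a request is written to the wire.
func ValidHeaderFieldName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		if !isTchar(name[i]) {
			return false
		}
	}
	return true
}

// NewCacheBuster returns a 32-character hex id, the same shape as the ids
// shown in the issue, generated once so it can be reused in both requests.
func NewCacheBuster() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// BuildRequestPair renders the two raw requests the issue expects: both carry
// the same cache-buster in the query string, and only the first carries the
// injected header. Invalid header names fail here rather than at send time.
func BuildRequestPair(host, headerName, id string) (withHeader, withoutHeader string, err error) {
	if !ValidHeaderFieldName(headerName) {
		return "", "", fmt.Errorf("invalid header field name %q", headerName)
	}
	common := fmt.Sprintf("GET /?%s=1 HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n", id, host)
	withHeader = common + fmt.Sprintf("%s: %s.tld\r\n", headerName, id) + "Accept-Encoding: gzip\r\n\r\n"
	withoutHeader = common + "Accept-Encoding: gzip\r\n\r\n"
	return withHeader, withoutHeader, nil
}

// requestTarget extracts the path and query from the request line.
func requestTarget(raw string) string {
	line, _, _ := strings.Cut(raw, "\r\n")
	parts := strings.SplitN(line, " ", 3)
	if len(parts) < 2 {
		return ""
	}
	return parts[1]
}

// SameCacheBuster is the consistency check the issue says the template lacks:
// both requests must resolve to the same cache key.
func SameCacheBuster(a, b string) bool {
	t := requestTarget(a)
	return t != "" && t == requestTarget(b)
}

func main() {
	id, err := NewCacheBuster()
	if err != nil {
		panic(err)
	}
	a, b, err := BuildRequestPair("site.com", "aacomtr_Gzip", id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("same cache key: %v\n", SameCacheBuster(a, b))
	_, _, err = BuildRequestPair("site.com", `\`, id)
	fmt.Println("backslash header:", err)
}
```

Generating the id once and passing it into the builder is the whole fix for issue 1; for issue 2, validating the name up front makes the failure deterministic instead of appearing only on hosts whose first response happened to match.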