OWOX, Inc.: Server-side cache poisoning leads to the http://my.dev.owox.com inaccessibility

2017-11-16T21:14:26
ID H1:291012
Type hackerone
Reporter sp1d3rs
Modified 2017-11-23T14:58:37

Description

By using a single specially crafted URL, it was possible to cause service inaccessibility for all users who visit the site, as a result of an infinite redirect loop.

I discovered an issue where, by using a single specially crafted URL, it was possible to cause service inaccessibility for all users who visit the site, as a result of an infinite redirect loop. I named it cache poisoning in the report title, but honestly I have no idea what caused this behavior :) It could be a cache or proxy bug. To ensure that the problem exists, and that the site is inaccessible not only for me, I checked it from different IP addresses/proxies/Tor. The issue was discovered occasionally, upon checking for Open Redirects, and was reported a few minutes after discovery. Severity was set according to CVSS3.

POC

1) Visit the following link: http://my.dev.owox.com//www.google.com/%2e%2e%2f

2) my.dev.owox.com will become inaccessible to all users, with the following response:

    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Thu, 16 Nov 2017 21:05:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: http://my.dev.owox.com//www.google.com/%2e%2e%2f/
    X-Frame-Options: SAMEORIGIN

and will go into a constant redirect loop for any user who visits the site.

The OWOX team fixed the issue very fast, I even thought that it was a false positive (cuz I couldn't reproduce the issue after 1hr), and self-closed the report :) Thanks to the team for the fast fix and great experience!
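
A monitoring check for the symptom shown in the POC, as an added example that is not part of the original report: it follows redirects from the site root and reports a chain that repeats a URL or never ends, and it flags a Location path like the one in the response above. The function names, the stubbed fetch functions and the healthy-site behaviour are assumptions constructed so the check runs offline.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def canonical(url):
    """Compare URLs exactly, except for case of scheme and host."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path, p.query)

def odd_location(location):
    """Flag a Location path that starts with '//' or carries encoded dots."""
    path = urlsplit(location).path
    return path.startswith("//") or "%2e" in path.lower()

def find_redirect_loop(start_url, fetch, max_hops=10):
    """Follow redirects through fetch(url) -> (status, location or None).
    Return the URL chain when a URL repeats or the hop budget runs out,
    otherwise None (the chain ended in a non-redirect response)."""
    seen, chain, url = set(), [start_url], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return None
        seen.add(canonical(url))
        url = urljoin(url, location)
        chain.append(url)
        if canonical(url) in seen:
            return chain
    return chain

# Constructed stand-ins for an HTTP client, so the check runs offline.
POISONED = "http://my.dev.owox.com//www.google.com/%2e%2e%2f/"  # Location from the report

def poisoned_fetch(url):
    # Every request gets the same 301, as the report describes.
    return 301, POISONED

def healthy_fetch(url):
    # Hypothetical healthy site: one http -> https hop, then 200.
    if url.startswith("http://"):
        return 301, "https://" + url[len("http://"):]
    return 200, None

if __name__ == "__main__":
    for name, fetch in (("poisoned", poisoned_fetch), ("healthy", healthy_fetch)):
        print(name, find_redirect_loop("http://my.dev.owox.com/", fetch))
```

URLs are compared without trailing-slash normalization on purpose, so an ordinary `/dir` to `/dir/` redirect is not reported as a loop; a server that keeps appending a slash is caught by the hop budget instead.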