New Cache Poisoning Attack Lets Attackers Target CDN Protected Sites
A team of German cybersecurity researchers has discovered a new cache poisoning attack against web caching systems that could be used by an attacker to force a targeted website into delivering error pages to most of its visitors instead of legitimate content or resources. The issue could affect...
Magecart skimmers found on Amazon CloudFront CDN
Update 06-08-2019: The compromises of Amazon S3 buckets continue and some large sites are being affected. Our crawler spotted a malicious injection that loads a skimmer for the Washington Wizards page on the official NBA.com website. The skimmer was inserted in this JavaScript library:...
WAFW00F v1.0.0 - Detect All The Web Application Firewall!
WAFW00F identifies and fingerprints Web Application Firewall (WAF) products. How does it work? To do its magic, WAFW00F does the following: it sends a normal HTTP request and analyses the response, which identifies a number of WAF solutions. If that is not successful, it sends a number of potentially...
Ping Identity: Internal Hostname disclosure from multiple Apache servers via blank host header method
This vulnerability was due to a general misconfiguration of Apache servers; this is a good example of the importance of "Secure Defaults" in open-source projects. An example of a generic request and response would be: openssl s_client -connect apache.example.com:443 GET apache.example.com/foo...
d31bfnnwekbny6.cloudfront.net XSS vulnerability
Open Bug Bounty ID: OBB-690906. Details: Affected Website: d31bfnnwekbny6.cloudfront.net; Open Bug Bounty Program: Create your bounty program now. It's open and free.; Vulnerable Application: hidden until disclosure; Vulnerability Type: XSS (Cross Site Scripting) / CWE-79; CVSSv3...
CLI for Ephemeral Penetration Testing: hideNsneak
This application assists in managing attack infrastructure for penetration testers by providing an interface to rapidly deploy, manage, and take down various cloud services. These include VMs, domain fronting, Cobalt Strike servers, API gateways, and firewalls. hideNsneak provides a simple...
Aws_Public_Ips - Fetch All Public IP Addresses Tied To Your AWS Account
aws_public_ips is a tool to fetch all public IP addresses (both IPv4 and IPv6) associated with an AWS account. It can be used as a library and as a CLI, and supports the following AWS services, all in both Classic and VPC flavors: API Gateway, CloudFront, EC2 (and as a result: ECS, EKS, Beanstalk, Fargate,...
Grab: Subdomain Takeover Via Insecure CloudFront Distribution cdn.grab.com
Good day, I truly hope it treats you awesomely on your side of the screen :) I have found that your website cdn.grab.com is pointed via a CNAME to a CloudFront instance (cdn.grab.com = .cloudfront.net). This was not registered on Amazon AWS CloudFront. I was able to take over the domain. See my POC P...
CloudFrunt - A Tool For Identifying Misconfigured CloudFront Domains
CloudFrunt is a tool for identifying misconfigured CloudFront domains. Background: CloudFront is a Content Delivery Network (CDN) provided by Amazon Web Services (AWS). CloudFront users create "distributions" that serve content from specific sources (an S3 bucket, for example). Each CloudFront...
Identify Misconfigured CloudFront Domains: CloudFrunt
CloudFrunt is a tool for identifying misconfigured CloudFront domains. CloudFront is a Content Delivery Network (CDN) provided by Amazon Web Services (AWS). CloudFront users create "distributions" that serve content from specific sources (an S3 bucket, for example). Each CloudFront distribution has a...
Greenhouse.io: DoS through cache poisoning using invalid HTTP parameters
I was taking a look into a related report (https://hackerone.com/reports/298265) and I discovered that the https://boards.greenhouse.io/embed/jobboard/js?for= endpoint doesn't throw errors when I try to pass in an array of `for` parameters like this:...
GSA Bounty: Subdomain Takeover due to unclaimed domain pointing to AWS
Note: I know this is on an out of scope domain, however felt it should still be raised as it was the only subdomain of data.gov to be vulnerable. Issue Details The consultant identified that subdomain https://18f.domains.api.data.gov/ is pointing to dn9rrjaiux2m0.cloudfront.net via a DNS CNAME...
GSA Bounty: Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS
An attacker can deface various pages on catalog.data.gov, causing malicious JavaScript to execute when the pages are visited by a normal user. The root problem is that the server trusts the X-Forwarded-Host HTTP header and uses it to populate the 'data-site-root' and 'data-locale-root' attributes on...
Trello: Subdomain Takeover Possible [N/A]
Hello, Trello Security Team. Today, 04/11/2017, 03:52, I discovered an issue in your website. I found this error in: http://d2k1ftgv7pobq7.cloudfront.net/ ERROR The request could not be satisfied. Bad request. Generated by cloudfront...
subjack - Hostile Subdomain Takeover tool written in Go
subjack is a Hostile Subdomain Takeover tool written in Go, designed to scan a list of subdomains concurrently and identify those that can be hijacked. With Go's speed and efficiency, this tool really stands out when it comes to mass-testing. Always double check the results manually to rule...
d2qsy1h1438jt3.cloudfront.net Open Redirect vulnerability
Vulnerable URL: http://d2qsy1h1438jt3.cloudfront.net/redirect.ashx?url=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgvT1BFTkJVR0JPVU5UWS8pPC9zY3JpcHQ%2B Details: Patched: Verification in progress; Latest check for patch: 03.01.2018; Vulnerability type: Open Redirect...
Razer US: 2 Subdomain takeovers
Two domains no longer in use under .razerzone.com were left pointing to Cloudfront servers that were no longer active. The DNS entries were cleared. We appreciate the report and look forward to working with the researcher in the future...
How to Protect AWS API Gateway with SecureSphere WAF
Serverless architectures are becoming more and more popular, and Amazon's API Gateway service is a key factor in many serverless deployments on AWS. Currently, API Gateway only supports a public CloudFront endpoint, and securing the API Gateway with high-end WAF protection may seem like a difficul...
cloudfront.mediamatters.org XSS vulnerability
Vulnerable URL: https://cloudfront.mediamatters.org/static/flash/mediaplayer.swf?file=http://content.bitsontherun.com/videos/bkaovAYt-364766.flv=false&image=http://appsec.ws/ExploitDB/cMon.jpg=true=javascript:confirm/openbugbounty/;//=blank&.swf Details: Patched: No; Latest...
Ubiquiti Inc.: Subdomain takeover on https://cloudfront.ubnt.com/ due to non-used CloudFront DNS entry
So lately I have discovered that CloudFront is not validating which user connects a CNAMEd domain to a CloudFront Origin. This means that if I could find a domain that is still pointing to CloudFront without being connected to any Origin as a Custom CNAME, I can actually claim the domain...