Denial Of Service via Cache Poisoning - It’s ToxiC

Summary :

Denial Of Service :

Denial-of-Service (DoS) is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash. In both instances, the DoS attack deprives legitimate users of the service or resource they expected.

Cache Poisoning :

Web cache poisoning is an advanced technique whereby an attacker exploits the behavior of a web server and cache so that a harmful HTTP response is served to other users.

The cache key includes only a subset of the request (the values highlighted in the original screenshot), so anyone who subsequently requested that URL would get a cache hit and receive the "This site can't be reached" response with the error ERR_UNSAFE_PORT.

This vulnerability can be exploited in many variations, e.g. using X-Forwarded-Port, X-Forwarded-SSL, Transfer-Encoding, etc.

1. X-Forwarded-Port :

The X-Forwarded-Port header can be used to persistently poison a redirect with an invalid port, causing a timeout for everyone trying to access the website.

2. X-Forwarded-SSL :

On some websites you can use the X-Forwarded-SSL header to overwrite certain pages with a response saying 'Contradictory scheme headers'.

3. Transfer-Encoding :

You can break core functionality by sending an invalid Transfer-Encoding header, which yields a '501 Not Implemented' response; the same header can also be used to overwrite arbitrary pages.

How to find this vulnerability ?

1. Go to your terminal and type this command:

Command : curl -H 'X-Forwarded-Port: 123' https://www.website.com/?toxic=888

[Screenshot: X-Forwarded-Port request]

2. Then try to load https://www.website.com/?toxic=888 in your browser.

[Screenshot: Cached page]

3. You can also use the X-Forwarded-Host header:

Command : curl -H 'X-Forwarded-Host: www.website.com:123' https://www.website.com/?toxic=888

[Screenshot: X-Forwarded-Host request]
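To see why the poisoned redirect persists for every later visitor, here is an added simulation (not code from the original post) of a shared cache keyed only on host and path, sitting in front of an origin that builds its redirect from X-Forwarded-Port. It also shows the two usual mitigations: stripping the untrusted header at the edge, or adding it to the cache key. The hostname, cache-buster and port values are constructed for the example.

```python
# Added example: why an unkeyed X-Forwarded-Port header poisons a shared cache.
from dataclasses import dataclass, field


@dataclass
class Request:
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def origin(req: Request) -> tuple:
    """Origin with the weak behaviour: the redirect port comes from a
    client-controlled header instead of the real listening port."""
    port = req.headers.get("X-Forwarded-Port", "443")
    return 301, {"Location": f"https://{req.host}:{port}{req.path}"}


class Cache:
    """Minimal shared cache: key_fn decides what is part of the cache key,
    strip_headers lists headers the edge removes before anything else."""

    def __init__(self, key_fn, strip_headers=()):
        self.key_fn = key_fn
        self.strip = {h.lower() for h in strip_headers}
        self.store = {}

    def fetch(self, req: Request) -> tuple:
        clean = {k: v for k, v in req.headers.items() if k.lower() not in self.strip}
        req = Request(req.host, req.path, clean)
        key = self.key_fn(req)
        if key not in self.store:            # cache miss: ask the origin once
            self.store[key] = origin(req)
        return self.store[key]               # cache hit: everyone gets this


def key_host_path(req):   # vulnerable: header is unkeyed
    return (req.host, req.path)


def key_with_port(req):   # mitigation 2: header becomes part of the key
    return (req.host, req.path, req.headers.get("X-Forwarded-Port"))


def poisoning_succeeds(cache: Cache) -> bool:
    """One poisoning request, then a plain victim request for the same URL."""
    attacker = Request("www.example.com", "/?toxic=888", {"X-Forwarded-Port": "123"})
    victim = Request("www.example.com", "/?toxic=888")
    cache.fetch(attacker)
    _, headers = cache.fetch(victim)
    return ":123" in headers["Location"]     # victim redirected to the bad port?
```

Mitigation 1 is `Cache(key_host_path, strip_headers=["X-Forwarded-Port"])`; either fix makes the victim's redirect point at the real port.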

How to find this vulnerability using Transfer-Encoding header ?

1. Go to the target website and intercept the request using Burp Suite.
2. Send the request to Repeater and add the header zTRANSFER-ENCODING: dgsht

[Screenshot: Transfer-Encoding request]

3. Click Go and check the response; if the site is vulnerable it will show you an error of 501 'NOT_IMPLEMENTED'.

[Screenshot: 501 Not Implemented response]

Impact : An attacker can persistently block access to any redirects on your target website.

Thank You :)

Instagram : jerry._.3

Happy Hacking ;)

Jerry Shah (Jerry)