{"vulnerability": "CVE-2021-27577", "sightings": [{"uuid": "93adc9c1-1322-4f5e-9ebf-204236a61fe4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-27577", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/98", "content": "Cache Poisoning at Scale\n\n\ud83d\udc64 by Youstin\n\nEven though Web Cache Poisoning has been around for years, the increasing complexity in technology stacks constantly introduces unexpected behaviour which can be abused to achieve novel cache poisoning attacks. In this paper author will present the techniques that he used to report over 70 cache poisoning vulnerabilities to various Bug Bounty programs.\n\n\n\ud83d\udcdd Contents: \n\u2022 Backstory\n\u2022 Incorrect Handling of the URL Fragment in Apache Traffic Server (CVE-2021-27577)\n\u2022 GitHub CP-DoS\n\u2022 GitLab CP-DoS\n\u2022 X-Forwarded-Scheme - Rack Middleware\n\u2022  CP-DoS on Hackerone.com static files\n\u2022  Single request DoS of www.shopify.com\n\u2022  Stored XSS on 21 subdomains\n\u2022 Cloudflare and Storage Buckets\n\u2022  S3 Bucket\n\u2022  Azure Storage\n\u2022 Fastly Host header injection\n\u2022 Injecting Keyed Parameters\n\u2022 User Agent Rules\n\u2022 Illegal Header Fields\n\u2022 Finding New Headers\n\u2022 Common headers\n\u2022 Conclusion\n\nhttps://youst.in/posts/cache-poisoning-at-scale/", "creation_timestamp": "2021-12-23T09:12:11.000000Z"}]}