Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Weird Vulnerabilities Happening on Load Balancers, Shallow Copies and Caches - 1003

Ozgur Alp, posted 3 years ago
  • Cache poisoning vulnerabilities are typically complicated and hard to come by. This author found a load of them and put them together in a single post.
  • The first issue is a problem with a load balancer. While checking the emails gathered during recon, the author noticed a JavaScript file that contained an email that was not theirs - but had no idea why. After some testing, they noticed this only happened when a particular cookie was removed. It's as if the load balancer was caching the file per user but sent back the most recently cached copy if the request didn't carry the cookie. This issue was used to harvest a large list of emails from the site.
  • Another load balancer issue was the result of a shallow copy being used where a deep copy was needed. It turned out that once an hour a caching bug occurred that led to an email leak. Weird!
  • The final bug started off as hunting for XSSI issues. One of the JavaScript files was constantly changing the information in it. This file contained authorization information for each user. What could go wrong with this?
  • The author deleted all of their cookies and the request still went through! But how? The URL had several other parameters, such as the location and other things, but they weren't random. It turned out that the CDN was caching these JS files keyed on those parameters! By brute forcing the loc parameter, it became possible for an attacker to steal auth information. Pretty neat!
  • A few things to look out for from this:
    • Are emails or IDs what you expect them to be?
    • Test out how the caching is being done. Remove parameters, cookies and other things.
    • Is the JavaScript dynamic? Seems to cause lots of problems if it is.
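The common thread in these bugs is a response that carries per-user data (an email, an auth token) but is treated as shared-cacheable by a load balancer or CDN. The following is an added example, not code from the original post, that audits captured responses for exactly that combination: it flags user-specific bodies that lack `Cache-Control: private`/`no-store`, that are explicitly public, that are not varied on `Cookie`/`Authorization`, or that were already served from a shared cache. The sample responses and the `user_config_js`/`static_lib_js`/`private_js` names are constructed for the demo.

```python
import re

# Heuristics for "this body belongs to one user": an email address or
# something that looks like an auth/session token assignment.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
TOKEN_RE = re.compile(r"""(?i)(auth|token|session)[\w"']*\s*[:=]\s*["']?[\w.-]{8,}""")

# Constructed sample responses (headers, body); not taken from the post.
SAMPLES = {
    "user_config_js": (
        {"Content-Type": "application/javascript",
         "Cache-Control": "public, max-age=3600", "X-Cache": "HIT"},
        'var user = {email: "alice@example.com", authToken: "abc123def456"};'),
    "static_lib_js": (
        {"Cache-Control": "public, max-age=86400"},
        "function add(a, b) { return a + b; }"),
    "private_js": (
        {"Cache-Control": "private, no-store", "Vary": "Cookie"},
        'var user = {email: "bob@example.com"};'),
}


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: value-or-True}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key] = val.strip('"')
        else:
            directives[part] = True
    return directives


def cache_leak_findings(headers, body):
    """Return findings for a per-user body; [] means nothing to flag."""
    h = {k.lower(): v for k, v in headers.items()}
    if not (EMAIL_RE.search(body) or TOKEN_RE.search(body)):
        return []  # static content: sharing it across users is fine
    cc = parse_cache_control(h.get("cache-control", ""))
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    findings = []
    if "no-store" not in cc and "private" not in cc:
        findings.append("per-user body without Cache-Control: private/no-store")
    if "public" in cc or "s-maxage" in cc:
        findings.append("per-user body explicitly shared-cacheable")
    if "cookie" not in vary and "authorization" not in vary:
        findings.append("per-user body not varied on Cookie/Authorization")
    if "hit" in h.get("x-cache", "").lower():
        findings.append("already served from a shared cache (X-Cache: HIT)")
    return findings


def audit(samples):
    """Run the check over every captured response; returns {name: findings}."""
    return {name: cache_leak_findings(hdrs, body) for name, (hdrs, body) in samples.items()}
```

Feed it real captures by replacing `SAMPLES` with the headers and bodies of the dynamic JS files you see during a review; a non-empty finding list on a shared-cached resource is the signal the post describes.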