Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cache Deception + CSPT: Turning Non Impactful Findings into Account Takeover

zere, posted 2 months ago
  • The author was reviewing a website when they found two separate issues: a cache deception issue and a client-side path traversal (CSPT) bug. Separately, they were useless. Together, they created an account takeover.
  • Web cache deception is tricking a cache into storing a response that should never be cached, by way of a crafted link. While reviewing the application, they appended .css to an endpoint that returned an authentication token. Unfortunately, this API required the X-Auth-Token header, which wouldn't be automatically added to the request. This is issue number 1.
  • They were reviewing client-side code and noticed that a URL parameter was being inserted directly into the path used to make an API request. By placing ../ sequences in that parameter, the client-side code can be made to issue an arbitrary API call, and that call carries the user's authentication. They weren't able to do anything useful with this by itself.
  • Now, let's combine the bugs! Use the CSPT to make an authenticated API request whose path ends in .css. The response, token included, would now be cached! The exploit is just the user clicking on the following link: https://example.com/user?id=../../../v1/token.css.
  • This is a super neat chain of bugs. CSPT and web cache deception have always felt like black magic to me.
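To make the CSPT half of the chain concrete, here is an added example of my own (not code from the summarized post): the path-building bug next to a hardened version that validates the identifier and checks the normalised path. The origin, the /api/v1/users/ prefix and the digits-only id format are assumptions for the example.

```javascript
const API_BASE = "https://example.com";   // constructed origin for this example
const USERS_PREFIX = "/api/v1/users/";    // assumed location of the user endpoint
const USER_ID = /^[0-9]{1,20}$/;          // assumed shape of a valid user id

// Resolve a request path the way the browser's fetch() would, so any "../"
// segments are collapsed before the request leaves the client.
function resolvedPath(path) {
  return new URL(path, API_BASE).pathname;
}

// Vulnerable: the untrusted `id` query parameter is spliced straight into
// the API path, so "../" in it steers the authenticated request elsewhere.
function buildUserPathVulnerable(id) {
  return `${USERS_PREFIX}${id}`;
}

// Hardened: allow-list the identifier, encode it anyway, and confirm the
// normalised path still sits under the intended prefix.
function buildUserPathSafe(id) {
  if (typeof id !== "string" || !USER_ID.test(id)) {
    throw new Error("rejected user id: " + JSON.stringify(id));
  }
  const path = resolvedPath(`${USERS_PREFIX}${encodeURIComponent(id)}`);
  if (!path.startsWith(USERS_PREFIX)) {
    throw new Error("path escaped " + USERS_PREFIX);
  }
  return path;
}

// Regression check: does the vulnerable builder let `id` move the request
// outside the users prefix? True means the parameter is traversable.
function escapesPrefix(id) {
  return !resolvedPath(buildUserPathVulnerable(id)).startsWith(USERS_PREFIX);
}
```

The check is worth keeping in the front-end test suite: a parameter that can change which endpoint an authenticated request hits is exactly what turns a harmless cache misconfiguration into a token leak.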