Web cache deception in Valve


Last night I was hunting bugs in Valve's bug bounty program, and I came across an interesting bug called a 'web cache deception attack'.

To learn what this attack is, see https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf.

So I visited the site partner.steamgames.com and saw that it had login functionality.
I logged in while running dirsearch in the background. I couldn't find any interesting bugs right away, but looking at my dirsearch results, I saw that two paths returned the exact same response, namely:

partner.steamgames.com/documentation and partner.steamgames.com/documentation/config.yml

I had read about web cache deception a few days earlier, and it struck me. So I went to a page with user info, partner.steamgames.com/home, and then to partner.steamgames.com/home/tmh.css. Both returned the same result! So all the conditions for a WCD attack were fulfilled.

Next I opened a private window, visited partner.steamgames.com/home/tmh.css, and voila :)

Now all I have to do is get the victim to visit a page displaying sensitive info via a malformed URL, and then I can access the cached copy. Also, any websites sitting behind the same reverse proxy will be affected by this bug.
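As an added example (not part of the original post, and not Valve's or Steam's code), here is the cache-admission check a reverse proxy or CDN edge could apply to close this gap: a response is only stored when the URL's extension matches the Content-Type the origin actually returned and the response carries no private or cookie-setting state. The extension-to-type table is an assumption for the example.

```python
"""
Cache-admission guard for a shared cache (reverse proxy / CDN edge).

The flaw described above: the cache keys on the URL's file extension
(.css) while the origin ignores the trailing path segment and serves the
authenticated HTML for /home. This guard refuses to cache unless the
extension agrees with the origin's Content-Type and the response is not
marked private. Added example, not Steam/Valve code.
"""
from urllib.parse import urlsplit
import posixpath

# Constructed mapping (assumption): extensions the edge is willing to cache,
# and the Content-Types the origin must actually return for each of them.
STATIC_TYPES = {
    ".css": {"text/css"},
    ".js": {"application/javascript", "text/javascript"},
    ".png": {"image/png"},
    ".jpg": {"image/jpeg"},
    ".svg": {"image/svg+xml"},
}


def _base_type(content_type: str) -> str:
    # "text/html; charset=utf-8" -> "text/html"
    return content_type.split(";", 1)[0].strip().lower()


def _has_private_directive(cache_control: str) -> bool:
    directives = {d.strip().lower() for d in cache_control.split(",")}
    return bool(directives & {"private", "no-store", "no-cache"})


def is_cacheable(url: str, content_type: str, cache_control: str = "",
                 set_cookie: bool = False) -> bool:
    """Return True only when a shared cache may safely store the response."""
    path = urlsplit(url).path
    ext = posixpath.splitext(path)[1].lower()
    if ext not in STATIC_TYPES:
        return False      # not a static-asset path: never cache on a bare URL
    if _base_type(content_type) not in STATIC_TYPES[ext]:
        return False      # extension/type mismatch: the cache deception signature
    if _has_private_directive(cache_control):
        return False      # origin says this is per-user
    if set_cookie:
        return False      # origin is issuing session state with this response
    return True
```

The first rule is what would have stopped the /home/tmh.css case: the origin answered with text/html, so the .css key must not be honoured.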

Bounty? $750 + $150

Always keep reading everything, including every white paper you come across on the internet.