How i hacked all Zendesk sites 265,000 site by one line
Hi Everyone!
السلام عليكم ورحمة الله وبركاته
I’m Ahmed Salah Abdalhfaz (Elsfa7–110)
I will talk about the bug I discovered in several recent sites (from 1 year)
As you can see in my bugcrowd profile, several people asked me about these reports
Let’s explain
This bug was in all Zendesk products
As you know, this service is used by more than 265,000 sites
and works by Ruby on Rails
and i know Ruby on Rails applications are often deployed alongside the Rack middleware. The Rack code below takes the value of the x-forwarded-scheme value and uses it as the scheme of the request.(https://youst.in/posts/cache-poisoning-at-scale/)
Sending the x-forwarded-scheme: http header would result into a 301 redirect to the same location. If the response was cached by a CDN, it would cause a redirect loop
This is what happened with Zendesk products
And of course I sent the reports to most of the companies first (etsy,Indeed,Moneytree KK,Quizlet,Skyscanner,Backblaze,SEEK,Acorns Grow, Inc., and a lot of prv programs)
Finally, I spoke to Zendesk and they closed the vulnerability completely
How does this cache poisoning affect other users of the application?
When poisoning cloudflare caches you have to look at the CF-RAY header. Not all worldwide users connect to the same cache, and CF-RAY indicates which cache gave you the response. For example, the following CF-RAY headear value will indicate responses are passed by the France Server:
6d7d6150da02d781-MRS
https://www.cloudflarestatus.com/
MRS = Marseille
If you and your colleagues do not live in a simillar area, you might be talking to different caches. If I were to try requesting that from the USA, the request wouldnt have been poisoned.
Cloudflare and other CDNs publish their ips online, so itterating through them and poisoning a multitude of caches is a one line job.
ref :
https://youst.in/posts/cache-poisoning-at-scale/
https://hackerone.com/reports/1181946
