Analysis of 8 Foundational Cache Poisoning Attacks (HackerOne, GitHub, Shopify) – Part 1


Hi everyone, I’ve been doing a deep dive into Cache Poisoning to understand how the vulnerability class has evolved over the last decade. While modern attacks involve complex gadgets and framework confusion, I realized that to truly understand them, you have to look at the “Foundational” attacks—the early logic flaws that started it all. I analyzed 8 historical case studies from public bug bounty reports. Here are the 3 most interesting patterns that paved the way for modern exploitation:

1. The HackerOne Classic (2014)

The Flaw: The server trusted the X-Forwarded-Host header without validation.
The Attack: Sending X-Forwarded-Host: evil.com caused the application to generate a redirect to the attacker’s domain.
The Impact: The cache stored this redirect. Any legitimate user trying to visit HackerOne was seamlessly redirected to the attacker’s site.

2. GitHub’s Content-Type DoS

The Flaw: GitHub handled Content-Type headers differently for the cache vs. the backend.
The Attack: An attacker could send a request with a malformed content type. The backend would return an error, but the cache would store that error for all unauthenticated users visiting that repo.
The Result: A simple request could DoS a repository for everyone.

3. The Cloudflare Capitalization Bug

The Flaw: Cloudflare normalized headers (converting TaRgEt.CoM to target.com for the cache key), but the origin server treated them as distinct.
The Impact: This allowed attackers to bypass cache keys and poison the response for a massive number of websites behind the CDN.

Why this matters today: Even though these are “old” reports, these exact logic flaws (normalization issues, unkeyed headers) are what cause the complex CP-DoS and secondary-context attacks we see in modern frameworks like Next.js today.

I wrote a full breakdown of all 8 case studies (including Shopify, GitLab, and Red Hat) if you want to see the specific request/response pairs.
Read the Full Analysis (Part 1)

Let me know if you have any questions about the mechanics of these early bugs!

submitted by /u/Empty_Hacker
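To make the "unkeyed header" pattern from case 1 concrete, here is an added toy model (not code from the post or from any of the reports it cites) of a shared cache keyed only on method and path in front of an origin that builds its redirect from X-Forwarded-Host. All hostnames are constructed; the hardened variant shows the origin-side fix of allow-listing the host before it reaches a Location header.

```python
# Added example: a cache that does not key on X-Forwarded-Host, in front of
# (a) an origin that trusts the header and (b) one that validates it.
from dataclasses import dataclass, field

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed hostnames


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def origin_trusting(req: dict) -> Response:
    """Vulnerable origin: copies X-Forwarded-Host into the redirect as-is."""
    host = req["headers"].get("X-Forwarded-Host", req["headers"]["Host"])
    return Response(302, {"Location": f"https://{host}/login"})


def origin_validating(req: dict) -> Response:
    """Hardened origin: only an allow-listed host may appear in Location."""
    host = req["headers"].get("X-Forwarded-Host", req["headers"]["Host"])
    if host not in ALLOWED_HOSTS:
        host = "www.example.com"  # fall back to the canonical host
    return Response(302, {"Location": f"https://{host}/login"})


class Cache:
    """Shared cache keyed on (method, path) only; the header is unkeyed."""

    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def fetch(self, req: dict) -> Response:
        key = (req["method"], req["path"])
        if key not in self.store:          # miss: ask origin, store result
            self.store[key] = self.origin(req)
        return self.store[key]             # hit: everyone gets the stored copy


def run_scenario(origin) -> str:
    """One header-carrying request, then a plain user; return what the user sees."""
    cache = Cache(origin)
    cache.fetch({"method": "GET", "path": "/", "headers":
                 {"Host": "www.example.com", "X-Forwarded-Host": "evil.example"}})
    victim = cache.fetch({"method": "GET", "path": "/",
                          "headers": {"Host": "www.example.com"}})
    return victim.headers["Location"]


if __name__ == "__main__":
    print("trusting origin   ->", run_scenario(origin_trusting))
    print("validating origin ->", run_scenario(origin_validating))
```

The cache-side counterpart of the fix is to either key on X-Forwarded-Host or strip it at the edge, so a stored response can never depend on an input that is not part of its key.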