webPromedium

SyncSphere — Web Cache Deception via URL Parser Inconsistency

hackadvisor

Task: SyncSphere messaging platform behind nginx reverse proxy; nginx caches /share/* paths by raw URI while Express.js normalizes URL-encoded path traversal, creating a cache deception primitive. Solution: craft /share/..%2fapi%2fauth%2fsession URL that nginx caches but Express routes to the session endpoint, use admin bot /report feature to prime cache with admin's session, then steal the admin token and access /api/admin/flag.

$ ls tags/ techniques/

path_traversal nodejs nginx express admin_bot reverse_proxy path_normalization session_leak anti_bot_decoys web_cache_deception url_parser_inconsistency cache_key

web_cache_deceptionpath_normalization_desyncadmin_bot_cache_primingurl_encoding_inconsistencyproxy_cache_location_matchingsession_token_theft

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 375 — PageFlow — Web Cache Deception via Path Normalization— hackadvisor
[web][Pro]DeployVault — Path Confusion to SSRF Chain— hackadvisor
[web][Pro]Lab 322 — NetPulse — IP Spoofing to RCE via Polling Agent API— hackadvisor
[web][free]Dusty Alleys— hackthebox
[web][Pro]PublishWave — XSS via HTTP Cache Poisoning— hackadvisor