Varnish Unauthenticated Cache Purge

By kannthu

Severity: Low
Vidoc Module
Tags: #misconfig #cache #hackerone #varnish
Description

What is the "Varnish Unauthenticated Cache Purge" module?

The "Varnish Unauthenticated Cache Purge" module is designed to detect a misconfiguration in a Varnish deployment that allows cache purges without authentication. Varnish is a popular HTTP accelerator and caching reverse proxy that improves website performance by storing copies of web pages in memory.

This module focuses on the vulnerability of unauthenticated cache purges, which can be exploited by unauthorized users to clear the cache and potentially expose sensitive information or disrupt the website's performance.

This module has a severity level of low, indicating that while it is a potential security risk, the impact is not severe.

Author: 0xelkomy

Impact

If the Varnish Unauthenticated Cache Purge vulnerability is present, it can allow unauthorized individuals to clear the cache, potentially leading to the exposure of sensitive information or disruption of the website's performance. This can result in compromised user data, decreased user experience, and potential reputational damage for the affected website.

How does the module work?

The "Varnish Unauthenticated Cache Purge" module works by sending HTTP requests to the target website and analyzing the responses to determine if the cache purge is unauthenticated. It uses specific matching conditions to identify the presence of the vulnerability.

One of the matching conditions checks whether the response body contains the string "<title>200 Purged</title>" (the synthetic page Varnish returns after a successful purge) or the string "\"status\": \"ok\"". The other condition verifies that the HTTP response status code is 200, confirming that the cache purge was executed.

By combining these matching conditions, the module can identify if the Varnish cache purge functionality is accessible without proper authentication.

Example HTTP request:

GET / HTTP/1.1
Host: example.com

Matching conditions:

- Response body contains "<title>200 Purged</title>" or "\"status\": \"ok\""
- HTTP response status code is 200

When both of these conditions are met, the module flags the vulnerability and reports it as a potential security issue.
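The two matching conditions above, reimplemented as an added example that is not the Vidoc module's own code: a small parser for raw HTTP/1.x responses and the matcher run over constructed samples. The samples are a Varnish-style "200 Purged" synthetic page, a refused purge, an unrelated JSON health endpoint and an ordinary cached page; the Varnish bodies are approximations of Varnish's default synthetic HTML, and the 405 "Not allowed." for a purge from outside the ACL is assumed from the ACL example in the Varnish documentation.

```python
"""Matcher for the module's two conditions: HTTP status 200 AND the body
contains either "<title>200 Purged</title>" or '"status": "ok"'.
Added example, not the Vidoc module's code. All sample responses below are
constructed for illustration and only approximate real Varnish output."""

import json
import re

PURGED_TITLE = "<title>200 Purged</title>"
STATUS_OK = '"status": "ok"'


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    # Status line, e.g. "HTTP/1.1 200 Purged" -> 200
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body.decode("utf-8", errors="replace")


def matches_unauthenticated_purge(raw: bytes) -> bool:
    """Module logic: both conditions must hold for the finding to be reported."""
    status, _, body = parse_response(raw)
    return status == 200 and (PURGED_TITLE in body or STATUS_OK in body)


def triage(samples: dict) -> dict:
    """Run the matcher over a set of named raw responses."""
    return {name: matches_unauthenticated_purge(raw) for name, raw in samples.items()}


def build_response(status_line: str, headers: dict, body: str) -> bytes:
    """Assemble a raw HTTP/1.1 response with CRLF line endings (test fixture)."""
    head = [status_line] + [f"{k}: {v}" for k, v in headers.items()]
    head.append(f"Content-Length: {len(body.encode())}")
    return ("\r\n".join(head) + "\r\n\r\n" + body).encode()


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    # Approximation of Varnish's default synthetic page after return (purge).
    "varnish_purged": build_response(
        "HTTP/1.1 200 Purged",
        {"Server": "Varnish", "Content-Type": "text/html; charset=utf-8", "Retry-After": "5"},
        "<!DOCTYPE html>\n<html>\n  <head>\n    <title>200 Purged</title>\n  </head>\n"
        "  <body>\n    <h1>Error 200 Purged</h1>\n    <p>Purged</p>\n  </body>\n</html>\n",
    ),
    # Hardened Varnish: purge from an IP outside the purge ACL is refused
    # (405 "Not allowed." assumed from the Varnish docs' ACL example).
    "varnish_denied": build_response(
        "HTTP/1.1 405 Not allowed.",
        {"Server": "Varnish", "Content-Type": "text/html; charset=utf-8"},
        "<!DOCTYPE html>\n<html>\n  <head>\n    <title>405 Not allowed.</title>\n  </head>\n"
        "  <body>\n    <h1>Error 405 Not allowed.</h1>\n  </body>\n</html>\n",
    ),
    # Unrelated health-check endpoint: a 200 whose JSON body happens to contain
    # '"status": "ok"', so the second word fires although nothing was purged.
    "health_json": build_response(
        "HTTP/1.1 200 OK",
        {"Content-Type": "application/json"},
        json.dumps({"status": "ok", "uptime": 1234}, indent=2),
    ),
    # Ordinary cached page: neither word present.
    "normal_page": build_response(
        "HTTP/1.1 200 OK",
        {"Content-Type": "text/html", "X-Varnish": "32770 32768", "Age": "12"},
        "<html><head><title>Home</title></head><body>Hello</body></html>",
    ),
}

if __name__ == "__main__":
    for name, hit in triage(SAMPLES).items():
        print(f"{name:16s} -> {'REPORT' if hit else 'no match'}")
```

The `health_json` sample is the triage point worth remembering: the `"status": "ok"` word matches any 200 response that carries that JSON fragment, so a hit on that word alone is an indicator to confirm by hand, not proof that the cache was purged. The `varnish_denied` sample shows what the same check sees once purges are restricted to an ACL in VCL: the synthetic page is no longer a 200, so neither condition set fires.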

For more information, refer to the following resources:

- Varnish Cache Invalidation Guidelines
- HackerOne Report on Varnish Cache Purge Vulnerability

Metadata:

- Max request: 1

Module preview

- Concurrent requests: 0
- Passive global matcher: body contains the word "<title>200 Purged</title>" or "\"status\": \"ok\"", and HTTP status is 200
- On match action: Report vulnerability