I used to wait forever to pass queues on e-commerce websites, but now I spend zero days in queue. I was inspired by the reverse engineering challenge, so I decided to find and build a proof of concept of a zero-day exploit. As of the end of the VTHacks X hackathon, this will be the first time I was able to find this exploit being disclosed.

What it does

This exploit allows you to reliably skip the waiting room provided by FastlyCDN. FastlyCDN is one of the biggest CDNs and edge compute providers. The exploit relies on the default VCL waiting room configuration to generate cookies that skip the queue.

How I built it

I man-in-the-middled my laptop's traffic in order to understand how the stateless waiting room tracked my position in the queue. Through the MITM I was able to see that the page refreshes every 30 seconds and that periodically you're given a new cookie. I then found the VCL configuration that described how the cookie is generated, and I was able to see that the pseudorandom number generator seeds itself with the waiting room cookie. This exploit abuses the fact that cookies aren't checked for how old they are, allowing you to reuse an old cookie to generate a queue-passing cookie. The following snippet of VCL describes the exploit:

} else if (var.decision == "wait") {
    set var.seed = std.strtol(substr(var.sig,0,8),16); // Seed the PRNG with the first 8 hex characters (32 bits) of the cookie signature.
    set var.decision = if (randombool_seeded(var.percentage, 100, var.seed), "allow", "re-wait");
    // Passing the queue is decided by whether the seeded draw lands under var.percentage; because the seed comes from the cookie itself, re-presenting an old cookie reproduces the same draw.
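The design flaw above is that the decision is a pure function of data the client holds, and the cookie is never checked for freshness. The following Python model is an added illustration, not Fastly's VCL or the project's own script: it sketches a stateless waiting-room token with a constructed HMAC secret and an issued-at timestamp, and shows how a verifier that enforces a maximum age rejects a replayed token instead of re-rolling the same deterministic outcome. Function names, the secret, the 60-second window and the sample timestamps are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import random

# Constructed placeholder secret for the demo; a real deployment would use a
# per-service secret held only at the edge, never in client-visible config.
SECRET = b"constructed-demo-secret"


def seeded_decision(sig_hex: str, percentage: int) -> str:
    """Model of the flawed branch: the PRNG seed comes from the cookie signature.

    Same signature -> same seed -> same decision, so a token that once produced
    "allow" will always produce "allow" when presented again.
    """
    seed = int(sig_hex[:8], 16)          # mirrors std.strtol(substr(sig,0,8),16)
    draw = random.Random(seed).random() * 100
    return "allow" if draw < percentage else "re-wait"


def issue_token(position: int, now: int, secret: bytes = SECRET) -> str:
    """Issue a stateless token carrying the queue position and an issued-at time."""
    payload = {"pos": position, "iat": int(now)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token: str, now: int, max_age: int = 60,
                   secret: bytes = SECRET):
    """Return the payload if the token is authentic and fresh, else None.

    Two checks the original configuration lacks on the cookie:
      1. the signature must verify (constant-time compare);
      2. the token must be no older than max_age seconds, so an old token
         cannot be replayed to reproduce a favourable seed.
    """
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now - payload["iat"] > max_age:
        return None  # stale: reject rather than re-run the seeded draw
    return payload


def hardened_decision(token: str, now: int, percentage: int) -> str:
    """Gate the seeded draw behind freshness: stale or forged tokens get 'reject'."""
    payload = validate_token(token, now)
    if payload is None:
        return "reject"
    sig = token.split(".", 1)[1]
    return seeded_decision(sig, percentage)


if __name__ == "__main__":
    tok = issue_token(position=42, now=1000)          # constructed sample times
    print("fresh :", hardened_decision(tok, now=1030, percentage=100))
    print("stale :", hardened_decision(tok, now=1100, percentage=100))
    print("forged:", hardened_decision(tok[:-1] + "0", now=1030, percentage=100))
```

The point of `seeded_decision` is only to make the determinism visible to a reviewer: calling it twice with the same signature must return the same answer, which is exactly why a freshness check (or a server-side time component in the seed) is needed. The max-age window should match the page's refresh interval so a legitimately refreshed cookie is still accepted.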

Challenges I ran into

It was a challenge to understand how the queue worked and how to get through it. Another challenge was getting the proof of concept script to run and succeed in generating a cookie reliably.

Accomplishments that I'm proud of

I am proud that this exploit was able to be written as a short Python script consisting of 28 lines of logic. I am also proud of how reliable this waiting room skip is, as you can generate a queue-skipping cookie with 100% reliability after you pass the queue once.

What I learned

I used PortSwigger's Burp Suite to figure out how the queue functionality works. I also learned how to read VCL to identify issues and understand the logic behind a stateless waiting room.

What's next for Ciphertech - FastlyCDN Queue Skip

The next step for this exploit is to disclose it to FastlyCDN so that a proper mitigation can be put in place.
