> Since both hosts were behind the same load balancer, it was possible to cache files hosted on redacted-cdn.com under assets.redacted.com, inherently allowing me to move the vulnerable HTML file to a different domain and achieve XSS under a different origin.
Oof that Fastly XSS seems particularly nasty, and no mention of the bounty.
Am I understanding correctly that any website hosted on Fastly was vulnerable to XSS because of this?
>Moreover, ATS generates cache keys by extracting the host, path and query, ignoring the url fragment.
Seems like this should note that browsers don't send the URL fragment in the request. It's solely used browser-side. That's why it shouldn't forward the fragment on.
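To make the two points in this comment concrete (the browser drops the fragment before the request leaves, and a cache that keys on host + path + query therefore never sees it), here is a small added illustration. It is not code from the article or from ATS; `request_target`, `cache_key` and `key_from_request` are hypothetical helpers that mimic the behaviour described, and all URLs are constructed sample inputs. It also shows the one case where something that looks like a fragment does reach the server: a percent-encoded `%23`, which is just path data.

```python
from urllib.parse import urlsplit


def request_target(url: str) -> str:
    """What a browser puts on the HTTP request line for this URL.

    Per RFC 3986 and the Fetch standard the fragment is client-side only,
    so the request-target is path plus optional query and nothing else.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def cache_key(url: str) -> str:
    """Hypothetical key builder mirroring the comment's description of ATS:
    host + path + query, fragment ignored. (Simplified: real caches may
    also fold in scheme, port or selected headers.)"""
    parts = urlsplit(url)
    key = (parts.hostname or "").lower() + (parts.path or "/")
    if parts.query:
        key += "?" + parts.query
    return key


def key_from_request(host_header: str, target: str) -> str:
    """Key as a proxy would derive it from what it actually receives:
    the Host header and the request-target. There is no fragment to strip
    because the browser never sent one."""
    return host_header.lower() + target


if __name__ == "__main__":
    base = "https://assets.example.com/app.js"
    # Same resource, three different fragments: identical request and key.
    for frag in ("", "#top", "#<script>alert(1)</script>"):
        url = base + frag
        print(f"{url!r:55} -> {request_target(url)!r} key={cache_key(url)!r}")
    # Percent-encoded '#' is path data, so it is sent and keyed separately.
    enc = base + "%23foo"
    print(f"{enc!r:55} -> {request_target(enc)!r} key={cache_key(enc)!r}")
    # Proxy-side key from (Host, request-target) matches the URL-derived key.
    assert key_from_request("assets.example.com", request_target(base + "?v=2#x")) == cache_key(base + "?v=2")
```

Run it as a script to see that every fragment variant collapses to the same request-target and cache key, while `%23foo` stays in the path and produces a distinct key; that is why a proxy only needs to worry about fragments it reconstructs itself, never ones the browser sends.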
Jesus Christ, this is massive! Props to Youstin, great work. This is the kind of stuff that keeps people on the internet safe from major attacks with fancy names. I hope he got his bounties!