gotr00t@cachepurge:~$

Unauthorized Cache Purge Access

The PURGE HTTP method is accessible without authentication

Let's start by explaining cache purging.

Cache purging is a legitimate mechanism that allows removal of cached content from CDN/cache servers. It's designed to:

  1. Clear outdated content
  2. Force cache refresh
  3. Remove specific files from cache
  4. Update content immediately

I decided to check if the purge HTTP method was possible. With a simple curl command you can check the response of the server.

curl -X PURGE https://target.com

[Image: PURGE method response showing status ok with ID]

As you can see in the image, it returned a status of ok with an id. This means the PURGE method is available without authentication. What does this even mean and what can I do with this? If the method is available, anyone can clear the website's cache.

What's the impact?

  1. Forces all requests to origin server
  2. Causes severe performance degradation
  3. Potential server overload and crash
  4. Affects ALL website visitors

Further testing reveals that it works on multiple endpoints. This is an automated script I wrote in Python to check multiple endpoints. The wildcard * means you can purge all cached content on that specific endpoint.

[Image: Python script output showing successful PURGE requests on multiple endpoints]
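On the defending side, the same behaviour shows up in the cache or edge access logs as PURGE requests that were accepted from clients that have no business purging. The following is an added example, not the script from this post: it scans Combined Log Format lines and reports accepted PURGE requests from outside an allowlist, flagging wildcard paths. The allowlist network, the log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: only these networks (e.g. the CMS or deploy host) may purge.
ALLOWED_PURGERS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined Log Format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [01/Jan/2025:10:00:00 +0000] "PURGE /blog/post-1 HTTP/1.1" 200 45 "-" "deploy-bot"
203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "PURGE / HTTP/1.1" 200 45 "-" "curl/8.5.0"
203.0.113.7 - - [01/Jan/2025:10:00:06 +0000] "PURGE /assets/* HTTP/1.1" 200 45 "-" "python-requests/2.31"
198.51.100.9 - - [01/Jan/2025:10:00:09 +0000] "PURGE /index.html HTTP/1.1" 403 12 "-" "curl/8.5.0"
198.51.100.9 - - [01/Jan/2025:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def is_allowed(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ALLOWED_PURGERS)

def find_unauthorized_purges(log_text):
    """Return {client_ip: [(timestamp, path, is_wildcard), ...]} for PURGE
    requests that succeeded (2xx) from clients outside ALLOWED_PURGERS."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "PURGE":
            continue
        try:
            if is_allowed(m["ip"]):
                continue
        except ValueError:
            pass  # hostname or malformed client field: treat as not allowlisted
        if m["status"].startswith("2"):
            findings[m["ip"]].append((m["ts"], m["path"], "*" in m["path"]))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in find_unauthorized_purges(SAMPLE_LOG).items():
        for ts, path, wildcard in hits:
            kind = "WILDCARD purge" if wildcard else "purge"
            print(f"{ts} {ip} accepted {kind} of {path}")
```

A PURGE that is answered with a 403, like the one from 198.51.100.9 in the sample, is what a correctly restricted cache looks like and is not reported.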

This is a SOLID bug bounty finding with clear business impact and easy reproduction!

HAPPY HACKING