Summary:
A Cache Poisoned Denial of Service (CPDoS) vulnerability was identified on an important endpoint from Grab's HackerOne Bug Bounty Program, where injecting a CRLF sequence into an HTTP request header caused upstream 502 Bad Gateway or 504 Gateway Timeout responses to be cached and served to unrelated users.
The attack requires only two carefully timed requests, works across IPs and regions, and results in a persistent denial of service without resource exhaustion. The root cause is a lack of input validation and unsafe header handling, combined with improper caching of error responses.
Background:
While researching HTTP Request Smuggling on the target, I noticed repeated 502 Bad Gateway responses even after removing the smuggling payloads. Further inspection revealed an incrementing Age header, with the error being served across IPs and across countries!
These signs showed cache involvement and reminded me of previously documented CPDoS techniques described by James Kettle (@albinowax).
I reported my findings on 2 October 2025 with a detailed description and a PoC video; the issue was ultimately classified as out of scope under "Denial of Service." As a result, I chose not to publish the exact endpoint, to avoid unnecessary risk.
Root cause:
- CRLF injection in a custom request header
- Weak input validation
- Weak input sanitization
- Upstream parsing failure (triggering the 502 or 504)
- Improper caching of error responses
- Cache key insufficiently varying on poisoned input
Because the poisoned response is cached, all subsequent requests are served the error until the cache entry expires (a short-lived 10 seconds).
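As an added example (not code from the original report or from Grab), the two defender-side checks that address the root causes above, plus detection logic that spots the tell-tale sign from the Background section: a 5xx response served as a cache HIT, with a non-zero Age, to several distinct client IPs within one cache window. The log format and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data): unix timestamp, client IP,
# HTTP status, Age header value, cache status. Documentation-range IPs.
SAMPLE_LOG = """\
1696233600 203.0.113.10 200 0 MISS
1696233601 203.0.113.10 502 0 MISS
1696233602 198.51.100.7 502 1 HIT
1696233604 192.0.2.55 502 3 HIT
1696233607 198.51.100.9 502 6 HIT
1696233612 203.0.113.10 200 0 MISS
"""

CR_OR_LF = re.compile(r"[\r\n]")


def header_is_safe(value: str) -> bool:
    """Input validation at the edge: refuse any header value carrying CR or LF
    before it is forwarded upstream, so the upstream parser never sees it."""
    return CR_OR_LF.search(value) is None


def is_cacheable(status: int) -> bool:
    """Cache policy: only store successful or redirect responses. A stored
    502/504 is exactly the poisoned entry this writeup describes."""
    return 200 <= status < 400


def find_poisoned_windows(log_text: str, min_clients: int = 2) -> dict:
    """Group 5xx cache HITs by the moment the entry was stored (ts - Age).
    A group served to >= min_clients distinct IPs is a cross-client poisoned
    window. Returns {store_ts: (status, sorted client IPs)}."""
    groups = defaultdict(lambda: (None, set()))
    for line in log_text.splitlines():
        ts, ip, status, age, cache = line.split()
        ts, status, age = int(ts), int(status), int(age)
        if status >= 500 and cache == "HIT" and age > 0:
            store_ts = ts - age  # when the error response entered the cache
            _, ips = groups[store_ts]
            ips.add(ip)
            groups[store_ts] = (status, ips)
    return {
        k: (st, sorted(ips))
        for k, (st, ips) in groups.items()
        if len(ips) >= min_clients
    }
```

Running `find_poisoned_windows(SAMPLE_LOG)` on the sample flags one window, stored at 1696233601, where a 502 was served to three different clients within the 10-second TTL.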
This is not:
- Bandwidth exhaustion
- CPU exhaustion
- Request flooding
- Any other form of DoS testing.
It is a logic-layer cache poisoning vulnerability that was misclassified as a generic Denial of Service (which would obviously be out of scope). The analysts deemed my finding "N/A Out of scope", which appears to stem from a misinterpretation of CPDoS as a traditional resource exhaustion DoS issue.
Method of testing:
I won't share my PoC for safety reasons, but the method of testing is more important in my eyes.
This was done without any tooling, just manual probing and observing the endpoint's responses. I spent weeks on this endpoint because I just felt it was vulnerable, and eventually it paid off. It was trivial to be creative while testing: not only testing for known payloads or techniques, but really thinking outside the box and pushing the endpoint to its limits.
From the moment I observed the strange behavior, I started eliminating variables to see what the actual cause was, until I concluded it was the CRLF injection. While testing I saved all interesting responses in my Joplin notebook, which helped a lot to spot the pattern, make my mental image clearer, and write the final report.
Impact:
- Persistent denial of service for Grab's users
- Cross IP and cross region cache poisoning
- Low attacker cost (2 sequential requests per cache window)
- Scales horizontally with shared caches or CDNs
- Works over HTTP/1 and HTTP/2
An attacker can maintain the availability loss indefinitely using low-frequency, precisely timed requests, making detection difficult.
Tips for fellow hunters:
Mess around with the endpoint and don't give up too early; findings like these are really fun and rewarding when found. Test manually, as tools get used by everyone, including dev or security teams. Use a note-taking app to document all your engagements; this will be a huge asset for you! And as seen in this report, I did not get paid due to the out-of-scope classification, but the lessons learned here have far more value.
Ethical notes:
This issue was reported responsibly via HackerOne, and multiple attempts were made to coordinate disclosure and request publication guidance. After waiting more than 90 days without a response, this writeup is published in good faith. I also found this vulnerability without testing for DoS; it fell into my lap while testing for HTTP Smuggling techniques (no harm or lame DoS intended).
Thank you for reading and happy hunting!