Web Cache Poison
Identify cacheable resources:
Use a tool like
Burp Suite
or browser developer tools to inspect the response headers of a web page.Look for cache-control headers (
Cache-Control
,Expires
,Vary
) that indicate the response is cacheable by intermediaries (e.g., CDNs, proxies).
Find input that affects the response:
Check if parts of the HTTP request (such as query parameters or headers like
Host
,X-Forwarded-For
) affect the response content.
Test for reflection of malicious content:
Inject payloads that might poison the cache. For example:
Use a parameter like
?search=<script>alert(1)</script>
and see if the response reflects this input.
Poison the cache:
Craft a malicious payload and inject it into a cacheable response. This could be as simple as modifying the
Host
header or using query strings to deliver a malicious script:E.g.,
GET /index.html?lang=<script>alert(1)</script>
.
Verify cache poisoning:
Access the resource from a different browser or device to see if the poisoned response is served from the cache to other users.
Deliver payload to multiple victims:
Once the cache is poisoned, any user accessing the resource will receive the malicious payload until the cache is purged or updated.
Common attack vectors:
HTTP headers like
Host
,X-Forwarded-Host
, orX-Forwarded-For
.Query parameters that affect the response in a cacheable way.
Identify and evaluate unkeyed inputs
To automate the process of identifying unkeyed inputs by use Param Miner, you simply right-click on a request that you want to investigate and click "Guess headers" or "Guess parameters"
Elicit a harmful response from the back-end server
Get the response cached
Amigious body
Overwrite param by body
Unkeyed header
Hosting on the exploit server, injecting the X-Forwarded-Host
header in request(script tracking forwarded request with script on /resources/js/tracking.js), and poison the cache until victim hits poison cache. On exploit server:
Unkeyed parameter
Parameter cloaking
Param Miner extension doing a Bulk scan > Rails parameter cloaking scan
The callback
parameter is keyed, and thus cannot poison cache for victim user, but by combine duplicate parameter with utm_content
it then excluded and cache can be poisoned.
Posion ambigous request
Identify that cache hit headers in responses, then test if the target support X-Forwarded-Host
or X-Forwarded-Scheme
headers. These headers can allow for the stealing of victim session cookie.
Last updated