Note(Datetime, Name) : 2025-04-30 Web cache poisoning via a fat GET request

Metodelogy

1. Investigate the system to retrieve a list of features
2. Discribe the feature and explain how it works
3. List possible vulnerabilities and group by feature
4. Proof of concept for possible vulnerabilities
5. What is the impact of the vulnerabilities after the proof of concept ?

==========================================================================================================

feature:

1. GET / -> Home

steps taken:

1. access GET /js/geolocate.js?callback=setCountryCookie&utm_content&utm_content=sdfaf&utm_content=sdfaf&utm_content=sdfaf&utm_content=sdfaf&utm_content=sd&callback=test -> cache miss
2. access GET /js/geolocate.js?callback=setCountryCookie with body callback=test -> cache miss but callback value was overridden to test, try again until cache hit
3. access GET /js/geolocate.js?callback=setCountryCookie without body callback=test-> cahce hit and callback value was still test

vulnerabilities :

1. web cache poisoning in /js/geolocate.js due to the server read improperly reading parameters from body of a GET request

Proof of concept:

1. access GET /js/geolocate.js?callback=setCountryCookie with body callback=alert(1) -> retry until cache hit is observed
2. access to / -> cached malicious javascript is loaded and alert is triggered in victim browser

impact

1. an attacker can inject and store malicious javascript in the cache. When a victim accesses the cache page , the script executes, potentially leading to cookie theft or other XSS-based attacks

takeaways

1. sanitize all query parameter and prevent uninteded behavior from duplicated keys
2. block or ignore body parsing on GET request