25.2 Lab: Web cache poisoning with an unkeyed cookie

This lab is vulnerable to web cache poisoning because cookies aren’t included in the cache key. An unsuspecting user regularly visits the site’s home page. To solve this lab, poison the cache with a response that executes alert(1) in the visitor’s browser.

Karthikeyan Nagaraj
2 min read · May 22, 2024

Description

This lab is vulnerable to web cache poisoning because cookies aren’t included in the cache key. An unsuspecting user regularly visits the site’s home page. To solve this lab, poison the cache with a response that executes alert(1) in the visitor's browser.

Solution

  1. With Burp running, load the website’s home page.
  2. In Burp, go to “Proxy” > “HTTP history” and study the requests and responses that you generated. Notice that the first response contains a cookie fehost=prod-cache-01.
  3. Send this request to Burp Repeater.
  4. Place a suitable XSS payload in the fehost cookie, for example:
    fehost=someString"-alert(1)-"someString
  5. Resend the request until you see the payload in the response and X-Cache: hit in the headers.
  6. Once you get the hit, right-click the response, choose “Show response in browser”, load the URL in your browser and confirm that the alert() fires to solve the lab.
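As an added illustration (not the lab’s or the author’s code), the model below reproduces the bug the steps above exploit: a cache whose key omits the Cookie header serves one client’s cookie-derived response to every later visitor of that path. The origin, cache and request shapes are simplified stand-ins constructed here; the two switches show the two fixes a defender would apply, keying the cache on the cookie (the effect of honouring Vary: Cookie) and encoding the reflected value.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)


def origin(req: Request, encode: bool) -> str:
    """Stand-in for the lab's origin: it reflects the fehost cookie into an
    inline script. encode=True JSON-encodes the value so a quote cannot
    close the JS string literal (the code-level fix)."""
    fehost = req.cookies.get("fehost", "prod-cache-01")
    value = json.dumps(fehost) if encode else '"' + fehost + '"'
    return '<script>data = {"host":' + value + '}</script>'


class Cache:
    """Front-end cache. key_on_cookie=False reproduces the lab: the key is
    only method + path, so the cookie never distinguishes entries."""

    def __init__(self, key_on_cookie: bool):
        self.key_on_cookie = key_on_cookie
        self.store: dict = {}

    def key(self, req: Request) -> tuple:
        k: tuple = ("GET", req.path)
        if self.key_on_cookie:  # equivalent of honouring Vary: Cookie
            k += (tuple(sorted(req.cookies.items())),)
        return k

    def fetch(self, req: Request, encode: bool = False) -> tuple[str, str]:
        """Returns (body, X-Cache value)."""
        k = self.key(req)
        if k in self.store:
            return self.store[k], "hit"
        body = origin(req, encode)
        self.store[k] = body
        return body, "miss"


PAYLOAD = 'someString"-alert(1)-"someString'  # the cookie value from step 4


def simulate(key_on_cookie: bool, encode: bool) -> tuple[str, str]:
    """One request carrying the crafted cookie primes the cache; then an
    ordinary visitor with the default cookie loads the same page.
    Returns what that visitor receives and whether it was a cache hit."""
    cache = Cache(key_on_cookie)
    cache.fetch(Request("/", {"fehost": PAYLOAD}), encode)
    return cache.fetch(Request("/", {"fehost": "prod-cache-01"}), encode)


def breaks_out(body: str) -> bool:
    """True if the payload landed unencoded: the quote closed the JS string
    and alert(1) is live code rather than string content."""
    return '"-alert(1)-"' in body
```

Only the unkeyed, unencoded combination hands the visitor a cache hit containing live script; either fix on its own is enough to stop that outcome.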


Karthikeyan Nagaraj

Security Researcher | Bug Hunter | Web Pentester | CTF Player | TryHackme Top 1% | AI Researcher | Blockchain Developer