25.8 Lab: Web cache poisoning via a fat GET request

This lab is vulnerable to web cache poisoning. It accepts GET requests that have a body, but does not include the body in the cache key. A user regularly visits this site's home page using Chrome. To solve the lab, poison the cache with a response that executes alert(1) in the victim's browser.

Karthikeyan Nagaraj
2 min read, May 28, 2024

Description

This lab is vulnerable to web cache poisoning. It accepts GET requests that have a body, but does not include the body in the cache key. A user regularly visits this site's home page using Chrome.

To solve the lab, poison the cache with a response that executes alert(1) in the victim's browser.

Solution

  1. Observe that every page imports the script /js/geolocate.js, executing the callback function setCountryCookie(). Send the request GET /js/geolocate.js?callback=setCountryCookie to Burp Repeater.
  2. Notice that you can control the name of the function that is called in the response by passing in a duplicate callback parameter via the request body. Also notice that the cache key is still derived from the original callback parameter in the request line:

     GET /js/geolocate.js?callback=setCountryCookie

     callback=arbitraryFunction

  3. Send the request again, but this time pass in alert(1) as the callback function. Check that you can successfully poison the cache.
  4. Remove any cache busters and re-poison the cache. The lab will solve when the victim user visits any page containing this resource import URL.
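As an added illustration (not part of the original write-up or the lab's code), the following Python model shows why a cache keyed on the request line alone is poisoned when the origin lets GET-body parameters override the query string, and how an origin that ignores the body on GET (and only accepts identifier-shaped callbacks) is not. The origin logic, the `Cache` class and the sample JSONP payload are assumptions for the demonstration.

```python
from urllib.parse import parse_qs


def parse_params(query: str, body: str, merge_body: bool) -> dict:
    """Origin-side parameter handling.

    merge_body=True models the lab's defect: parameters found in the
    body of a GET request override those in the query string.
    """
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if merge_body and body:
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params


def origin_geolocate(query: str, body: str, merge_body: bool) -> str:
    """Build the JSONP response for /js/geolocate.js (constructed payload)."""
    callback = parse_params(query, body, merge_body).get("callback", "setCountryCookie")
    # Hardened origin: besides ignoring the GET body, refuse anything that
    # is not a plain JavaScript identifier, so no expression can be injected.
    if not merge_body and not callback.isidentifier():
        return "/* rejected callback */"
    return f'{callback}({{"country":"United Kingdom"}});'


class Cache:
    """Toy cache whose key is method + path + query string, never the body."""

    def __init__(self, merge_body: bool):
        self.store = {}
        self.merge_body = merge_body

    def get(self, query: str, body: str = "") -> str:
        key = ("GET", "/js/geolocate.js", query)  # body deliberately absent, as in the lab
        if key not in self.store:
            self.store[key] = origin_geolocate(query, body, self.merge_body)
        return self.store[key]


def victim_sees_after_fat_get(merge_body: bool) -> str:
    """Return what an ordinary GET receives after a fat GET was cached first."""
    cache = Cache(merge_body)
    # Fat GET: same request line as the victim, but with a body parameter.
    cache.get("callback=setCountryCookie", body="callback=arbitraryFunction")
    # The victim's normal request hits the same cache key.
    return cache.get("callback=setCountryCookie")
```

With `merge_body=True` the victim receives `arbitraryFunction(...)`; with the hardened origin the cached entry still calls `setCountryCookie`.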

Karthikeyan Nagaraj

Security Researcher | Bug Hunter | Web Pentester | CTF Player | TryHackme Top 1% | AI Researcher | Blockchain Developer