25.8 Lab: Web cache poisoning via a fat GET request
This lab is vulnerable to web cache poisoning. It accepts GET requests that have a body, but does not include the body in the cache key. A user regularly visits this site's home page using Chrome. To solve the lab, poison the cache with a response that executes alert(1) in the victim's browser | Karthikeyan Nagaraj
Description
This lab is vulnerable to web cache poisoning. It accepts GET requests that have a body, but does not include the body in the cache key. A user regularly visits this site's home page using Chrome. To solve the lab, poison the cache with a response that executes alert(1) in the victim's browser.
Solution
1. Observe that every page imports the script /js/geolocate.js, which executes the callback function setCountryCookie(). Send the request GET /js/geolocate.js?callback=setCountryCookie to Burp Repeater.
2. Notice that you can control the name of the function that is called in the response by passing in a duplicate callback parameter via the request body. Also notice that the cache key is still derived from the original callback parameter in the request line:
   GET /js/geolocate.js?callback=setCountryCookie
   …
   callback=arbitraryFunction
3. Send the request again, but this time pass in alert(1) as the callback function. Check that you can successfully poison the cache.
4. Remove any cache busters and re-poison the cache. The lab will solve when the victim user visits any page containing this resource import URL.
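The steps above hinge on one mismatch: the origin reads the callback name from the request body, while the cache builds its key from the request line only. The following Python simulation is an added example, not code from the lab or from the author; it models a toy origin and cache with that mismatch and then shows the two fixes a defender would apply (make the cache key cover anything that changes the response, or never cache a GET that carries a body) plus a hardened origin that ignores bodies on GET and validates the callback name. The origin behaviour (a body parameter overriding the query-string one) and the log format used by the detection helper are assumptions for the example.

```python
# Added example (not from the lab write-up or PortSwigger): a toy origin and
# cache that reproduce the "fat GET" cache-key mistake, beside defensive fixes.
# The origin behaviour (a body parameter overriding the query-string parameter)
# is an assumption modelled on the lab description.
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    target: str        # request-target, e.g. "/js/geolocate.js?callback=x"
    body: str = ""     # non-empty on a "fat GET"


@dataclass
class Response:
    body: str
    cacheable: bool = True


# A JSONP callback must be a plain identifier; anything else is rejected.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def _params(req: Request, honour_body: bool) -> dict:
    """Merge query-string parameters with body parameters when allowed."""
    _, _, query = req.target.partition("?")
    params = parse_qs(query)
    if honour_body:
        params.update(parse_qs(req.body))   # body value silently wins
    return params


def origin_vulnerable(req: Request) -> Response:
    """Models the lab origin: the body parameter overrides the query one."""
    cb = _params(req, honour_body=True).get("callback", ["setCountryCookie"])[0]
    return Response(body=f'{cb}({{"country":"GB"}});')


def origin_hardened(req: Request) -> Response:
    """Ignores bodies on GET and only reflects a syntactically safe callback name."""
    cb = _params(req, honour_body=req.method != "GET").get("callback", ["setCountryCookie"])[0]
    if not SAFE_CALLBACK.match(cb):
        return Response(body="/* invalid callback */", cacheable=False)
    return Response(body=f'{cb}({{"country":"GB"}});')


class Cache:
    """Minimal shared cache keyed on method + request-target, as in the lab."""

    def __init__(self, origin, key_includes_body=False, bypass_fat_get=False):
        self.origin = origin
        self.key_includes_body = key_includes_body
        self.bypass_fat_get = bypass_fat_get
        self.store = {}

    def key(self, req: Request) -> str:
        k = f"{req.method} {req.target}"
        if self.key_includes_body and req.body:
            # Fix 1: anything that changes the response must be in the key.
            k += " body:" + hashlib.sha256(req.body.encode()).hexdigest()
        return k

    def fetch(self, req: Request) -> Response:
        if self.bypass_fat_get and req.method == "GET" and req.body:
            # Fix 2: a GET with a body is never cached, so it cannot poison.
            return self.origin(req)
        k = self.key(req)
        if k not in self.store:
            resp = self.origin(req)
            if not resp.cacheable:
                return resp
            self.store[k] = resp
        return self.store[k]


TARGET = "/js/geolocate.js?callback=setCountryCookie"


def victim_receives(cache: Cache) -> str:
    """A fat GET arrives first; a normal visitor then fetches the same URL."""
    cache.fetch(Request("GET", TARGET, body="callback=alert(1)"))
    return cache.fetch(Request("GET", TARGET)).body


def flag_fat_gets(log_lines):
    """Detection: flag GET requests whose logged request-body size is non-zero.
    Constructed log format (assumption): method target status body_bytes."""
    flagged = []
    for line in log_lines:
        method, target, _status, body_bytes = line.split()
        if method == "GET" and int(body_bytes) > 0:
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    print("naive cache + lab origin    :", victim_receives(Cache(origin_vulnerable)))
    print("body in cache key           :", victim_receives(Cache(origin_vulnerable, key_includes_body=True)))
    print("fat GETs bypass the cache   :", victim_receives(Cache(origin_vulnerable, bypass_fat_get=True)))
    print("hardened origin, naive cache:", victim_receives(Cache(origin_hardened)))
```

Only the first configuration hands the victim the injected callback; each fix on its own is enough to stop it. In practice, bypassing the cache for any GET with a body is the simplest change to make at the CDN or reverse proxy, while the origin fix (ignore bodies on GET, allow only identifier-shaped callback names) removes the reflection even when the cache is misconfigured. The `flag_fat_gets` helper shows what to look for in proxy logs that record request body size: a GET with a non-zero body is unusual enough to alert on.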
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng