Try   HackMD

Web Cache Poisoning

Lab: Web cache poisoning with an unkeyed header**

Let me explain a little bit about Web cache before going to the lab.

  1. How do the Web cache the (or HTTP cache) work ?
    When the user send a request first time. Server will send the response and cache the data needed for that's request. If the user send same request second time, server don't need to query to get the data from database and send the data in cache. In this way, your server system is more optimized.

Let catch the any request.


Sending the request first time. X-cache:miss (can't not find the data in cache)


Sending the request second time. X-cache:hit (find the data in cache)


(The HTTP X-Forwarded-Host header is used to identify the original request made by the client.)
In the request, X-Forwarded-Host include "shengngu.com".
In the response, "shengngu.com" is added with /resources/js/tracking.js
By this way, the attacker can control the response which user received.


Going to the exploit server.

Creating the payload.


Add X-Forwarded-Host: attacker.website
Then send the request twice.


The lab is solveddddddd.

https://viblo.asia/p/web-cache-poisoning-reborn-by-james-kettle-yMnKMMXEK7P
https://viblo.asia/p/web-cache-poisoning-lo-hong-dau-doc-bo-nho-cache-phan-1-018J2M5a4YK
https://viblo.asia/p/web-cache-poisoning-lo-hong-dau-doc-bo-nho-cache-phan-2-EvbLb5koJnk
Dùng extension Param Miner để detect unkeyed values
Varnish Cache
https://viblo.asia/p/web-cache-poisoning-lo-hong-dau-doc-bo-nho-cache-phan-3-EoW4ombkLml
Cache parameter cloaking
Web cache -> XSS
https://viblo.asia/p/web-cache-poisoning-lo-hong-dau-doc-bo-nho-cache-phan-4-zOQJwAY0VMP
Web cache -> DOS
Bởi URL ban đầu đã đạt đến giới hạn ký tự, nên khi chuyển hướng tới /login/?x=very-long-string có thêm ký tự / đã vượt qua giới hạn, dẫn đến hệ thống không chấp nhận, trả về response lỗi
https://es-la.tenable.com/blog/identifying-web-cache-poisoning-and-web-cache-deception-how-tenable-web-app-scanning-can-help