https://squ4r00t.github.io/series/portswigger---web-cache-poisoning/Recent content in Portswigger - Web Cache Poisoning on Offensive security blogHugoen<a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0</a>Sun, 22 Feb 2026 00:00:00 +0000https://squ4r00t.github.io/writeups/cp_unknown_header/Sun, 22 Feb 2026 00:00:00 +0000https://squ4r00t.github.io/writeups/cp_unknown_header/<h2 id="lab-description">Lab Description</h2> <p>This lab is vulnerable to web cache poisoning. A victim user will view any comments that you post. To solve this lab, you need to poison the cache with a response that executes <code>alert(document.cookie)</code> in the visitor&rsquo;s browser. However, you also need to make sure that the response is served to the specific subset of users to which the intended victim belongs.</p> <h2 id="solve">Solve</h2> <p>Looking for unkeyed input with param miner, we find the <code>X-Host</code> header:</p>https://squ4r00t.github.io/writeups/cp_combining_vulns/Sun, 22 Feb 2026 00:00:00 +0000https://squ4r00t.github.io/writeups/cp_combining_vulns/<h2 id="lab-description">Lab Description</h2> <p>This lab is susceptible to web cache poisoning, but only if you construct a complex exploit chain.</p> <p>A user visits the home page roughly once a minute and their language is set to English. To solve this lab, poison the cache with a response that executes <code>alert(document.cookie)</code> in the visitor&rsquo;s browser.</p> <h2 id="solve">Solve</h2>https://squ4r00t.github.io/writeups/cp_unkeyed_cookie/Sat, 21 Feb 2026 00:00:00 +0000https://squ4r00t.github.io/writeups/cp_unkeyed_cookie/<h2 id="lab-description">Lab Description</h2> <p>This lab is vulnerable to web cache poisoning because cookies aren&rsquo;t included in the cache key. An unsuspecting user regularly visits the site&rsquo;s home page. To solve this lab, poison the cache with a response that executes <code>alert(1)</code> in the visitor&rsquo;s browser.</p> <p>Access <a href="https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-an-unkeyed-cookie">here</a></p> <h2 id="solve">Solve</h2> <p>Intercepting the request to the homepage, we find a cookie <code>fehost=prod-cache-01</code> which is reflected in the response inside a javascript object:</p> <figure><img src="https://squ4r00t.github.io/img/portswigger/cp_unkeyed_cookie/cookie-reflected.png" alt="fehost cookie reflected"><figcaption> <p><code>fehost</code> cookie reflected</p>https://squ4r00t.github.io/writeups/cp_multiple_headers/Sat, 21 Feb 2026 00:00:00 +0000https://squ4r00t.github.io/writeups/cp_multiple_headers/<h2 id="lab-description">Lab Description</h2> <p>This lab contains a web cache poisoning vulnerability that is only exploitable when you use multiple headers to craft a malicious request. A user visits the home page roughly once a minute. To solve this lab, poison the cache with a response that executes <code>alert(document.cookie)</code> in the visitor&rsquo;s browser.</p> <blockquote> <p>[!TIP]- Hint This lab supports both the <code>X-Forwarded-Host</code> and <code>X-Forwarded-Scheme</code> headers.</p></blockquote> <p>Access <a href="https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-multiple-headers">here</a></p> <h2 id="solve">Solve</h2> <p>Using <a href="">param miner</a> to guess headers, we find that <code>X-Forwarded-Scheme</code> is an unkeyed headers:</p>https://squ4r00t.github.io/writeups/cp_unkeyed_header/Fri, 20 Feb 2026 00:00:00 +0000https://squ4r00t.github.io/writeups/cp_unkeyed_header/<h2 id="lab-description">Lab Description</h2> <p>This lab is vulnerable to web cache poisoning because it handles input from an unkeyed header in an unsafe way. An unsuspecting user regularly visits the site&rsquo;s home page. To solve this lab, poison the cache with a response that executes <code>alert(document.cookie)</code> in the visitor&rsquo;s browser.</p> <blockquote> <p>[!TIP]- Hint This lab supports the <code>X-Forwarded-Host</code> header.</p></blockquote> <p>Access <a href="https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-with-an-unkeyed-header">here</a></p> <h2 id="finding-unkeyed-inputs">Finding Unkeyed Inputs</h2> <p>The first step is to find unkeyed headers. For this we can use the <a href="">param miner</a> extension in Burp Suite. After running the extension to find unkeyed headers on the home page, we see that <code>X-Forwarded-Host</code> is an unkeyed header:</p>https://squ4r00t.github.io/writeups/cp_dom_xss/Sat, 06 Dec 2025 00:00:00 +0000https://squ4r00t.github.io/writeups/cp_dom_xss/<h2 id="lab-description">Lab Description</h2> <p>This lab contains a DOM-based vulnerability that can be exploited as part of a web cache poisoning attack. A user visits the home page roughly once a minute. Note that the cache used by this lab has stricter criteria for deciding which responses are cacheable, so you will need to study the cache behavior closely.</p> <p>To solve the lab, poison the cache with a response that executes <code>alert(document.cookie)</code> in the visitor&rsquo;s browser.</p>