
Portswigger - Cache Poisoning with multiple headers

Author: squ4r00t (red teamer)
Web Cache Poisoning - This article is part of a series.
Part 3: This Article

Lab Description

This lab contains a web cache poisoning vulnerability that is only exploitable when you use multiple headers to craft a malicious request. A user visits the home page roughly once a minute. To solve this lab, poison the cache with a response that executes alert(document.cookie) in the visitor’s browser.

Hint

This lab supports both the X-Forwarded-Host and X-Forwarded-Scheme headers.

Access here

Solve

Using Param Miner to guess headers, we find that X-Forwarded-Scheme is an unkeyed header:

X-Forwarded-Scheme header found by Param Miner

If we send a request to the homepage containing the header X-Forwarded-Scheme: http, we get a 302 redirect:

X-Forwarded-Scheme redirection

Let’s see if we can alter the location of the redirect using the X-Forwarded-Host header:

Redirect location altered with X-Forwarded-Host header

As we can see, we can redirect to any domain we want. All we have to do now is host a script that executes alert(document.cookie) on the exploit server at the path /exploit/resources/js/tracking.js and change the redirect domain to the exploit server's. This way, whenever a user tries to import the tracking.js script, they will instead load our malicious script:

Configuring exploit server
Poisoning the cache
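To make the underlying cache-key problem concrete, here is an added toy model (not code from the lab or the original write-up) of an origin that, like the lab, turns X-Forwarded-Scheme: http into a redirect whose host comes from X-Forwarded-Host, behind a cache that keys only on path and Host. It assumes the original script lives at /resources/js/tracking.js and uses constructed placeholder hosts; it shows the poisoned response reaching a clean client, and the two standard fixes: adding the influential headers to the cache key, or stripping them at the edge.

```python
# Added example: a toy model of an unkeyed header poisoning a shared cache.
# Hosts and the script path are constructed placeholders, not lab values.
from typing import Dict, Iterable, Tuple

Response = Tuple[int, Dict[str, str]]


class Origin:
    """Origin that, like the lab, honours X-Forwarded-Scheme/X-Forwarded-Host."""

    def handle(self, path: str, headers: Dict[str, str]) -> Response:
        host = headers.get("X-Forwarded-Host", headers["Host"])
        if headers.get("X-Forwarded-Scheme", "https").lower() == "http":
            # "Upgrade" redirect built from attacker-controllable input.
            return 302, {"Location": f"https://{host}{path}"}
        return 200, {"Content-Type": "application/javascript"}


class Cache:
    """Cache keyed on path plus `keyed` headers; `strip` headers are dropped
    before they reach both the key computation and the origin."""

    def __init__(self, origin: Origin, keyed: Iterable[str] = ("Host",),
                 strip: Iterable[str] = ()) -> None:
        self.origin, self.keyed, self.strip = origin, tuple(keyed), set(strip)
        self.store: Dict[tuple, Response] = {}
        self.hits = 0

    def get(self, path: str, headers: Dict[str, str]) -> Response:
        headers = {k: v for k, v in headers.items() if k not in self.strip}
        key = (path,) + tuple(headers.get(h, "") for h in self.keyed)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = self.origin.handle(path, headers)
        self.store[key] = resp  # the lab's origin marks this cacheable
        return resp


def clean_client_sees(cache: Cache) -> Response:
    """First a request carrying the two headers, then a clean one from a
    normal visitor; returns what the clean visitor receives."""
    path = "/resources/js/tracking.js"  # assumed location of the script
    tainted = {"Host": "victim.example", "X-Forwarded-Scheme": "http",
               "X-Forwarded-Host": "attacker.example"}
    cache.get(path, tainted)
    return cache.get(path, {"Host": "victim.example"})


# Unkeyed headers: the clean visitor is served the cached 302 to attacker.example.
VULNERABLE = clean_client_sees(Cache(Origin()))
# Fix 1: include the influential headers in the key (no cross-user sharing).
KEYED = clean_client_sees(Cache(Origin(), keyed=("Host", "X-Forwarded-Scheme", "X-Forwarded-Host")))
# Fix 2: strip untrusted forwarding headers at the edge so they never reach the origin.
STRIPPED = clean_client_sees(Cache(Origin(), strip=("X-Forwarded-Scheme", "X-Forwarded-Host")))
```

Fix 2 is the stronger one: keying on the headers stops the cross-user sharing but still lets the origin emit an attacker-chosen redirect to whoever sends the headers.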

The lab is solved after a few seconds:

Lab solved!