Portswigger - Cache Poisoning with an Unkeyed Cookie

Author: squ4r00t (red teamer)

Web Cache Poisoning - This article is part of a series. Part 2: This Article

Lab Description

This lab is vulnerable to web cache poisoning because cookies aren’t included in the cache key. An unsuspecting user regularly visits the site’s home page. To solve this lab, poison the cache with a response that executes alert(1) in the visitor’s browser.

Access here

Solve

Intercepting the request to the homepage, we find a cookie fehost=prod-cache-01 that is reflected in the response inside a JavaScript object:

fehost cookie reflected

To exploit this, we can set the cookie value to prod-cache-01"}%3balert(1)%3b//, which breaks out of the string and the JavaScript object and injects our own code, alert(1).

Poisoning the cache
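To make the root cause concrete, here is an added Python model of the flaw and of the two fixes a defender would apply (this is illustrative code, not the lab's or PortSwigger's implementation). It assumes a simplified page template, that the origin URL-decodes cookie values, and a toy cache that either ignores the fehost cookie (as in the lab) or includes it in the cache key.

```python
from urllib.parse import unquote
import json

# The page's payload (URL-encoded so ';' survives cookie parsing).
PAYLOAD = 'prod-cache-01"}%3balert(1)%3b//'
DEFAULT_HOST = "prod-cache-01"


def parse_cookies(header: str) -> dict:
    """Split a Cookie header; assumption: the origin URL-decodes cookie values."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = unquote(value)
    return cookies


def origin_vulnerable(cookies: dict) -> str:
    # Constructed template: the cookie lands verbatim inside a JS object literal,
    # so a quote and brace in the value close the string and the object.
    host = cookies.get("fehost", DEFAULT_HOST)
    return '<script>data = {"host":"%s"}</script>' % host


def origin_fixed(cookies: dict) -> str:
    # json.dumps escapes the embedded quote, so the value stays a string literal.
    host = cookies.get("fehost", DEFAULT_HOST)
    return '<script>data = {"host":%s}</script>' % json.dumps(host)


class Cache:
    """Toy cache; key_on_cookie=True models adding fehost to the cache key."""

    def __init__(self, key_on_cookie: bool):
        self.key_on_cookie = key_on_cookie
        self.store = {}

    def fetch(self, path: str, cookies: dict, origin) -> str:
        key = (path, cookies.get("fehost") if self.key_on_cookie else None)
        if key not in self.store:  # cache miss: ask the origin and store the response
            self.store[key] = origin(cookies)
        return self.store[key]


def victim_sees(cache: Cache, origin) -> str:
    """Attacker poisons '/', then a victim with no fehost cookie requests it."""
    cache.fetch("/", parse_cookies("fehost=" + PAYLOAD), origin)
    return cache.fetch("/", parse_cookies("session=abc123"), origin)  # constructed victim cookie
```

With the unkeyed cache and the verbatim reflection the victim receives the attacker's script; keying on the cookie serves the victim a fresh response, and escaping the output leaves the reflected value inert even when the cache stays unkeyed.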

Going back to the homepage, we see that we solved the lab:

Lab solved!