Portswigger - Cache Poisoning with an Unknown Header
Lab Description
This lab is vulnerable to web cache poisoning. A victim user will view any comments that you post. To solve this lab, you need to poison the cache with a response that executes alert(document.cookie) in the visitor’s browser. However, you also need to make sure that the response is served to the specific subset of users to which the intended victim belongs.
Solve
Looking for unkeyed input with Param Miner, we find the X-Host header:

X-Host header found!
We then notice that this header controls the host from which the tracking.js script is loaded:

X-Host header effect on the response
We also notice that the User-Agent is part of the cache key (the cached response varies on it), so to target the victim we first need to know their User-Agent. Looking back at the lab description, we see:
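To make the mechanism concrete, here is an added toy model (not from the lab or PortSwigger) of a cache that keys on path plus User-Agent while the origin trusts the unkeyed X-Host header; the host names, User-Agent strings and script path are constructed, and the hardened variant simply ignores X-Host.

```python
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    headers: dict  # e.g. {"Host": ..., "User-Agent": ..., "X-Host": ...}


def render_page(req, trust_x_host):
    """Origin: builds the script URL from X-Host (the lab's defect) or Host (hardened)."""
    host = req.headers.get("X-Host") if trust_x_host else None
    host = host or req.headers["Host"]
    # Script path is constructed for this model.
    return f'<script src="//{host}/resources/js/tracking.js"></script>'


class Cache:
    """Cache keyed on path plus the headers named in `vary`; X-Host is not among them."""

    def __init__(self, vary=("User-Agent",)):
        self.vary = vary
        self.store = {}
        self.hits = 0

    def key(self, req):
        return (req.path,) + tuple(req.headers.get(h, "") for h in self.vary)

    def fetch(self, req, origin):
        k = self.key(req)
        if k in self.store:
            self.hits += 1
            return self.store[k]
        self.store[k] = origin(req)
        return self.store[k]


def simulate(trust_x_host):
    """Attacker primes the cache using the victim's UA; returns (victim body, other user's body)."""
    cache = Cache()
    origin = lambda r: render_page(r, trust_x_host)
    base = {"Host": "lab.example", "User-Agent": "Victim-UA/1.0"}  # constructed values
    attacker = Request("/", {**base, "X-Host": "attacker.example"})
    victim = Request("/", dict(base))
    other = Request("/", {"Host": "lab.example", "User-Agent": "Other-UA/2.0"})
    cache.fetch(attacker, origin)  # response built from X-Host is stored under the victim's key
    return cache.fetch(victim, origin), cache.fetch(other, origin)
```

With `trust_x_host=True` the victim's User-Agent key serves the attacker-controlled script host while other User-Agents are unaffected, which is exactly why the User-Agent had to be leaked first; with `trust_x_host=False` nothing the attacker sent survives into the cached body.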
A victim user will view any comments that you post.
Additionally, HTML is allowed in the comments:

HTML allowed!
So we can add an image to our comment whose source points to our exploit server, in order to leak the victim's User-Agent:

HTML comment to leak victim’s User-Agent
If we now check the Access log of the exploit server, we can find the victim's User-Agent:

Victim’s User-Agent
Now that we have it, we host a script that executes alert(document.cookie) on the exploit server and poison the cache by sending our request with the victim's User-Agent as our own and X-Host pointing at the exploit server:

Exploit Server Setup

Poisoning the cache
After a few seconds, the lab will be solved:

Lab solved!
