Web cache poisoning is a technique used by attackers to compromise a web application’s cache in order to inject malicious content or redirect traffic to a different location. Cache poisoning attacks are a serious threat to web applications, as they can be used to spread malware, steal user credentials, and perform other malicious activities.
In this article, we will discuss the concept of web cache poisoning, its impact on web applications, and provide a proof-of-concept (POC) of how an authorized user can perform a cache poisoning attack.
What us Web Cache Poisoning?
Web cache poisoning is a type of attack that targets the cache of a web application. The cache is a mechanism used by web applications to store frequently accessed content, such as images, videos, and static pages. When a user requests a resource from a web application, the cache checks if the resource is present in the cache. If the resource is present in the cache, it is served to the user without the need to fetch it from the server.
Web cache poisoning attacks involve injecting malicious content into the cache of a web application. This is achieved by manipulating the HTTP headers or parameters that control the caching behavior of the web application. By doing so, attackers can trick the web application into caching a malicious resource instead of the legitimate resource.
Impact of Web Cache Poisoning:
Web cache poisoning attacks can have a significant impact on web applications. For example, attackers can use this technique to:
- Inject malicious content: Attackers can inject malicious content into the cache of a web application, which can be served to unsuspecting users. This content can include malware, phishing pages, or other forms of malicious content.
- Redirect traffic: Attackers can redirect traffic to a different location by manipulating the HTTP headers or parameters that control the caching behavior of the web application. This can be used to redirect users to a phishing site or other malicious site.
- Steal user credentials: Attackers can steal user credentials by serving a phishing page from the cache of a web application. When a user enters their credentials into the phishing page, the attacker can capture them.
Proof of Concept :
To demonstrate this, I’m using portswigger Lab.
Steps to Reproduce :
- With Burp running, load the website’s home page
- In Burp, go to “Proxy” > “HTTP history” and study the requests and responses that you generated. Find the
GETrequest for the home page and send it to Burp Repeater.
- Add a cache-buster query parameter, such as
- Add the
X-Forwarded-Hostheader with an arbitrary hostname, such as
example.com, and send the request.
- Observe that the
- Replay the request and observe that the response contains the header
X-Cache: hit. This tells us that the response came from the cache.
- Go to the exploit server and change the file name to match the path used by the vulnerable response:
- In the body, enter the payload
alert(document.cookie)and store the exploit.
- Open the
GETrequest for the home page in Burp Repeater and remove the cache buster.
- Add the following header, remembering to enter your own exploit server ID:
- Send your malicious request. Keep replaying the request until you see your exploit server URL being reflected in the response and
X-Cache: hitin the headers.
- To simulate the victim, load the poisoned URL in the browser and make sure that the
alert()is triggered. Note that you have to perform this test before the cache expires. The cache on this lab expires every 30 seconds.
Free Account Takeover Labs
If you are searching for Account takeover labs that are free, then you can visit our website. We have beautiful Account takeover Labs in which you can gain good experience while completing the labs.
Account Takeover Labs Link: https://bepractical.tech/account-takeover-labs/
Join our telegram channel over here and stay updated with the latest trends going in cybersecurity.