Lab: Targeted web cache poisoning using an unknown header
This lab is vulnerable to web cache poisoning. A user visits the home page roughly once a minute. The user also views any comments you post. To solve this lab, you need to poison the cache with a response that executes alert(document.cookie) in the visitor's browser. However, you also need to make sure that the response is served to the specific subset of users to which the intended victim belongs.
Solving this lab requires multiple steps. First, you need to identify where the vulnerability is and study how the cache behaves. You then need to find a way of targeting the right subset of users before finally poisoning the cache accordingly.
- With Burp running, load the website's home page.
- In Burp, go to "Proxy" > "HTTP history" and study the requests and responses that you generated. Find the GET request for the home page.
- With the Param Miner extension enabled, right-click on the request and select "Guess headers". After a while, Param Miner will report that there is a secret input in the form of the X-Host header.
- Send the GET request to Burp Repeater and add a cache-buster query parameter.
- Add the X-Host header with an arbitrary hostname, such as
- Go to the exploit server and change the file name to match the path used by the vulnerable response:
- In the body, enter the payload alert(document.cookie) and store the exploit.
- Go back to the request in Burp Repeater and set the X-Host header as follows, remembering to add your own exploit server ID:
- Send the request until you see your exploit server URL reflected in the response and X-Cache: hit in the headers.
- To simulate the victim, load the URL in your browser and make sure that the
- Notice that the Vary header is used to specify that the User-Agent is part of the cache key. To target the victim, you need to find out their User-Agent.
- On the website, notice that the comment feature allows certain HTML tags. Post a comment containing a suitable payload to cause the victim's browser to interact with your exploit server, for example:
  <img src="https://your-exploit-server-id.web-security-academy.net/foo" />
- Go to the blog page and double-check that your comment was successfully posted.
- Go to the exploit server and click the button to open the "Access log". Refresh the page every few seconds until you see requests made by a different user. This is the victim. Copy their User-Agent from the log.
- Go back to your malicious request in Burp Repeater and paste the victim's User-Agent into the corresponding header. Remove the cache buster.
- Keep sending the request until you see your exploit server URL reflected in the response and X-Cache: hit in the headers.
- Replay the request to keep the cache poisoned until the victim visits the site and the lab is solved.
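The steps above depend on two cache properties: X-Host is an unkeyed input that changes the response body without changing the cache key, and Vary: User-Agent makes the User-Agent part of the key, so a poisoned entry only reaches users whose User-Agent matches the one it was stored under. The following Python model is an added example, not code from the lab or from PortSwigger's solution; the hostname lab.example, the script path /static/app.js, the attacker hostname and the User-Agent strings are all constructed. It runs the lab's sequence against a vulnerable origin and against a hardened one that ignores unrecognised host-override headers, which is the fix on the origin side (the alternative on the cache side is to include such headers in the cache key).

```python
"""Toy model of the cache behaviour this lab exercises (constructed example,
not the lab's code). A cache sits in front of an origin; it keys entries on
method + target plus any headers the origin names in Vary (here User-Agent),
so a header the cache does not key on (X-Host) can change a cached response
without changing its key."""
from dataclasses import dataclass, field

CANONICAL_HOST = "lab.example"     # assumed hostname of the site
SCRIPT_PATH = "/static/app.js"     # assumed path; stands in for the real script


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def vulnerable_origin(method, target, headers):
    """Unsafe: an unrecognised X-Host header overrides the hostname used to
    build an absolute script URL, so the attacker's host ends up in the body."""
    host = headers.get("X-Host") or headers.get("Host") or CANONICAL_HOST
    body = f'<script src="https://{host}{SCRIPT_PATH}"></script>'
    return Response(body, {"Vary": "User-Agent", "Cache-Control": "max-age=60"})


def hardened_origin(method, target, headers):
    """Fix: unrecognised host-override headers are ignored; only the
    configured hostname is ever used to build URLs."""
    body = f'<script src="https://{CANONICAL_HOST}{SCRIPT_PATH}"></script>'
    return Response(body, {"Vary": "User-Agent", "Cache-Control": "max-age=60"})


class Cache:
    """Minimal Vary-aware cache: primary key is (method, target); under it,
    one entry per distinct combination of the Vary headers' values."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def fetch(self, method, target, headers):
        primary = (method, target)
        for vary_values, resp in self.store.get(primary, []):
            if all(headers.get(h, "") == v for h, v in vary_values):
                return resp, "hit"
        resp = self.origin(method, target, headers)
        vary = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
        vary_values = tuple((h, headers.get(h, "")) for h in vary)
        self.store.setdefault(primary, []).append((vary_values, resp))
        return resp, "miss"


def run_scenario(origin, attacker_host="attacker.example"):
    """Replay the lab's sequence against the given origin and report what each
    party receives. Hostnames and User-Agent strings are constructed."""
    cache = Cache(origin)
    victim_ua, other_ua = "VictimBrowser/1.0", "OtherBrowser/2.0"
    base = {"Host": CANONICAL_HOST}

    # Probe with a cache buster: the reflection can be checked without
    # touching the entry that real users receive.
    probe, _ = cache.fetch("GET", "/?cb=1",
                           {**base, "User-Agent": victim_ua, "X-Host": attacker_host})
    probe_isolated = ("GET", "/") not in cache.store

    # The same request without the buster, carrying the victim's User-Agent,
    # populates the entry that shares the victim's cache key.
    cache.fetch("GET", "/", {**base, "User-Agent": victim_ua, "X-Host": attacker_host})

    # The victim sends no X-Host at all, but their key matches the stored entry.
    victim, victim_status = cache.fetch("GET", "/", {**base, "User-Agent": victim_ua})
    # A user with a different User-Agent has a different key and is unaffected.
    other, other_status = cache.fetch("GET", "/", {**base, "User-Agent": other_ua})

    return {
        "probe_reflected": attacker_host in probe.body,
        "probe_isolated": probe_isolated,
        "victim_status": victim_status,
        "victim_poisoned": attacker_host in victim.body,
        "other_status": other_status,
        "other_poisoned": attacker_host in other.body,
    }


if __name__ == "__main__":
    for name, origin in (("vulnerable", vulnerable_origin), ("hardened", hardened_origin)):
        print(name, run_scenario(origin))
```

Against the vulnerable origin the victim's request is a cache hit whose body carries the attacker's hostname while the other user, keyed under a different User-Agent, is untouched; against the hardened origin the victim still gets a cache hit, but the body only ever references the configured hostname. The probe_isolated flag is the reason the steps use a cache buster during reconnaissance: the busted request creates a separate entry and leaves the live one alone.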