Lab: Web cache poisoning with an unkeyed cookie
alert(1) in the visitor's browser.
- With Burp running, load the website's home page.
In Burp, go to "Proxy" > "HTTP history" and study the requests and responses that you generated. Notice that the first response you received sets the cookie
Reload the home page and observe that the value from the
- Send this request to Burp Repeater and add a cache-buster query parameter.
- Change the value of the cookie to an arbitrary string and resend the request. Confirm that this string is reflected in the response.
Place a suitable XSS payload in the
fehostcookie, for example:
Replay the request until you see the payload in the response and
X-Cache: hitin the headers.
Load the URL in the browser and confirm the
- Go back Burp Repeater, remove the cache buster, and replay the request to keep the cache poisoned until the victim visits the site and the lab is solved.