Lab: Cache key injection

EXPERT

This lab contains multiple independent vulnerabilities, including cache key injection. A user regularly visits this site's home page using Chrome.

To solve the lab, combine the vulnerabilities to execute alert(1) in the victim's browser. Note that you will need to make use of the Pragma: x-get-cache-key header in order to solve this lab.

Hint

Solving this lab requires an understanding of several other web vulnerabilities. If you're still having trouble solving it after several hours, we recommend completing all other topics on the Web Security Academy first.

Access the lab

Solution

Observe that the redirect at /login excludes the parameter utm_content from the cache key using a flawed regex. This allows you append arbitrary unkeyed content to the lang parameter:
/login?lang=en?utm_content=anything
Observe that the page at /login/ has an import from /js/localize.js. This is vulnerable to client-side parameter pollution via the lang parameter because it doesn't URL-encode the value.
Observe that the login page references an endpoint at /js/localize.js that is vulnerable to response header injection via the Origin request header, provided the cors parameter is set to 1.
Use the Pragma: x-get-cache-key header to identify that the server is vulnerable to cache key injection, meaning the header injection can be triggered via a crafted URL.
Combine these four behaviors by poisoning the cache with following two requests:
GET /js/localize.js?lang=en?utm_content=z&cors=1&x=1 HTTP/1.1 Origin: x%0d%0aContent-Length:%208%0d%0a%0d%0aalert(1)$$$$ GET /login?lang=en?utm_content=x%26cors=1%26x=1$$Origin=x%250d%250aContent-Length:%208%250d%250a%250d%250aalert(1)$$%23 HTTP/1.1
This will poison /login?lang=en such that it redirects to a login page with a poisoned localization import that executes alert(1), solving the lab.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

Web cache poisoning Exploiting cache design flaws Exploiting cache implementation flaws

The benefits of working through PortSwigger's Web Security Academy

Practise exploiting vulnerabilities on realistic targets.
Record your progression from Apprentice to Expert.
See where you rank in our Hall of Fame.

Already got an account? Login here

Lab: Cache key injection

Hint

Solution

In this topic

All topics

Find web cache poisoning vulnerabilities using Burp Suite

Register for free to track your learning progress