Lab: Cache key injection
This lab contains multiple independent vulnerabilities, including cache key injection. A user regularly visits this site's home page using Chrome.
To solve the lab, combine the vulnerabilities to execute alert(1) in the victim's browser. Note that you will need to make use of the Pragma: x-get-cache-key header in order to solve this lab.
Solving this lab requires an understanding of several other web vulnerabilities. If you're still having trouble solving it after several hours, we recommend completing all other topics on the Web Security Academy first.
Observe that the redirect at /login excludes the parameter utm_content from the cache key using a flawed regex. This allows you to append arbitrary unkeyed content to the
Observe that the page at /login/ has an import from /js/localize.js. This is vulnerable to client-side parameter pollution via the lang parameter because it doesn't URL-encode the value.
Observe that the login page references an endpoint at /js/localize.js that is vulnerable to response header injection via the Origin request header, provided the cors parameter is set to
Pragma: x-get-cache-key header to identify that the server is vulnerable to cache key injection, meaning the header injection can be triggered via a crafted URL.
Combine these four behaviors by poisoning the cache with the following two requests:
GET /js/localize.js?lang=en?utm_content=z&cors=1&x=1 HTTP/1.1
GET /login?lang=en?utm_content=x%26cors=1%26x=1$$Origin=x%250d%250aContent-Length:%208%250d%250a%250d%250aalert(1)$$%23 HTTP/1.1
This will poison /login?lang=en such that it redirects to a login page with a poisoned localization import that executes alert(1), solving the lab.
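Each of the four behaviors combined above has a defensive counterpart, shown here as an added example that is not code from the lab or from PortSwigger: a cache key built from a parsed query (so unkeyed parameters are dropped by name rather than by regex and header values stay in their own key field), a localize.js import URL that percent-encodes lang, and an Origin reflection gated by an allow-list and a CR/LF check. The allow-listed origin, the set of unkeyed parameter names and the helper names are assumptions.

```python
"""Hypothetical server-side helpers; the allow-list and parameter set are
constructed for this example and are not the lab's own configuration."""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl, urlencode, quote

UNKEYED_PARAMS = {"utm_content"}            # tracking params ignored by the cache
ALLOWED_ORIGINS = {"https://example.com"}   # constructed CORS allow-list
CTL = re.compile(r"[\r\n\x00]")             # characters that would split headers


def cache_key(url: str, origin: Optional[str] = None) -> tuple:
    """Return a structured cache key: (path, canonical query, keyed origin).

    The query is parsed into name/value pairs before anything is removed, so a
    '?' or '%26' that is merely part of a value (e.g. lang=en?utm_content=x)
    stays inside that value and is re-encoded; it never becomes a separate
    parameter that a regex could strip. Components are separate tuple fields
    rather than a string joined with a delimiter, so a header value cannot
    inject an extra key component."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in UNKEYED_PARAMS]
    canonical_query = urlencode(sorted(pairs))
    keyed_origin = origin if origin in ALLOWED_ORIGINS else None
    return (parts.path, canonical_query, keyed_origin)


def localize_import_url(lang: str) -> str:
    """Percent-encode lang so reserved characters cannot add parameters."""
    return "/js/localize.js?lang=" + quote(lang, safe="")


def cors_headers(origin: Optional[str]) -> dict:
    """Reflect Origin only when allow-listed and free of CR/LF/NUL."""
    if not origin or CTL.search(origin) or origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```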