-
Observe that every page imports the script
/js/geolocate.js, executing the callback functionsetCountryCookie(). Send the requestGET /js/geolocate.js?callback=setCountryCookieto Burp Repeater. -
Notice that you can control the name of the function that is called in the response by passing in a duplicate
callbackparameter via the request body. Also notice that the cache key is still derived from the originalcallbackparameter in the request line:GET /js/geolocate.js?callback=setCountryCookie … callback=arbitraryFunction HTTP/1.1 200 OK X-Cache-Key: /js/geolocate.js?callback=setCountryCookie … arbitraryFunction({"country" : "United Kingdom"}) -
Send the request again, but this time pass in
alert(1)as the callback function. Check that you can successfully poison the cache. - Remove any cache busters and re-poison the cache. The lab will solve when the victim user visits any page containing this resource import URL.
Lab: Web cache poisoning via a fat GET request
This lab is vulnerable to web cache poisoning. It accepts GET requests that have a body, but does not include the body in the cache key. A user regularly visits this site's home page using Chrome.
To solve the lab, poison the cache with a response that executes alert(1) in the victim's browser.
