The website excludes a certain UTM analytics parameter.
Lab: Parameter cloaking
This lab is vulnerable to web cache poisoning because it excludes a certain parameter from the cache key. There is also inconsistent parameter parsing between the cache and the back-end. A user regularly visits this site's home page using Chrome.
To solve the lab, use the parameter cloaking technique to poison the cache with a response that executes alert(1)
in the victim's browser.
Hint
Solution
-
Identify that the
utm_content
parameter is supported. Observe that it is also excluded from the cache key. -
Notice that if you use a semicolon (
;
) to append another parameter toutm_content
, the cache treats this as a single parameter. This means that the extra parameter is also excluded from the cache key. Alternatively, with Param Miner loaded, right-click on the request and select "Bulk scan" > "Rails parameter cloaking scan" to identify the vulnerability automatically. -
Observe that every page imports the script
/js/geolocate.js
, executing the callback functionsetCountryCookie()
. Send the requestGET /js/geolocate.js?callback=setCountryCookie
to Burp Repeater. -
Notice that you can control the name of the function that is called on the returned data by editing the
callback
parameter. However, you can't poison the cache for other users in this way because the parameter is keyed. -
Study the cache behavior. Observe that if you add duplicate
callback
parameters, only the final one is reflected in the response, but both are still keyed. However, if you append the secondcallback
parameter to theutm_content
parameter using a semicolon, it is excluded from the cache key and still overwrites the callback function in the response:GET /js/geolocate.js?callback=setCountryCookie&utm_content=foo;callback=arbitraryFunction HTTP/1.1 200 OK X-Cache-Key: /js/geolocate.js?callback=setCountryCookie … arbitraryFunction({"country" : "United Kingdom"})
-
Send the request again, but this time pass in
alert(1)
as the callback function:GET /js/geolocate.js?callback=setCountryCookie&utm_content=foo;callback=alert(1)
-
Get the response cached, then load the home page in the browser. Check that the
alert()
is triggered. - Replay the request to keep the cache poisoned. The lab will solve when the victim user visits any page containing this resource import URL.
Community solutions
Jarno Timmermans
Intigriti
Register for free to track your learning progress
-
Practise exploiting vulnerabilities on realistic targets.
-
Record your progression from Apprentice to Expert.
-
See where you rank in our Hall of Fame.
Already got an account? Login here