Websites often exclude certain UTM analytics parameters from the cache key.
Lab: Web cache poisoning via an unkeyed query parameter
This lab is vulnerable to web cache poisoning because it excludes a certain parameter from the cache key. A user regularly visits this site's home page using Chrome.
To solve the lab, poison the cache with a response that executes
alert(1) in the victim's browser.
- Observe that the home page is a suitable cache oracle. Notice that you get a cache miss whenever you change the query string. This indicates that it is part of the cache key. Also notice that the query string is reflected in the response.
- Add a cache-buster query parameter.
Use Param Miner's "Guess GET parameters" feature to identify that the parameter
utm_contentis supported by the application.
- Confirm that this parameter is unkeyed by adding it to the query string and checking that you still get a cache hit. Keep sending the request until you get a cache miss. Observe that this unkeyed parameter is also reflected in the response along with the rest of the query string.
Send a request with a
utm_contentparameter that breaks out of the reflected string and injects an XSS payload:
Once your payload is cached, remove the
utm_contentparameter, right-click on the request, and select "Copy URL". Open this URL in the browser and check that the
alert()is triggered when you load the page.
Remove your cache buster, re-add the
utm_contentparameter with your payload, and replay the request until the cache is poisoned for normal users. The lab will be solved when the victim user visits the poisoned home page.