Lab: Web cache poisoning via an unkeyed query parameter

PRACTITIONER

This lab is vulnerable to web cache poisoning because it excludes a certain parameter from the cache key. A user regularly visits this site's home page using Chrome.

To solve the lab, poison the cache with a response that executes alert(1) in the victim's browser.

Hint

Websites often exclude certain UTM analytics parameters from the cache key.

Access the lab

Solution

Observe that the home page is a suitable cache oracle. Notice that you get a cache miss whenever you change the query string. This indicates that it is part of the cache key. Also notice that the query string is reflected in the response.
Add a cache-buster query parameter.
Use Param Miner's "Guess GET parameters" feature to identify that the parameter utm_content is supported by the application.
Confirm that this parameter is unkeyed by adding it to the query string and checking that you still get a cache hit. Keep sending the request until you get a cache miss. Observe that this unkeyed parameter is also reflected in the response along with the rest of the query string.
Send a request with a utm_content parameter that breaks out of the reflected string and injects an XSS payload:
GET /?utm_content='/><script>alert(1)</script>
Once your payload is cached, remove the utm_content parameter, right-click on the request, and select "Copy URL". Open this URL in the browser and check that the alert() is triggered when you load the page.
Remove your cache buster, re-add the utm_content parameter with your payload, and replay the request until the cache is poisoned for normal users. The lab will be solved when the victim user visits the poisoned home page.

Want to track your progress and have a more personalized learning experience? (It's free!)

In this topic

Web cache poisoning Exploiting cache design flaws Exploiting cache implementation flaws

The benefits of working through PortSwigger's Web Security Academy

Practise exploiting vulnerabilities on realistic targets.
Record your progression from Apprentice to Expert.
See where you rank in our Hall of Fame.

Already got an account? Login here

Lab: Web cache poisoning via an unkeyed query parameter

Hint

Solution

In this topic

All topics

Find web cache poisoning vulnerabilities using Burp Suite

Register for free to track your learning progress