Lab: Web cache poisoning with an unkeyed cookie
This lab is vulnerable to
alert(1) in the visitor's browser.
With Burp running, load the website's home page.
In Burp, go to "Proxy" > "HTTP history" and study the requests and responses that you generated. Notice that the first response you received sets the cookie
Reload the home page and observe that the value from the
Send this request to Burp Repeater and add a cache buster query parameter.
Change the value of the cookie to an arbitrary string and resend the request. Confirm that this string is reflected in the response.
Place a suitable XSS payload in the fehost cookie, for example:
Replay the request until you see the payload in the response and X-Cache: hit in the headers.
Load the URL in your browser and confirm the
Go back to Burp Repeater, remove the cache buster, and replay the request to keep the cache poisoned until the victim visits the site and the lab is solved.
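The caching behaviour these steps depend on, as an added example that is not part of the original lab text or PortSwigger's code: a minimal Python model of a cache whose key ignores the fehost cookie, beside one that includes it. The origin function, the Cache class, the default cookie value and the marker string are all constructed for illustration.

```python
# Added illustration: a toy cache in front of an origin that reflects a cookie.
# Everything here is constructed; it models the behaviour, not the lab itself.

def origin(path, cookies):
    """Constructed origin: echoes the fehost cookie into the page body."""
    fehost = cookies.get("fehost", "prod-cache-01")  # default value is made up
    return f"<p>frontend: {fehost}</p>"

class Cache:
    def __init__(self, backend, keyed_cookies=()):
        self.backend = backend
        self.keyed_cookies = tuple(keyed_cookies)  # cookies included in the key
        self.store = {}

    def cache_key(self, path, cookies):
        # Only the path and the listed cookies distinguish one entry from another.
        keyed = tuple((name, cookies.get(name)) for name in self.keyed_cookies)
        return (path, keyed)

    def get(self, path, cookies=None):
        cookies = cookies or {}
        key = self.cache_key(path, cookies)
        if key in self.store:
            return self.store[key], "hit"
        body = self.backend(path, cookies)  # origin sees ALL cookies, keyed or not
        self.store[key] = body
        return body, "miss"

def second_visitor_sees_first_cookie(cache, path="/"):
    """True if a response built from one client's cookie is served to another."""
    marker = "MARKER-123"  # benign constructed value standing in for cookie input
    cache.get(path, {"fehost": marker})   # first client primes the cache
    body, status = cache.get(path, {})    # second client sends no fehost cookie
    return status == "hit" and marker in body

if __name__ == "__main__":
    unkeyed = Cache(origin)                          # cookie ignored by the key
    keyed = Cache(origin, keyed_cookies=["fehost"])  # cookie part of the key
    print("unkeyed cookie leaks across visitors:", second_visitor_sees_first_cookie(unkeyed))
    print("keyed cookie leaks across visitors:  ", second_visitor_sees_first_cookie(keyed))
```

Adding the cookie to the cache key is one fix; the other is for the origin to stop reflecting the cookie value, or to encode it, so that a cached copy carries nothing client-controlled.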