Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Web cache poisoning with an unkeyed cookie

PRACTITIONER

This lab is vulnerable to web cache poisoning because cookies aren't included in the cache key. An unsuspecting user regularly visits the site's home page. To solve this lab, poison the cache with a response that executes alert(1) in the visitor's browser.

ACCESS THE LAB

Solution

  1. With Burp running, load the website's home page.
  2. In Burp, go to "Proxy" > "HTTP history" and study the requests and responses that you generated. Notice that the first response you received sets the cookie fehost=prod-cache-01.
  3. Reload the home page and observe that the value from the fehost cookie is reflected inside a double-quoted JavaScript object in the response.
  4. Send this request to Burp Repeater and add a cache-buster query parameter.
  5. Change the value of the cookie to an arbitrary string and resend the request. Confirm that this string is reflected in the response.

  6. Place a suitable XSS payload in the fehost cookie, for example:

    fehost=someString"-alert(1)-"someString
  7. Replay the request until you see the payload in the response and X-Cache: hit in the headers.
  8. Load the URL in the browser and confirm the alert() fires.
  9. Go back Burp Repeater, remove the cache buster, and replay the request to keep the cache poisoned until the victim visits the site and the lab is solved.

Community solutions

Michael Sommer (no audio)

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find web cache poisoning vulnerabilities using Burp Suite

Try for free