This lab is vulnerable to web cache poisoning because it handles input from an unkeyed header in an unsafe way. A user visits the homepage roughly once every minute. To solve this lab, poison the cache with a response that executes alert(document.cookie) in the visitor's browser.
Tip: This lab supports the
GET request for the home page and send it to Burp Repeater.
X-Forwarded-Host header with an arbitrary hostname, such as example.com, and send the request.
X-Cache: hit. This tells us that the response came from the cache.
alert(document.cookie) and store the exploit.
GET request for the home page in Burp Repeater and remove the cache buster.
X-Cache: hit in the headers.
alert() is triggered. Note that you have to perform this test before the cache expires. The cache on this lab expires every 30 seconds.
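The root cause behind these steps, as an added example that is not part of the original lab: a toy model of a cache that does not key X-Forwarded-Host in front of an origin that reflects it, next to two mitigations (an origin-side allow-list, and adding the header to the cache key). The hostname shop.example, the /static/app.js path and the Cache class are constructed for illustration.

```python
from html import escape

DEFAULT_HOST = "shop.example"   # constructed: the site's real hostname
TRUSTED_HOSTS = {DEFAULT_HOST}  # constructed allow-list

def render(headers, harden=False):
    """Origin page that builds a script URL from X-Forwarded-Host."""
    host = headers.get("X-Forwarded-Host", DEFAULT_HOST)
    if harden and host not in TRUSTED_HOSTS:
        host = DEFAULT_HOST  # mitigation 1: ignore untrusted overrides
    return f'<script src="//{escape(host, quote=True)}/static/app.js"></script>'

class Cache:
    """Stores one response per cache key; the path is always keyed."""
    def __init__(self, origin, keyed_headers=()):
        self.origin = origin
        self.keyed_headers = keyed_headers  # mitigation 2: add headers to the key
        self.store = {}

    def get(self, path, headers):
        key = (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)
        if key in self.store:
            return self.store[key], "hit"
        body = self.origin(headers)
        self.store[key] = body
        return body, "miss"

def simulate(harden=False, keyed_headers=()):
    """One request carrying the header, then an ordinary visitor's request."""
    cache = Cache(lambda h: render(h, harden), keyed_headers)
    cache.get("/", {"X-Forwarded-Host": "example.com"})
    return cache.get("/", {})

if __name__ == "__main__":
    for label, kwargs in [
        ("unkeyed and reflected", {}),
        ("origin allow-list", {"harden": True}),
        ("header in cache key", {"keyed_headers": ("X-Forwarded-Host",)}),
    ]:
        body, status = simulate(**kwargs)
        print(f"{label:22} X-Cache: {status:4} {body}")
```

Only the first configuration serves the visitor a cached page that references example.com; with the allow-list the cached copy is clean, and with the header keyed the visitor's request misses the poisoned entry entirely.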