This lab contains a web cache poisoning vulnerability that is only exploitable when you use multiple headers to craft a malicious request. A user visits the home page roughly once a minute. To solve this lab, poison the cache with a response that executes alert(document.cookie) in the visitor's browser.
Tip: This lab supports both the X-Forwarded-Host and X-Forwarded-Scheme headers.

Solution:

1. Find the GET request for the JavaScript file /resources/js/tracking.js and send it to Burp Repeater.
2. Add the X-Forwarded-Host header with an arbitrary hostname, such as example.com. Notice that this doesn't seem to have any effect on the response.
3. Remove the X-Forwarded-Host header and add the X-Forwarded-Scheme header instead. Notice that if you include any value other than HTTPS, you receive a 302 response. The Location header shows that you are being redirected to the same URL that you requested, but using HTTPS.
4. Add the X-Forwarded-Host: example.com header back to the request, but keep X-Forwarded-Scheme: nothttps as well. Send this request and notice that the Location header of the 302 redirect now points to the example.com host.
5. On the exploit server, enter the payload alert(document.cookie) and store the exploit.
6. Set the X-Forwarded-Host header to your exploit server's hostname, remembering to enter your own exploit server ID.
7. Make sure the X-Forwarded-Scheme header is set to anything other than HTTPS.
8. Resend the request until you see X-Cache: hit in the headers.
9. Load the cached URL in the browser to confirm the poisoned response contains your payload, alert(document.cookie). Note that the alert() won't actually execute here.
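The interaction the steps above rely on, as an added model that is not part of the lab or PortSwigger's code: the origin derives its redirect from two unkeyed headers (X-Forwarded-Scheme decides whether to redirect, X-Forwarded-Host decides where), while the cache keys only on the path, so one poisoned response is served to every later visitor of that script. The origin behaviour, the cache, and the hostnames are constructed for illustration; the hardened variant shows that including the forwarding headers in the cache key stops the victim from receiving the poisoned entry.

```python
from urllib.parse import urlparse

def origin(path, headers, host="lab.example"):
    """Constructed origin: any X-Forwarded-Scheme other than https triggers a 302
    to the same path over https, using X-Forwarded-Host (if present) as the host."""
    scheme = headers.get("X-Forwarded-Scheme", "https").lower()
    if scheme != "https":
        target_host = headers.get("X-Forwarded-Host", host)
        return 302, {"Location": f"https://{target_host}{path}"}, b""
    return 200, {}, b"/* real tracking.js */"

class Cache:
    """Cache keyed on the path plus whichever request headers are listed in
    keyed_headers. The default (no headers) reproduces the lab's weakness."""
    def __init__(self, keyed_headers=()):
        self.keyed_headers = tuple(keyed_headers)
        self.store = {}

    def key(self, path, headers):
        return (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)

    def get(self, path, headers):
        k = self.key(path, headers)
        if k in self.store:
            status, resp_headers, body = self.store[k]
            return status, {**resp_headers, "X-Cache": "hit"}, body
        status, resp_headers, body = origin(path, headers)
        self.store[k] = (status, resp_headers, body)
        return status, {**resp_headers, "X-Cache": "miss"}, body

def victim_redirect_host(cache, poison_headers, path="/resources/js/tracking.js"):
    """Send the crafted request once, then fetch as a plain victim (no forwarding
    headers). Returns the host the victim is redirected to, or None if not redirected."""
    cache.get(path, poison_headers)
    status, resp, _ = cache.get(path, {})
    if status == 302:
        return urlparse(resp["Location"]).hostname
    return None

# Constructed request headers matching the lab's two-header technique.
POISON = {"X-Forwarded-Scheme": "nothttps", "X-Forwarded-Host": "attacker.example"}

if __name__ == "__main__":
    print(victim_redirect_host(Cache(), POISON))  # attacker.example (poisoned)
    hardened = Cache(("X-Forwarded-Scheme", "X-Forwarded-Host"))
    print(victim_redirect_host(hardened, POISON))  # None (victim gets a fresh 200)
```

Keying on the headers is the minimal fix the model demonstrates; in practice the edge should also strip client-supplied X-Forwarded-* headers before they reach the origin.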