Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria

Description

This lab contains a DOM-based vulnerability that can be exploited as part of a web cache poisoning attack. A user visits the home page roughly once a minute. The cache used by this lab has stricter criteria for deciding which responses are cacheable, so a study of the cache behaviour is necessary.

Reproduction and proof of concept

  1. With Burp running, open the website’s home page.

  2. In Burp, go to Proxy -> HTTP history and study the requests and responses that you generated. Find the GET request for the home page and send it to Burp Repeater.

  3. Use Param Miner to identify that the X-Forwarded-Host header is supported.

Web cache poisoning

Web cache poisoning

  1. Add a cache buster to the request, as well as the X-Forwarded-Host header with an arbitrary hostname, such as example.com. Notice that this header overwrites the data.host variable, which is passed into the initGeoLocate() function.

Web cache poisoning

  1. Study the initGeoLocate() function in /resources/js/geolocate.js and notice that it is vulnerable to DOM-XSS due to the way it handles the incoming JSON data.

Web cache poisoning

Web cache poisoning

  1. Go to the exploit server and change the file name to match the path used by the vulnerable response /resources/json/geolocate.json; In the head, add the header Access-Control-Allow-Origin: * to enable CORS; In the body, add a malicious JSON object that matches the one used by the vulnerable website. However, replace the value with a suitable XSS payload:

Web cache poisoning

  1. Store the exploit.

  2. Back in Burp, find the request for the home page and send it to Burp Repeater.

  3. In Burp Repeater, change the X-Forwarded-Host header value to that of the exploit server.

  4. Send the request until you see your exploit server URL reflected in the response and X-Cache: hit in the headers.

Web cache poisoning

If this does not work, notice that the response contains the Set-Cookie header. Responses containing this header are not cacheable on this site. Reload the home page to generate a new request, which should have a session cookie already set.

1Send this new request to Burp Repeater and repeat the steps above until you successfully poison the cache.

Web cache poisoning

  1. Remove the buster, and to simulate the victim, load the URL in the browser and make sure that the alert() fires.

Web cache poisoning

  1. Replay the request to keep the cache poisoned until the victim visits the site and the lab is solved.

Web cache poisoning

Exploitability

An attacker will need to use the X-Forwarded-Host header value to poison the cache with a response that executes alert(document.cookie) in the visitor’s browser.