Web Cache Poisoning

Introduction

Using this technique, an attacker can manipulate a web cache to serve poisoned content to anyone who requests it. The attack relies on the ability to poison a caching proxy run by the application itself, by a CDN, or by another downstream provider. As a result, the victim has no control over whether they receive the malicious content when requesting the vulnerable application.

GET / HTTP/1.1
Host: www.attacker.com
[...]

The following will be served from the web cache when a victim visits the vulnerable application.

[...]
<link src="http://www.attacker.com/link" />
[...]
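
The sequence above can be reproduced in an in-memory model that shows why validating the Host header at the origin stops the poisoned entry from being stored. This is an added example, not code from the original page. It assumes a cache that keys on the request path only and an origin that builds absolute links from the Host header; www.example.com and all function and class names are hypothetical.

```python
# Added illustration: in-memory model, no network traffic. All names are hypothetical.
CANONICAL_HOST = "www.example.com"      # assumed site name, not from the page
ALLOWED_HOSTS = {CANONICAL_HOST}


def origin_reflecting(host):
    """Vulnerable origin: builds an absolute URL from the client-supplied Host."""
    return 200, f'<link src="http://{host}/link" />'


def origin_hardened(host):
    """Hardened origin: rejects unknown hosts; links use the configured name."""
    if host.lower() not in ALLOWED_HOSTS:
        return 400, "Bad Request"
    return 200, f'<link src="http://{CANONICAL_HOST}/link" />'


class PathKeyedCache:
    """Assumed cache whose key is the path only, so Host is an unkeyed input."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def get(self, path, host):
        if path in self.store:
            return self.store[path]          # served without consulting the origin
        status, body = self.origin(host)
        if status == 200:                    # only successful responses are cached
            self.store[path] = (status, body)
        return status, body


def replay(origin):
    """Replay the page's sequence: forged Host first, then a normal visitor."""
    cache = PathKeyedCache(origin)
    cache.get("/", "www.attacker.com")
    return cache.get("/", CANONICAL_HOST)


if __name__ == "__main__":
    print("reflecting origin:", replay(origin_reflecting))
    print("hardened origin:  ", replay(origin_hardened))
```

With the reflecting origin the second visitor receives the attacker's link from the cache. With the hardened origin the forged request gets a 400 that is never cached, so the visitor receives the canonical link.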

