Web cache poisoning

Web cache poisoning is an advanced technique whereby an attacker exploits the behaviour of a web server and cache so that a harmful HTTP response is served to other users.
A poisoned web cache can potentially be a devastating means of distributing numerous different attacks, exploiting vulnerabilities such as XSS, JavaScript injection, open redirection, and so on.
It is still found in web apps that sit behind CDNs, reverse proxies, or other caching layers.
It remains a threat for three reasons: caching systems are complex and easily misconfigured (Varnish, Cloudflare, Fastly, etc.); attackers chain techniques to poison at scale (HTTP Request Smuggling + Cache Poisoning); and unkeyed inputs exist, i.e. headers such as X-Forwarded-Host that change the response but are not part of the cache key, so a single poisoned response is served to every client whose request matches that key.
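As an added illustration (not part of the original page), the toy model below shows why a header the cache does not key on can poison the cached response, and two edge-side mitigations: including the header in the cache key, or stripping it before the origin sees it. The hostnames and the origin's habit of trusting X-Forwarded-Host are constructed for the example.

```python
"""Toy model of a caching reverse proxy in front of an origin that reflects
X-Forwarded-Host. Constructed example; not the behaviour of any real product."""

from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)


def origin(req: Request) -> str:
    """Origin app that trusts X-Forwarded-Host to build an absolute script URL.
    This is the application-side mistake that makes the header dangerous."""
    base = req.headers.get("X-Forwarded-Host", req.host)
    return f'<script src="https://{base}/static/app.js"></script>'


@dataclass
class Cache:
    keyed_headers: tuple = ()   # headers that form part of the cache key
    strip_headers: tuple = ()   # headers removed at the edge before the origin
    store: dict = field(default_factory=dict)

    def key(self, req: Request) -> tuple:
        extra = tuple(req.headers.get(h, "") for h in self.keyed_headers)
        return (req.method, req.host, req.path) + extra

    def fetch(self, req: Request):
        """Return (body, cache_hit); on a miss, ask the origin and store the body."""
        k = self.key(req)
        if k in self.store:
            return self.store[k], True
        clean = Request(req.method, req.host, req.path,
                        {h: v for h, v in req.headers.items() if h not in self.strip_headers})
        body = origin(clean)
        self.store[k] = body
        return body, False


def scenario(cache: Cache):
    """One request carrying X-Forwarded-Host, then a plain request from another client.
    Returns what the plain request received and whether it came from the cache."""
    tainted = Request("GET", "shop.example", "/", {"X-Forwarded-Host": "untrusted.example"})
    cache.fetch(tainted)
    return cache.fetch(Request("GET", "shop.example", "/"))
```

With the default `Cache()` the second client receives the script tag pointing at `untrusted.example` straight from the cache; with the header keyed or stripped it does not.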
Test cases to try if the app uses caching layers:
- Web cache poisoning with an unkeyed header
- Web cache poisoning with an unkeyed cookie
- Web cache poisoning with multiple headers
- Targeted web cache poisoning using an unknown header
- Web cache poisoning via an unkeyed query string
- Web cache poisoning via an unkeyed query parameter
- Parameter cloaking
- Web cache poisoning via a fat GET request
- URL normalisation
- Web cache poisoning to exploit a DOM vulnerability via a cache with strict cacheability criteria
- Combining web cache poisoning vulnerabilities
- Cache key injection
- Internal cache poisoning
Last update: 2025-05-12 14:16