Web cache poisoning with an unkeyed cookie¶

Description¶

This lab is vulnerable to web cache poisoning because cookies aren’t included in the cache key. An unsuspecting user regularly visits the site’s home page.

Reproduction and proof of concept¶

1. With Burp running, load the website’s home page.

2. In Burp, go to Proxy -> HTTP history and study the requests and responses generated. Notice that the first response received sets the cookie fehost=prod-cache-01.

3. Reload the home page and observe that the value from the fehost cookie is reflected inside a double-quoted JavaScript object in the response.

<script>
    data = {
        "host":"0a500060032ac28dc2a811090016009c.web-security-academy.net",
        "path":"/",
        "frontend":"prod-cache-01"
    }
</script>

4. Send the request to Burp Repeater and add a cache-buster query parameter, such as ?cb=1234.

5. Change the value of the cookie to an arbitrary string and resend the request. Confirm that this string is reflected in the response.

6. Place a suitable XSS payload in the fehost cookie, for example:

fehost=someString"-alert(1)-"someString

7. Replay the request until you see the payload in the response and X-Cache: hit in the headers.

8. Load the URL in your browser and confirm the alert() fires.

9. Go back Burp Repeater, remove the cache buster, and replay the request to keep the cache poisoned until the victim visits the site and the lab is solved.

Exploitability¶

An attacker will need to poison the cache with a response that executes alert(1) in the visitor’s browser.