Web cache poisoning via an unkeyed query parameter
This lab is vulnerable to web cache poisoning because it excludes a certain parameter from the cache key. A user regularly visits this site’s home page using Chrome.
Reproduction and proof of concept
Observe that the home page is a suitable cache oracle. Notice that you get a cache miss whenever you change the query string. This indicates that it is part of the cache key. Also notice that the query string is reflected in the response.
Add a cache-buster query parameter.
Use Param Miner’s Guess GET parameters feature to identify that the parameter
utm_contentis supported by the application.
Confirm that this parameter is unkeyed by adding it to the query string and checking that you still get a cache hit. Keep sending the request until you get a cache miss. Observe that this unkeyed parameter is also reflected in the response along with the rest of the query string.
Send a request with a
utm_contentparameter that breaks out of the reflected string and injects an XSS payload:
Once your payload is cached, remove the
utm_contentparameter, right-click on the request, and select “Copy URL”. Open this URL in your browser and check that the
alert()is triggered when you load the page.
Remove your cache buster, re-add the
utm_contentparameter with your payload, and replay the request until the cache is poisoned for normal users. The lab will be solved when the victim user visits the poisoned home page
An attacker will need to poison the cache with a response that executes
alert(1) in the victim’s browser.