Cache Poisoning
Check if the server is caching requests. You can tell by looking at the response headers for the words HIT or DYNAMIC.
Cloudflare caches content based on MIME type only; Akamai accepts headers.
Before starting to test for web cache vulnerabilities, you need to make sure that every request has a different cache key.
Cache Buster
A technique used to force the cache server to load the most recent version of a response from the web server.
Vary Header
The Vary header is a response header that tells us which header or headers from the request are used to make the cache key.
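Putting the three notes above together, here is an added example (not part of the original notes) that reads a response's caching headers, lists the request headers named in Vary, derives the resulting cache key, and appends a cache buster. The header names are the standard ones (X-Cache, CF-Cache-Status, Age, Vary); the request and response values are constructed.

```python
# Added example: inspect caching headers and derive the Vary-aware cache key.
# Sample inputs are constructed; header names are the standard ones.
import uuid
from urllib.parse import urlencode, urlsplit

CACHE_STATUS_HEADERS = ("x-cache", "cf-cache-status")


def cache_status(resp_headers):
    """Return HIT, MISS, DYNAMIC (not cacheable), EXPIRED, BYPASS or UNKNOWN."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    for name in CACHE_STATUS_HEADERS:
        if name in h:
            value = h[name].upper()
            for word in ("HIT", "MISS", "DYNAMIC", "EXPIRED", "BYPASS"):
                if word in value:
                    return word
    if "age" in h:  # an Age header means an upstream cache served the response
        return "HIT"
    return "UNKNOWN"


def varied_headers(resp_headers):
    """Request header names listed in Vary, lowercased ('*' means uncacheable)."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    return [v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()]


def cache_key(method, url, req_headers, resp_headers):
    """The tuple a Vary-aware cache keys on: method, host, path, query and only
    the request headers named in Vary. Any other request header the origin
    reflects into the response is unkeyed, which is the risk described above."""
    parts = urlsplit(url)
    req = {k.lower(): v for k, v in req_headers.items()}
    keyed = tuple((n, req.get(n, "")) for n in varied_headers(resp_headers))
    return (method.upper(), parts.netloc.lower(), parts.path, parts.query, keyed)


def cache_buster(url):
    """Append a unique query parameter so each test request has its own key."""
    sep = "&" if urlsplit(url).query else "?"
    return url + sep + urlencode({"cb": uuid.uuid4().hex})


if __name__ == "__main__":
    resp = {"X-Cache": "Hit from cloudfront", "Vary": "Accept-Encoding"}
    print(cache_status(resp), varied_headers(resp))
    print(cache_key("GET", "https://example.com/profile?x=1", {}, resp))
```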
Trigger Cache
- /profile.css
- /profile/nonexistent.css
- /profile?nonexistent
- /profile/x.jpeg?nonexistent
- /profile\x.jpeg?nonexistent
- /profile/.js
- /profile/;.js
- Add a \: header
Stored XSS
Find an endpoint that reflects content into the page (cookies, parameters, headers, ...) and store it by poisoning the cache.
FAT Cache
Sometimes a parameter sent in the body of a GET request overrides the URL parameter and gets cached:
GET /path/to/place?param=content
...HEADERS...
param=content_changed
Next.js
Send x-middleware-prefetch: 1 to poison a page with empty data - CVE-2023-46298
Send Rsc: 1
Path Traversal
Can ../, ..%2F, %2E%2E%2F, etc. be used?
List of cachable extensions
7z, apk, avi, avif, bin, bmp, bz2, class, css, csv, dmg, doc, docx, ejs, eot, eps, exe, flac, gif, gz,
ico, iso, jar, jpeg, jpg, js, mid, midi, mkv, mp3, mp4, ogg, otf, pdf, pict, pls, png, ppt, pptx, ps,
rar, svg, svgz, swf, tar, tif, tiff, ttf, webm, webp, woff, woff2, xls, xlsx, zip, zst