Web Cache Poisoning

Last modified: 2023-06-11


Reflected XSS with Cache Poisoning

If the website reflects our arbitrary path in the result such as below.


# Output in the 404 page
Page not found: /xyz

We may try XSS as below.


If we use Burp Repeater to send the request above, the URL won't be normalized so leads the reflected XSS. Then the cache will be poisoned. In this state, if you ask the victim to visit this URL, they will see this cached result. In other words, the reflected XSS is performed despite URL normalization in the victim's web browsers.