Web Cache Poisoning
Last modified: 2023-06-11
If the website reflects our arbitrary path in the result such as below.
https://example.com/xyz # Output in the 404 page Page not found: /xyz
We may try XSS as below.
If we use Burp Repeater to send the request above, the URL won't be normalized so leads the reflected XSS. Then the cache will be poisoned. In this state, if you ask the victim to visit this URL, they will see this cached result. In other words, the reflected XSS is performed despite URL normalization in the victim's web browsers.