# Cache Poisoning Attack: A Step-by-Step Bug Bounty Breakdown


Caching servers store copies of web pages to reduce load and improve speed. However, misconfigurations can lead to caching malicious responses, resulting in unexpected redirects, broken pages, or even Cross-Site Scripting (XSS).

The Bug: Cache Poisoning via `X-Forwarded-Scheme`

Sending a request with an `X-Forwarded-Scheme` header to a Ruby on Rails application triggered a 301 redirect loop, and the redirect response was cached. This could lead to:
– Denial of Service (DoS): the cached redirect takes the affected static files down for everyone served by the cache.
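The mechanism behind this bug, as an added toy model that is not part of the original post: a cache keyed only on host and path, an origin that trusts `X-Forwarded-Scheme` to decide whether to force HTTPS, and an edge that either passes client-supplied `X-Forwarded-*` headers through (poisonable) or overwrites them from the real connection (the mitigation). The host `app.example`, the class names and the `hardened_edge` function are assumptions made for the example.

```python
"""Toy model of unkeyed-header cache poisoning via X-Forwarded-Scheme.

Added example, not code from the original post or from any real proxy/app.
The origin mimics a Rails-style app that redirects plain-http requests to
https; the cache keys on (host, path) only, so a client-supplied
X-Forwarded-Scheme header changes the stored response without changing the
key. The hardened edge overwrites X-Forwarded-* before anything is cached.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    host: str
    path: str
    tls: bool = True                      # was the client connection actually TLS?
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def origin(req: Request) -> Response:
    """Origin trusts X-Forwarded-Scheme to decide whether to redirect to https."""
    scheme = req.headers.get("X-Forwarded-Scheme", "https" if req.tls else "http")
    if scheme != "https":
        # The Location points at the same host/path, i.e. the same cache key:
        # once this 301 is stored, following it yields the same 301 again (a loop).
        return Response(301, {"Location": f"https://{req.host}{req.path}",
                              "Cache-Control": "public, max-age=3600"})
    return Response(200, {"Cache-Control": "public, max-age=3600",
                          "Content-Type": "application/javascript"})


class Cache:
    """Shared cache keyed on (host, path); request headers are unkeyed."""

    def __init__(self, edge=None):
        self.store = {}
        self.edge = edge                  # optional request normaliser run before lookup

    def fetch(self, req: Request) -> Response:
        if self.edge:
            req = self.edge(req)
        key = (req.host, req.path)
        if key in self.store:
            return self.store[key]
        resp = origin(req)
        if "public" in resp.headers.get("Cache-Control", ""):
            self.store[key] = resp
        return resp


def hardened_edge(req: Request) -> Request:
    """Mitigation: drop client-supplied X-Forwarded-* and set the scheme from the real connection."""
    clean = {k: v for k, v in req.headers.items()
             if not k.lower().startswith("x-forwarded-")}
    clean["X-Forwarded-Scheme"] = "https" if req.tls else "http"
    return Request(req.host, req.path, req.tls, clean)


def scenario(edge=None) -> tuple:
    """Return (status seen by the poisoning request, status seen by a later ordinary visitor)."""
    cache = Cache(edge)
    # Constructed requests: both arrive over TLS for the same static asset.
    poison = Request("app.example", "/static/js/app.js", tls=True,
                     headers={"X-Forwarded-Scheme": "http"})
    first = cache.fetch(poison).status
    visitor = Request("app.example", "/static/js/app.js", tls=True)
    second = cache.fetch(visitor).status
    return first, second


if __name__ == "__main__":
    print("unkeyed header, no edge normalisation:", scenario())                # (301, 301)
    print("edge overwrites X-Forwarded-*:        ", scenario(hardened_edge))   # (200, 200)
```

The ordinary visitor in the first scenario never sent any special header and still receives the cached 301, which is what makes the issue a denial of service for everyone behind the cache rather than a problem for one client. The fix lives at the edge: the proxy is the only component that knows the real scheme, so it must set `X-Forwarded-*` itself rather than trust whatever arrives from the client.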

How It Was Found

  1. Burp Suite Intruder was used with a wordlist of common request headers.
  2. Cacheable responses were identified by checking CDN behavior.
  3. Attack verification was done by revisiting the URL in a browser.

⚠ Disclaimer: Always use a cache buster (e.g., `?cache_buster=random`) to avoid unintentionally breaking the site.

You Should Know: Practical Cache Poisoning Techniques

1. Identifying Cacheable Endpoints

Use `curl` to check caching headers:

```bash
curl -I http://target.com/static/js/app.js
```

Look for headers like:

– `Cache-Control: public, max-age=3600`
– `X-Cache: HIT`
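The check above done programmatically, as an added example that is not part of the original post: parse a `curl -I` style response the way a shared cache would read `Cache-Control`, then verify that every request header found to influence the response is listed in `Vary`. A cacheable response that depends on an unkeyed header is the precondition for poisoning, so this is the audit a defender runs over their own endpoints. The header blob is constructed, and the function names and severity labels are assumptions.

```python
"""Cacheability and Vary audit for responses captured with `curl -I`.

Added example, not code from the original post. A shared cache stores a
response when Cache-Control permits it; if the response also changed when a
request header was varied and that header is absent from Vary, every visitor
shares one poisonable entry.
"""
from typing import Dict, List

# Request headers the post names as commonly honoured by back-ends but left unkeyed.
RISKY_REQUEST_HEADERS = {"x-forwarded-host", "x-forwarded-scheme",
                         "x-forwarded-proto", "x-original-url"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response (status line first) into a lowercase-keyed header dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'public, max-age=3600' into {'public': '', 'max-age': '3600'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name] = arg.strip('"')
    return directives


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """Rule of thumb from RFC 9111: no-store/private forbid shared caching;
    public, s-maxage or max-age permit storing an otherwise cacheable response."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    return any(d in cc for d in ("public", "s-maxage", "max-age"))


def audit(raw_response: str, influencing_headers: List[str]) -> List[str]:
    """Findings for a response that was observed to change when the given request headers varied."""
    headers = parse_headers(raw_response)
    findings = []
    if not shared_cache_may_store(headers):
        return findings                  # a shared cache will not store it, so nothing to poison
    if headers.get("x-cache", "").upper().startswith("HIT"):
        findings.append("response was served from cache (X-Cache: HIT)")
    vary = {v.strip().lower() for v in headers.get("vary", "").split(",") if v.strip()}
    for h in influencing_headers:
        h = h.lower()
        if "*" in vary or h in vary:
            continue                     # keyed: each variant gets its own cache entry
        severity = "high" if h in RISKY_REQUEST_HEADERS else "medium"
        findings.append(f"{severity}: response depends on request header {h!r} but it is not in Vary")
    return findings


# Constructed response, not captured from any real site.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: application/javascript
Cache-Control: public, max-age=3600
Vary: Accept-Encoding
X-Cache: HIT
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["X-Forwarded-Host", "Accept-Encoding"]):
        print(finding)
```

Which headers count as "influencing" comes from the fuzzing step: send the request twice, once with and once without the candidate header, and pass the headers whose presence changed the body or status. `Accept-Encoding` is listed in `Vary` here and produces no finding; `X-Forwarded-Host` is not, and is flagged.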

2. Fuzzing Headers with Burp Suite

  • Load a header wordlist into Burp Intruder.
  • Target headers like:
    – `X-Forwarded-Host`
    – `X-Forwarded-Scheme`
    – `X-Original-URL`

3. Exploiting Cache Poisoning for XSS

If a site reflects input in a cached response:

```http
GET /search?q= HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
```

If cached, all visitors may see the XSS payload.

4. Using Param Miner for Automation

The Burp extension “Param Miner” automates header fuzzing. It is installed from the BApp Store and started from Burp’s right-click context menu on a request (“Guess headers”); it is not launched with a command-line flag.

5. Cache Busting Techniques

To avoid affecting real users:

```bash
curl "http://target.com/poisoned_path?cache_buster=$(date +%s)"
```

6. Testing with Web Cache Deception

Force caching of sensitive pages:

```http
GET /account/profile HTTP/1.1
Host: target.com
X-Original-URL: /static/css/style.css
```

What Undercode Says

Cache poisoning remains a critical threat in web security. Misconfigured CDNs and reverse proxies can turn minor flaws into widespread attacks. Key takeaways:
– Always test caching behavior on static files and API endpoints.
– Monitor for unusual headers (X-Forwarded-*, X-Original-URL).
– Automate detection with tools like Burp Suite and Param Miner.
– Use cache busters during testing to prevent collateral damage.
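The monitoring takeaway above, and the Web Cache Deception case from section 6, as detection logic run over sample access-log lines. This is an added example, not code from the original post. The log format is a constructed extended-combined format in which the proxy appends the cache result (`cache=HIT|MISS`) and a pipe-separated list of any `X-Forwarded-*`/`X-Original-URL` headers it received from the client; those two fields, the sample lines, and the path lists are assumptions.

```python
"""Access-log detection for unkeyed override headers, cached redirects on static
assets, and cache HITs on sensitive paths.

Added example, not code from the original post. Assumes the proxy logs two
extra fields: cache=<HIT|MISS> and fwd="<Header: value|Header: value>"
listing client-supplied X-Forwarded-* / X-Original-URL headers.
"""
import re
from typing import Dict, List

STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".woff2")
SENSITIVE_PREFIXES = ("/account/", "/api/me", "/settings")
# Headers the edge should set itself; seeing them arrive from a client is the anomaly.
WATCH_HEADERS = ("x-forwarded-host", "x-forwarded-scheme", "x-forwarded-proto", "x-original-url")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ cache=(?P<cache>\S+) fwd="(?P<fwd>[^"]*)"$'
)


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per suspicious event, in log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        path = rec["path"].split("?", 1)[0].lower()
        status = int(rec["status"])
        fwd = [h.split(":", 1)[0].strip().lower() for h in rec["fwd"].split("|") if h.strip()]
        hit = rec["cache"].upper() == "HIT"

        # 1. Client-supplied override headers reaching the proxy.
        for h in fwd:
            if h in WATCH_HEADERS:
                alerts.append(f"{rec['ts']} {rec['ip']} sent {h} for {path}")
        # 2. Redirect served from cache for a static asset: the DoS pattern from the X-Forwarded-Scheme bug.
        if hit and status in (301, 302, 307, 308) and path.endswith(STATIC_EXT):
            alerts.append(f"{rec['ts']} cached redirect ({status}) for static asset {path}")
        # 3. Cache HIT on a sensitive path: Web Cache Deception indicator.
        if hit and path.startswith(SENSITIVE_PREFIXES):
            alerts.append(f"{rec['ts']} cache HIT on sensitive path {path}")
    return alerts


# Constructed sample lines, not from any real deployment.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /static/js/app.js HTTP/1.1" 301 0 cache=MISS fwd="X-Forwarded-Scheme: http"',
    '198.51.100.7 - - [10/Mar/2025:12:00:02 +0000] "GET /static/js/app.js HTTP/1.1" 301 0 cache=HIT fwd=""',
    '198.51.100.8 - - [10/Mar/2025:12:00:03 +0000] "GET /account/profile HTTP/1.1" 200 5120 cache=HIT fwd="X-Original-URL: /static/css/style.css"',
    '198.51.100.9 - - [10/Mar/2025:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048 cache=HIT fwd=""',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second sample line is the one worth watching in production: a client that sent nothing unusual still received a cached 301 for a JavaScript file, which is exactly how a poisoned entry surfaces to ordinary users. Rule 1 is only meaningful if the proxy logs headers as received from the client, before it rewrites them; logging the post-normalisation values would hide the very thing being detected.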

Expected Output:

A cached response leading to a redirect loop or XSS payload execution.

References:

Reported By: Cametome006 Bugbounty – Hackers Feeds