How I managed to trigger a Stored-XSS in an online store with the help of Cache Poisoning

Updated: Apr 22



Hey everyone, welcome to my first blog post. I hope you'll find it informative.

Today I will be writing about how I was able to trigger a stored XSS (sXSS) with the help of a web cache poisoning attack.

Web cache poisoning is an advanced technique whereby an attacker exploits the behaviour of a web server and cache so that a harmful HTTP response is served to other users.

A poisoned web cache can be a devastating means of distributing many different attacks, since it serves the attacker's response to every user who hits the cached page, exploiting vulnerabilities such as JavaScript injection, open redirection, XSS (in my case) and so on.






I am new to bug hunting, so I like to participate in responsible disclosure programs because there is less competition and a lot to learn.


I was testing an online store company, let's call it onlinestore.com. I started with content discovery and didn't find anything juicy on the primary domain, then tried subdomain enumeration and found a few interesting subdomains with the help of this command:



> subfinder -d onlinestore.com | httpx -title -status-code


The subdomain looked suspicious because it was only for the staff of onlinestore.com, so I thought, let's give it a try.

Then I did some subdomain discovery and found an admin login panel.


I tried some SQLi payloads but had no success. As there was no reCAPTCHA on the login page, I decided to check for missing rate limiting, and it was vulnerable.


Then I started playing with the requests and found that adding an extra Host header to the request got reflected in the response's source.


I had read that tampering with the Host header can lead to a web cache poisoning attack, which can then be escalated to XSS and more severe attacks, so I started looking for the right request to apply this to.



After some tries, when I was trying to escape the external Host header reflection, I found that adding arbitrary values to one of the cookie parameters was also getting reflected in the response. I tried injecting some command injection and SQLi payloads, but it was only cookie pollution caused by improper validation in the backend.


Then I tried tampering with the parameter using some values in a POST request with some content, and found that it got saved in the caching server and the page was blank.

I added some text, "Hello", gave the parameter a different value, opened the page, and yes, it was getting reflected.

Then, instead of Hello, I tried adding these two JavaScript payloads one by one:



javascript:alert(1) and <script>alert(1)</script>

but the payload didn't get executed; there was just the reflection of the text.


I was confused about what was happening. Then I looked at the request and saw the header Accept: text/html, so I thought maybe some text along with the script would work, and tried:


Hello<script>alert(document.cookie)</script>

and guess what?


I was surprised by how this worked. I mean, when I used only the payload it didn't get executed, but with a string in front of it I was able to hit the payload.
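To make the chain above concrete, here is an added Python model of what went wrong and how it is fixed. It is not code from the original post or from the store in question; the subdomain admin.onlinestore.com, the cookie name theme and the host attacker.example are assumptions for the sake of the example. The origin renders the Host header and one cookie value straight into HTML, and the shared cache keys responses on the request path only, so whichever response is cached first is served to everyone who asks for that path afterwards. The hardened origin HTML-encodes every reflected value and uses a server-side constant instead of the request's Host, and the fixed cache adds the reflected inputs to its key (the effect of a Vary-style setup).

```python
"""Toy model of cache poisoning via unkeyed reflected inputs (added example).

Assumptions, not from the original post: hostnames, cookie name and the
cache-key layout are invented for illustration.
"""
import html
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    host: str = "admin.onlinestore.com"          # hypothetical staff subdomain
    cookies: dict = field(default_factory=dict)


def vulnerable_origin(req: Request) -> str:
    """Reflects Host and a cookie value into HTML without encoding (the flaw)."""
    theme = req.cookies.get("theme", "default")
    return (
        f"<html><head><base href='https://{req.host}/'></head>"
        f"<body class='{theme}'>Admin panel</body></html>"
    )


def hardened_origin(req: Request) -> str:
    """Same page: reflected values HTML-encoded, Host replaced by a constant."""
    canonical_host = "admin.onlinestore.com"     # never trust the request's Host
    theme = html.escape(req.cookies.get("theme", "default"), quote=True)
    return (
        f"<html><head><base href='https://{canonical_host}/'></head>"
        f"<body class='{theme}'>Admin panel</body></html>"
    )


class Cache:
    """Shared cache in front of the origin.

    key_fields lists the request parts that form the cache key. Keying on
    "path" alone is the weak setup; adding "host" and "cookie:<name>" means a
    victim with clean inputs never receives a response built from tainted ones.
    """
    def __init__(self, origin, key_fields=("path",)):
        self.origin = origin
        self.key_fields = key_fields
        self.store = {}

    def key(self, req: Request) -> tuple:
        parts = []
        for f in self.key_fields:
            if f == "path":
                parts.append(req.path)
            elif f == "host":
                parts.append(req.host)
            elif f.startswith("cookie:"):
                parts.append(req.cookies.get(f[len("cookie:"):], ""))
        return tuple(parts)

    def get(self, req: Request) -> str:
        k = self.key(req)
        if k not in self.store:                  # cache miss: ask the origin once
            self.store[k] = self.origin(req)
        return self.store[k]                     # every later hit gets this copy


PAYLOAD = "Hello<script>alert(document.cookie)</script>"   # the post's final payload


def run_scenario(origin, key_fields) -> str:
    """One request with tainted Host and cookie primes the cache; a second
    request with clean values fetches the same path. Returns what the second
    requester (the victim) actually receives."""
    cache = Cache(origin, key_fields)
    tainted = Request("/admin/login", host="attacker.example", cookies={"theme": PAYLOAD})
    cache.get(tainted)                           # response is stored under the shared key
    victim = Request("/admin/login")             # sends no tainted input at all
    return cache.get(victim)


def is_poisoned(page: str) -> bool:
    """Detection check for the model: raw script tag or foreign host in the HTML."""
    return "<script>" in page or "attacker.example" in page


if __name__ == "__main__":
    for name, origin, fields in [
        ("vulnerable origin, path-only key", vulnerable_origin, ("path",)),
        ("vulnerable origin, keyed on reflected inputs", vulnerable_origin, ("path", "host", "cookie:theme")),
        ("hardened origin, path-only key", hardened_origin, ("path",)),
    ]:
        print(f"{name}: poisoned={is_poisoned(run_scenario(origin, fields))}")
```

Either fix alone is enough to stop the victim from getting the script in this model, which is the point: the cache fix stops tainted responses from being shared, and the output-encoding fix stops a shared response from being harmful. In a real deployment you want both, plus a check that the cache honours the Vary header for any request part the origin reflects.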


I reported the vulnerability and got a reply back from the team, and with this I was able to get my first Hall of Fame recognition in 2021.




I hope you found it useful. Thank you, and happy hunting.








