How I managed to trigger a Stored-XSS in an online store with the help of Cache Poisoning

Updated: Feb 9

Hey everyone, Welcome to my first blog post, I hope you'll find it informative.

Today I will be writing about how I was able to trigger an sXSS with the help of web-cache poisoning attack.

Web cache poisoning is an advanced technique whereby an attacker exploits the behaviour of a web server and cache so that a harmful HTTP response is served to other users.

A poisoned web cache can potentially be a devastating means of distributing numerous different dangerous attacks, exploiting vulnerabilities such as JavaScript injection, open redirection, XSS (in my case) and so on.

I am new to Bug hunting so I like to participate in Responsible disclosures because there is less competition and a lot to learn.

I was testing an online store company lets say it started with content discovery did'nt find anything juicy in the primary domain, tried for subdomain enumeration and found a few interesting subdomains with the help of this code

> subfinder -d | httpx -title -status-code

The subdomain looked suspicious because it was only for the staffs of so I thought lets give it a try.

Then I did some subdomain discovery and found Admin login Panel.

I tried some SQLi Payloads but got no success. As there was no reCaptcha in the login page so I decided to check for No Rate Limiting and It was vulnerable

Then I started playing with the requests and I found adding an extra HOST header in the request was getting reflected in the response's source.

I read Tampering of Host header can lead to web cache poisoning attack and then further we can exploit it to XSS and more severe attacks, so I started looking for the right request where I apply this.

After some tries,

When I was trying to escape the external Host response's reflection I found that adding an arbitrary values in one of the cookie parameter was also getting reflected in the response, I tried injecting some command injection,sqli payloads but it was only a cookie pollution caused by improper validation in the backend .

Then I tried tampering parameter with some values as a POST request with some content and found that It got saved in the caching server and and the page was blank

I added some text "Hello" and gave the parameter different value opened the page and yes It was getting reflected.

Then again instead of Hello I tried adding these two javascripts one by one

javascript:alert(1) and <script>alert(1)</script>

but the payload did'nt get executed there was just the reflection of the text.

I was confused what's happening then I looked at the request and saw the header Accept: text/html so I thought maybe If a text along with script would work and tried


and guess what?

I was surprised how this worked I mean when I used only the payload that didnt get executed but with a string i was able to hit the payload.

Reported the vulnerability, and got a reply back from the team, So by this i was able to get my first Hall of Fame recognition in 2021.

I hope you find it useful, Thank you and happy hunting.

1,440 views0 comments

Recent Posts

See All
  • Facebook
  • Twitter

©2021 by CySek.