Updated: Feb 9
Hey everyone, Welcome to my first blog post, I hope you'll find it informative.
Web cache poisoning is an advanced technique whereby an attacker exploits the behaviour of a web server and cache so that a harmful HTTP response is served to other users.
I am new to Bug hunting so I like to participate in Responsible disclosures because there is less competition and a lot to learn.
I was testing an online store company lets say it onlinestore.com started with content discovery did'nt find anything juicy in the primary domain, tried for subdomain enumeration and found a few interesting subdomains with the help of this code
> subfinder -d onlinestore.com | httpx -title -status-code
The subdomain looked suspicious because it was only for the staffs of onlinestore.com so I thought lets give it a try.
Then I did some subdomain discovery and found Admin login Panel.
I tried some SQLi Payloads but got no success. As there was no reCaptcha in the login page so I decided to check for No Rate Limiting and It was vulnerable
Then I started playing with the requests and I found adding an extra HOST header in the request was getting reflected in the response's source.
I read Tampering of Host header can lead to web cache poisoning attack and then further we can exploit it to XSS and more severe attacks, so I started looking for the right request where I apply this.
After some tries,
When I was trying to escape the external Host response's reflection I found that adding an arbitrary values in one of the cookie parameter was also getting reflected in the response, I tried injecting some command injection,sqli payloads but it was only a cookie pollution caused by improper validation in the backend .
Then I tried tampering parameter with some values as a POST request with some content and found that It got saved in the caching server and and the page was blank
I added some text "Hello" and gave the parameter different value opened the page and yes It was getting reflected.
but the payload did'nt get executed there was just the reflection of the text.
I was confused what's happening then I looked at the request and saw the header Accept: text/html so I thought maybe If a text along with script would work and tried
and guess what?
I was surprised how this worked I mean when I used only the payload that didnt get executed but with a string i was able to hit the payload.
Reported the vulnerability, and got a reply back from the team, So by this i was able to get my first Hall of Fame recognition in 2021.
I hope you find it useful, Thank you and happy hunting.