nuclei-templates/http/vulnerabilities/generic/cache-poisoning.yaml

id: cache-poisoning

info:
  name: Cache Poisoning Detection
  author: melbadry9,xelkomy,akincibor,dogasantos
  severity: low
  reference:
    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
    - https://portswigger.net/research/practical-web-cache-poisoning
    - https://portswigger.net/web-security/web-cache-poisoning
  tags: cache,generic
  metadata:
    max-request: 2

variables:
  cache_key: "{{to_lower(rand_base(6))}}"
  cache_header: "{{to_lower(rand_base(6))}}"

http:
  - raw:
      - |
        GET /?{{cache_key}}=9 HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Prefix: {{cache_header}}.xfp
        X-Forwarded-Host: {{cache_header}}.xfh
        X-Forwarded-For: {{cache_header}}.xff

      - |
        GET /?{{cache_key}}=9 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, cache_header)'
Update cache-poisoning.yaml 2021-04-02 13:49:50 +00:00			`id: cache-poisoning`
Create cache-poisoning.yaml 2021-04-02 13:14:09 +00:00
			`info:`
misc update to cache-poisoning 2023-04-17 09:28:43 +00:00			`name: Cache Poisoning Detection`
Update cache-poisoning.yaml (#4418) * Update cache-poisoning.yaml * added identifier to headers Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-05-17 09:01:33 +00:00			`author: melbadry9,xelkomy,akincibor,dogasantos`
Update cache-poisoning.yaml 2022-03-17 11:19:43 +00:00			`severity: low`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning`
			`- https://portswigger.net/research/practical-web-cache-poisoning`
misc updates 2023-04-17 10:07:36 +00:00			`- https://portswigger.net/web-security/web-cache-poisoning`
Update cache-poisoning.yaml 2021-08-11 07:37:27 +00:00			`tags: cache,generic`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 2`
Create cache-poisoning.yaml 2021-04-02 13:14:09 +00:00
misc updates 2023-04-17 10:07:36 +00:00			`variables:`
			`cache_key: "{{to_lower(rand_base(6))}}"`
			`cache_header: "{{to_lower(rand_base(6))}}"`

Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create cache-poisoning.yaml 2021-04-02 13:14:09 +00:00			`- raw:`
			`- \|`
misc updates 2023-04-17 10:07:36 +00:00			`GET /?{{cache_key}}=9 HTTP/1.1`
misc update to cache-poisoning 2023-04-17 09:28:43 +00:00			`Host: {{Hostname}}`
misc updates 2023-04-17 10:07:36 +00:00			`X-Forwarded-Prefix: {{cache_header}}.xfp`
			`X-Forwarded-Host: {{cache_header}}.xfh`
			`X-Forwarded-For: {{cache_header}}.xff`
Create cache-poisoning.yaml 2021-04-02 13:14:09 +00:00
			`- \|`
misc updates 2023-04-17 10:07:36 +00:00			`GET /?{{cache_key}}=9 HTTP/1.1`
misc update to cache-poisoning 2023-04-17 09:28:43 +00:00			`Host: {{Hostname}}`
Create cache-poisoning.yaml 2021-04-02 13:14:09 +00:00
			`matchers:`
			`- type: dsl`
			`dsl:`
misc updates 2023-04-17 10:07:36 +00:00			`- 'contains(body_2, cache_header)'`