nuclei-templates/vulnerabilities/generic/cache-poisoning.yaml

id: cache-poisoning

info:
  name: Cache Poisoning
  author: melbadry9,xelkomy,akincibor,dogasantos
  severity: low
  reference:
    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
    - https://portswigger.net/research/practical-web-cache-poisoning
  tags: cache,generic

requests:
  - raw:
      - |
        GET /?{{randstr}}=9 HTTP/1.1
        X-Forwarded-Prefix: prefix.cache.interact.sh
        X-Forwarded-Host: host.cache.interact.sh
        X-Forwarded-For: for.cache.interact.sh

      - |
        GET /?{{randstr}}=9 HTTP/1.1

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "cache.interact.sh")'

    extractors:
      - type: regex
        part: response
        regex:
          - "(prefix|host|for).cache.interact.sh"
Update cache-poisoning.yaml 2021-04-02 13:49:50 +00:00			`id: cache-poisoning`
Create cache-poisoning.yaml 2021-04-02 13:14:09 +00:00
			`info:`
			`name: Cache Poisoning`
Update cache-poisoning.yaml (#4418) * Update cache-poisoning.yaml * added identifier to headers Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-05-17 09:01:33 +00:00			`author: melbadry9,xelkomy,akincibor,dogasantos`
Update cache-poisoning.yaml 2022-03-17 11:19:43 +00:00			`severity: low`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning`
			`- https://portswigger.net/research/practical-web-cache-poisoning`
Update cache-poisoning.yaml 2021-08-11 07:37:27 +00:00			`tags: cache,generic`
Create cache-poisoning.yaml 2021-04-02 13:14:09 +00:00
			`requests:`
			`- raw:`
			`- \|`
Update cache-poisoning.yaml 2022-03-17 11:19:43 +00:00			`GET /?{{randstr}}=9 HTTP/1.1`
Fixed possible FPs in open redirect templates (#4544) * Fixed possible FPs in open redirect templates We have replaced example.com with interact.sh since few domains redirect to example.com, which results in FP results. * updated example domain Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-06-06 10:40:15 +00:00			`X-Forwarded-Prefix: prefix.cache.interact.sh`
			`X-Forwarded-Host: host.cache.interact.sh`
			`X-Forwarded-For: for.cache.interact.sh`
Create cache-poisoning.yaml 2021-04-02 13:14:09 +00:00
			`- \|`
Update cache-poisoning.yaml 2022-03-17 11:19:43 +00:00			`GET /?{{randstr}}=9 HTTP/1.1`
Create cache-poisoning.yaml 2021-04-02 13:14:09 +00:00
			`req-condition: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
Fixed possible FPs in open redirect templates (#4544) * Fixed possible FPs in open redirect templates We have replaced example.com with interact.sh since few domains redirect to example.com, which results in FP results. * updated example domain Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-06-06 10:40:15 +00:00			`- 'contains(body_2, "cache.interact.sh")'`
Update cache-poisoning.yaml (#4418) * Update cache-poisoning.yaml * added identifier to headers Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-05-17 09:01:33 +00:00
			`extractors:`
			`- type: regex`
			`part: response`
			`regex:`
Fixed possible FPs in open redirect templates (#4544) * Fixed possible FPs in open redirect templates We have replaced example.com with interact.sh since few domains redirect to example.com, which results in FP results. * updated example domain Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-06-06 10:40:15 +00:00			`- "(prefix\|host\|for).cache.interact.sh"`