From 5eb1e78503df3882740cad12505e454be88940b7 Mon Sep 17 00:00:00 2001
From: Mohamed Elbadry
Date: Fri, 2 Apr 2021 15:14:09 +0200
Subject: [PATCH 1/3] Create cache-poisoning.yaml
---
 vulnerabilities/generic/cache-poisoning.yaml | 24 ++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 vulnerabilities/generic/cache-poisoning.yaml
diff --git a/vulnerabilities/generic/cache-poisoning.yaml b/vulnerabilities/generic/cache-poisoning.yaml
new file mode 100644
index 0000000000..14c75394a9
--- /dev/null
+++ b/vulnerabilities/generic/cache-poisoning.yaml
@@ -0,0 +1,24 @@
+id: cache-poisoning
+
+info:
+  name: Cache Poisoning
+  author: melbadry9 & xelkomy
+  severity: low
+  reference: https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
+
+requests:
+  - raw:
+      - |
+        GET /?mel=9 HTTP/1.1
+        X-Forwarded-Prefix: cache.melbadry9.com
+        X-Forwarded-Host: cache.melbadry9.com
+        X-Forwarded-For: cache.melbadry9.com
+
+      - |
+        GET /?mel=9 HTTP/1.1
+
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2, "cache.melbadry9.com") == true'
From 3daa03c7992462b91613029dfcdec8f1b64ec716 Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Fri, 2 Apr 2021 19:19:50 +0530
Subject: [PATCH 2/3] Update cache-poisoning.yaml
---
 vulnerabilities/generic/cache-poisoning.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/vulnerabilities/generic/cache-poisoning.yaml b/vulnerabilities/generic/cache-poisoning.yaml
index 14c75394a9..043a9fb37d 100644
--- a/vulnerabilities/generic/cache-poisoning.yaml
+++ b/vulnerabilities/generic/cache-poisoning.yaml
@@ -1,4 +1,4 @@
-id: cache-poisoning
+id: cache-poisoning
 
 info:
   name: Cache Poisoning
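Review bot: The `info:` block never says what the two raw requests do or that the check leaves state behind on the target, and because both requests share the constant cache key `/?mel=9`, a rerun inside the cache TTL matches the entry written by the previous run instead of proving a fresh injection. Add a `description:` under `name:` such as `description: Sends X-Forwarded-Prefix/Host/For headers carrying a marker host to a cache-busted URL, then requests the same URL without them; a match means the cache served the injected value, and that entry stays in the cache until it expires.` A per-run cache buster in both `GET` lines (a `{{randstr}}`-style value, provided it resolves to the same string in both requests) would make each run test a fresh entry rather than a stale one. The whole template is within this hunk, so the `description:` and both `GET` lines are the only places to touch.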
@@ -10,9 +10,9 @@ requests:
   - raw:
       - |
         GET /?mel=9 HTTP/1.1
-        X-Forwarded-Prefix: cache.melbadry9.com
-        X-Forwarded-Host: cache.melbadry9.com
-        X-Forwarded-For: cache.melbadry9.com
+        X-Forwarded-Prefix: cache.example.com
+        X-Forwarded-Host: cache.example.com
+        X-Forwarded-For: cache.example.com
 
       - |
         GET /?mel=9 HTTP/1.1
@@ -21,4 +21,4 @@ requests:
     matchers:
       - type: dsl
         dsl:
-          - 'contains(body_2, "cache.melbadry9.com") == true'
+          - 'contains(body_2, "cache.example.com")'
From 40fb0066c395bca939614ee6156b3243ca4eb74d Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Fri, 2 Apr 2021 21:38:35 +0530
Subject: [PATCH 3/3] more reference
---
 vulnerabilities/generic/cache-poisoning.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/vulnerabilities/generic/cache-poisoning.yaml b/vulnerabilities/generic/cache-poisoning.yaml
index 043a9fb37d..82886086dc 100644
--- a/vulnerabilities/generic/cache-poisoning.yaml
+++ b/vulnerabilities/generic/cache-poisoning.yaml
@@ -3,8 +3,11 @@ id: cache-poisoning
 info:
   name: Cache Poisoning
   author: melbadry9 & xelkomy
-  severity: low
-  reference: https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
+  severity: info
+  reference: |
+    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
+    - https://portswigger.net/research/practical-web-cache-poisoning
+  tags: cache
 
 requests:
   - raw:
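Review bot: The rewritten `dsl:` line in the `@@ -21,4 +21,4 @@` hunk still inspects only `body_2`, so a response that carries the injected host in a header (typically a `Location` redirect built from X-Forwarded-Host) is reported as clean even though the cache served the marker. If this nuclei version exposes per-response header variables under `req-condition`, widening the expression to `'contains(body_2, "cache.example.com") || contains(all_headers_2, "cache.example.com")'` covers that case with the same marker; the variable name should be checked against the installed release. The raw requests that set the marker are in the `@@ -10,9 +10,9 @@` hunk of this patch, not here.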
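Review bot: `reference: |` on the new side of the `@@ -3,8 +3,11 @@` hunk makes the value one literal string whose lines start with `- `, not a YAML sequence, so any tooling that iterates references gets a single multi-line entry with dash prefixes; nuclei tolerates a string here, but a list is what the `- ` syntax suggests. Replace the block scalar with a sequence: `reference:` / `    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning` / `    - https://portswigger.net/research/practical-web-cache-poisoning`. The drop from `severity: low` to `severity: info` is also hard to reconcile with a check whose positive result means the cache is serving an injected host to other clients until the entry expires; if `info` is the repository's convention for generic checks, a comment on that line saying so would help the next reader.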