Merge pull request #7072 from projectdiscovery/cache-fixes

Added Cache Poisoning based Stored XSS Detection
2023-04-17 18:49:28 +05:30 · 2023-04-17 18:49:28 +05:30 · a56bf1823b
parent 67e3f0b8c9 851ce26033
commit a56bf1823b
2 changed files with 50 additions and 14 deletions
--- a/vulnerabilities/generic/cache-poisoning-xss.yaml
+++ b/vulnerabilities/generic/cache-poisoning-xss.yaml
@ -0,0 +1,36 @@
+id: cache-poisoning-xss
+
+info:
+  name: Cache Poisoning - Stored XSS
+  author: melbadry9,xelkomy,akincibor
+  severity: high
+  reference:
+    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
+    - https://portswigger.net/research/practical-web-cache-poisoning
+    - https://portswigger.net/web-security/web-cache-poisoning
+  tags: cache,generic,xss
+
+variables:
+  cache_key: "{{to_lower(rand_base(6))}}"
+  cache_header: "{{to_lower(rand_base(6))}}"
+  xss_payload: '"></script><script>alert(document.domain);</script>'
+
+requests:
+  - raw:
+      - |
+        GET /?{{cache_key}}=1 HTTP/1.1
+        Host: {{Hostname}}
+        X-Forwarded-Prefix: {{cache_header}}.xfp{{xss_payload}}
+        X-Forwarded-Host: {{cache_header}}.xfh{{xss_payload}}
+        X-Forwarded-For: {{cache_header}}.xff{{xss_payload}}
+
+      - |
+        GET /?{{cache_key}}=1 HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains(body_2, cache_header)
+          - contains(body_2, xss_payload)
+        condition: and
--- a/vulnerabilities/generic/cache-poisoning.yaml
+++ b/vulnerabilities/generic/cache-poisoning.yaml
@ -1,33 +1,33 @@
 id: cache-poisoning

 info:
-  name: Cache Poisoning
+  name: Cache Poisoning Detection
  author: melbadry9,xelkomy,akincibor,dogasantos
  severity: low
  reference:
    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
    - https://portswigger.net/research/practical-web-cache-poisoning
+    - https://portswigger.net/web-security/web-cache-poisoning
  tags: cache,generic

+variables:
+  cache_key: "{{to_lower(rand_base(6))}}"
+  cache_header: "{{to_lower(rand_base(6))}}"
+
 requests:
  - raw:
      - |
-        GET /?{{randstr}}=9 HTTP/1.1
-        X-Forwarded-Prefix: prefix.cache.interact.sh
-        X-Forwarded-Host: host.cache.interact.sh
-        X-Forwarded-For: for.cache.interact.sh
+        GET /?{{cache_key}}=9 HTTP/1.1
+        Host: {{Hostname}}
+        X-Forwarded-Prefix: {{cache_header}}.xfp
+        X-Forwarded-Host: {{cache_header}}.xfh
+        X-Forwarded-For: {{cache_header}}.xff

      - |
-        GET /?{{randstr}}=9 HTTP/1.1
+        GET /?{{cache_key}}=9 HTTP/1.1
+        Host: {{Hostname}}

-    req-condition: true
    matchers:
      - type: dsl
        dsl:
-          - 'contains(body_2, "cache.interact.sh")'
-
-    extractors:
-      - type: regex
-        part: response
-        regex:
-          - "(prefix|host|for).cache.interact.sh"
+          - 'contains(body_2, cache_header)'