Proposed fixes to cache-poisoning-fuzz.yaml based on issue #5070
What I believe was wrong before:
- The author of this template used {{uniq}} in three places in the template; however, all three values are different for each pair of requests. This means that the cache buster query changes between request 1 and request 2, causing cache poisoning detection to not work properly.
Implemented fixes:
- Changed the cache buster query to be the same for request 1 and request 2, allowing for proper cache poisoning detection
- Used the consistent {{randstr}} preprocessor as the value for headers, since {{uniq}} would not be detected in the matchers as it changes every call
- Used the same User-Agent for each request, as having user agents change between request 1 and request 2 could cause a cache to miss
- Added a matching condition for {{randstr}} to exist in both responses to avoid false positives
- Added a reference to PortSwigger's web cache poisoning lesson
Side notes:
- The tag "fuzz" for some reason caused errors on my nuclei instance, but "fuzzing" would not. However, I left it alone in case it is just a local issue
- Template tested on and properly detected web cache poisoning for https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-targeted-using-an-unknown-header
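To illustrate the request and matcher structure the fixes above describe, here is an added example template; it is not the template from this PR or from the nuclei-templates repository. It uses one `{{randstr}}` value as the cache buster so both requests share a cache key, a separate `{{randstr_1}}` preprocessor value in the injected header, and a DSL matcher requiring that value in both responses. The header name `X-Forwarded-Host`, the path, the id and the User-Agent string are assumptions.

```yaml
id: cache-poisoning-unkeyed-header-example   # assumed id, illustrative only

info:
  name: Web cache poisoning via unkeyed header (example)
  author: example
  severity: medium
  description: |
    Sends a request with an injected header and a fixed cache buster,
    then re-requests the same URL without the header. If the injected
    value is reflected in both responses, the cache served the poisoned copy.
  reference:
    - https://portswigger.net/web-security/web-cache-poisoning

http:
  - raw:
      # Request 1: inject the header. The cache buster {{randstr}} is a
      # preprocessor, so it is identical in both requests (same cache key).
      - |
        GET /?cb={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (example-scanner)
        X-Forwarded-Host: {{randstr_1}}.example.com

      # Request 2: same URL, same cache buster, same User-Agent, no injected
      # header. A hit on the poisoned cache entry reflects {{randstr_1}}.
      - |
        GET /?cb={{randstr}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (example-scanner)

    # Expose body_1 / body_2 to the DSL matcher.
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          # {{randstr_1}} (not the cache buster) must appear in both bodies:
          # reflection in response 2 alone is what indicates poisoning, and
          # requiring it in response 1 too avoids matching stale content.
          - 'contains(body_1, "{{randstr_1}}") && contains(body_2, "{{randstr_1}}")'
```

Using a distinct preprocessor value for the header keeps the cache buster itself from satisfying the matcher if the server echoes the query string.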