id: cache-poisoning-fuzz

info:
  name: Cache Poison Fuzzing
  author: dwisiswant0,ColbyJack1134
  severity: info
  reference:
    - https://youst.in/posts/cache-poisoning-at-scale/
    - https://portswigger.net/web-security/web-cache-poisoning
  tags: fuzz,cache

requests:
  - raw:
      - |
        GET /?{{md5(headers)}}=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
        {{headers}}: {{randstr}}.tld

      - |
        GET /?{{md5(headers)}}=1 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0

    attack: clusterbomb
    payloads:
      headers: helpers/wordlists/headers.txt

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_1, "{{randstr}}")'
          - 'contains(body_2, "{{randstr}}")'
        condition: and