id: cache-poisoning info: name: Cache Poisoning author: melbadry9,xelkomy,akincibor,dogasantos severity: low reference: - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning - https://portswigger.net/research/practical-web-cache-poisoning tags: cache,generic requests: - raw: - | GET /?{{randstr}}=9 HTTP/1.1 X-Forwarded-Prefix: prefix.cache.example.com X-Forwarded-Host: host.cache.example.com X-Forwarded-For: for.cache.example.com - | GET /?{{randstr}}=9 HTTP/1.1 req-condition: true matchers: - type: dsl dsl: - 'contains(body_2, "cache.example.com")' extractors: - type: regex part: response regex: - "(prefix|host|for).cache.example.com"