nuclei-templates/http/vulnerabilities/generic/cache-poisoning.yaml

33 lines
857 B
YAML

id: cache-poisoning
info:
name: Cache Poisoning Detection
author: melbadry9,xelkomy,akincibor,dogasantos
severity: low
reference:
- https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
- https://portswigger.net/research/practical-web-cache-poisoning
- https://portswigger.net/web-security/web-cache-poisoning
tags: cache,generic
variables:
cache_key: "{{to_lower(rand_base(6))}}"
cache_header: "{{to_lower(rand_base(6))}}"
http:
- raw:
- |
GET /?{{cache_key}}=9 HTTP/1.1
Host: {{Hostname}}
X-Forwarded-Prefix: {{cache_header}}.xfp
X-Forwarded-Host: {{cache_header}}.xfh
X-Forwarded-For: {{cache_header}}.xff
- |
GET /?{{cache_key}}=9 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body_2, cache_header)'