TL;DR

  • Cache poisoning targets shared cache entries.
  • Look for unkeyed headers or params that affect the response.
  • Verify that poisoned content is served to other users.

What It Is

Web cache poisoning happens when a user-controlled input (a header, a query parameter, a path variant) changes the response the origin returns but is not part of the cache key. The cache stores the attacker's variant under the same key that ordinary requests hit, so the poisoned response is served to every user of that entry until it expires or is purged.

Common Vectors

  • Unkeyed headers (X-Forwarded-Host, X-Forwarded-Scheme, X-Original-URL). Host itself is almost always part of the key, so it rarely works directly.
  • Unkeyed query params: the cache strips or ignores them (tracking params such as utm_*) while the application still reflects them.
  • Path normalization inconsistencies: the cache and the origin decode or collapse the path differently (percent-encoding, trailing slashes, dot segments), so one cache key maps to an unexpected origin response.

Testing Flow

  1. Identify a cacheable endpoint: look for X-Cache: HIT/MISS, Age, or Cache-Control headers, and confirm that a second identical request is served from cache.
  2. Find inputs that change the response but not the cache key: add one candidate header or parameter at a time and check whether its value is reflected while the plain URL still returns a HIT.
  3. Poison the cache with a malicious value (for example an attacker-controlled host in X-Forwarded-Host where the page builds script URLs from it), timing the request so it lands on a MISS and gets stored.
  4. Confirm the poisoned response is served to other clients: request the same URL without the input, ideally from a different client, and check that the injected value is present.
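
The flow above, worked through as an added example (not code from the original page): a toy cache and origin constructed for illustration, with the origin hypothetically building a script URL from X-Forwarded-Host and the cache keying only on host, path and query. The probe function performs steps 1-4 with a cache buster so that it only ever touches its own cache entry; the two alternative constructors show the fixes a practitioner would verify, namely keying the header or having the origin ignore it. All names, hosts and header handling here are assumptions for the example.

```python
"""Simulated CDN cache plus origin showing how an unkeyed header poisons a
shared entry, and the probe a tester runs to confirm it.
Constructed for illustration; not the behaviour of any real product."""
from dataclasses import dataclass, field
import uuid


@dataclass
class Request:
    host: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def vulnerable_origin(req: Request) -> str:
    """Hypothetical app logic: trusts X-Forwarded-Host when building an
    absolute script URL, so an attacker can redirect the script source."""
    host = req.headers.get("X-Forwarded-Host", req.host)
    return f'<script src="https://{host}/static/app.js"></script>'


def safe_origin(req: Request) -> str:
    """Hardened origin: ignores the forwarded header entirely."""
    return f'<script src="https://{req.host}/static/app.js"></script>'


class Cache:
    """Toy cache. The key is (host, path, sorted query) plus any headers
    listed in key_headers; everything else is unkeyed."""

    def __init__(self, origin, key_headers=()):
        self.origin = origin
        self.key_headers = tuple(key_headers)
        self.store = {}

    def key(self, req: Request):
        extra = tuple(req.headers.get(h, "") for h in self.key_headers)
        return (req.host, req.path, tuple(sorted(req.query.items())), extra)

    def get(self, req: Request):
        """Return (body, 'HIT'|'MISS'), storing the origin response on a miss."""
        k = self.key(req)
        if k in self.store:
            return self.store[k], "HIT"
        body = self.origin(req)
        self.store[k] = body
        return body, "MISS"


def probe_unkeyed_header(cache: Cache, header: str, value: str = "evil.example") -> bool:
    """Steps 1-4 of the testing flow for one candidate header.
    A fresh cache buster (cb=<uuid>) gives this probe its own cache key, so
    nothing a real user requests is overwritten. Returns True only when a
    clean request (no header) is served the poisoned body from cache."""
    buster = {"cb": uuid.uuid4().hex}
    clean = Request("victim.example", "/", buster)
    poison = Request("victim.example", "/", buster, {header: value})

    body, status = cache.get(poison)          # step 3: seed the entry
    if status != "MISS" or value not in body:
        return False                           # not cacheable, or header not reflected
    clean_body, clean_status = cache.get(clean)  # step 4: does a clean client get it?
    return clean_status == "HIT" and value in clean_body


if __name__ == "__main__":
    print("unkeyed header, vulnerable origin:",
          probe_unkeyed_header(Cache(vulnerable_origin), "X-Forwarded-Host"))
    print("header added to cache key:",
          probe_unkeyed_header(Cache(vulnerable_origin, ["X-Forwarded-Host"]), "X-Forwarded-Host"))
    print("origin ignores header:",
          probe_unkeyed_header(Cache(safe_origin), "X-Forwarded-Host"))
```

Against a real target the same logic runs over HTTP: send the request with the candidate header and a buster, read the cache status header, then resend without the candidate header and look for the injected value. Dropping the buster is the only step that can reach real users, so do it once, at the end, on an entry you can purge or that has a short TTL.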

Notes

  • Use cache busters during exploration: give each test request a unique query parameter so your probes create their own cache entries instead of overwriting ones that real users hit, and drop the buster only for the final confirmation.
  • Ensure tests are within scope, and poison only entries with a short TTL or that you can purge, to avoid impacting real users.