BIPI

Web Cache Poisoning for Bug Bounty: Unkeyed Headers and DoS-to-RCE Pivots

Cybersecurity

Web cache poisoning leverages the gap between the cache key and the response. This piece covers unkeyed header discovery with Param Miner, the classic X-Forwarded-Host poisoning, cache deception, and the pivots that turn cached XSS into mass account takeover.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 26, 2023 · 10 min read

#cache-poisoning #bug-bounty #web-security #cdn #xss

Cache Keys and Cache Inputs

Caches hash a subset of the request to produce a key. If a header influences the response but is not part of the key, an attacker can poison the cached response and serve it to everyone with the same key.

Finding Unkeyed Inputs

Burp's Param Miner brute forces headers and parameters, watching for response differences. X-Forwarded-Host, X-Host, X-Forwarded-Scheme, X-Original-URL, and X-Rewrite-URL are perennial winners.

Classic Host Header Poisoning

If the response embeds the Host or X-Forwarded-Host value, set it to attacker.com and watch the cached HTML link to attacker resources. When a victim hits the cache, they load JavaScript from your domain.

Cache Deception

Append a static-looking suffix like /profile.css to a dynamic endpoint. Some caches see .css and store the response. The next user requesting the same path reads a previous user's profile data.

Fat GET Poisoning

When a backend accepts parameters in both GET query and POST body, send them in the body of a GET. Some caches key on URL only, missing the body, while the origin uses the body. Poison and serve.

Vary Header Misuse

If Vary omits a request header that actually changes the response, the cache merges responses across user agents or Accept-Language values; likewise, a different cookie value can still resolve to the same cache entry.
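As an added example (not code from the article), here is a toy Python edge cache that makes the key gap from the Cache Keys section and the Vary collision above concrete. The origin, hostnames and traffic are constructed; the hardened variant shows the two standard fixes, dropping the unkeyed header at the edge and folding the header that Vary names into the key.

```python
import hashlib

# Constructed origin: it reflects X-Forwarded-Host (falling back to Host) into an
# absolute script URL and echoes Accept-Language, the reflections described above.
def origin(req):
    base = req["headers"].get("X-Forwarded-Host", req["host"])
    lang = req["headers"].get("Accept-Language", "en")
    body = f'<script src="https://{base}/app.js"></script><p lang="{lang}">'
    return {"body": body, "vary": ["Accept-Language"]}

class Cache:
    """Toy edge cache. key_headers: request headers folded into the cache key.
    strip: headers removed before the request is forwarded to the origin."""
    def __init__(self, key_headers=(), strip=()):
        self.key_headers, self.strip, self.store = key_headers, set(strip), {}

    def key(self, req):
        parts = [req["method"], req["host"], req["path"]]
        parts += [f'{h}={req["headers"].get(h, "")}' for h in self.key_headers]
        return hashlib.sha256("\n".join(parts).encode()).hexdigest()

    def fetch(self, req):
        k = self.key(req)
        if k in self.store:
            return self.store[k], True                     # cache hit
        fwd = dict(req, headers={h: v for h, v in req["headers"].items()
                                 if h not in self.strip})
        self.store[k] = origin(fwd)
        return self.store[k], False                        # cache miss

def make_req(host, path, **headers):
    return {"method": "GET", "host": host, "path": path, "headers": headers}

def poison_then_visit(cache):
    """Constructed traffic: one request with a forged X-Forwarded-Host, then a
    plain request for the same URL. Returns (victim saw forged host, served from cache)."""
    cache.fetch(make_req("shop.example", "/", **{"X-Forwarded-Host": "attacker.example"}))
    victim, hit = cache.fetch(make_req("shop.example", "/"))
    return "attacker.example" in victim["body"], hit

def vary_collision(cache):
    """Two clients with different Accept-Language on one URL: True if the second
    is handed the first client's entry, i.e. the key ignored what Vary names."""
    cache.fetch(make_req("shop.example", "/v", **{"Accept-Language": "de"}))
    resp, hit = cache.fetch(make_req("shop.example", "/v", **{"Accept-Language": "fr"}))
    return hit and 'lang="de"' in resp["body"]

# Key = method + host + path only, and the unkeyed header reaches the origin.
WEAK = Cache()
# The edge drops the unkeyed header and the key honours what Vary names.
HARDENED = Cache(key_headers=("Accept-Language",), strip=("X-Forwarded-Host",))
```

poison_then_visit(WEAK) returns (True, True) while poison_then_visit(HARDENED) returns (False, True): the hardened cache still serves hits, it just can no longer be primed through the forwarded header.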

Edge Side Includes and Surrogate Headers

Some CDNs honor Surrogate-Control and ESI directives in responses. If you can inject either, you may rewrite the cached response across the edge.

From Cache XSS to ATO

  1. Discover an unkeyed header that reflects into HTML
  2. Poison the cache with a script tag pointing to your domain
  3. Wait for traffic to load your script with each visit
  4. Steal CSRF tokens and session indicators
  5. Pivot to account takeover at scale

DoS-to-RCE Pivots

Some cache poisoning lets you serve oversized or malformed responses that crash CDN nodes. Others can poison admin panel responses, leading to internal XSS that pivots to internal RCE through admin features.

Tooling

  • Param Miner for header discovery
  • Web Cache Vulnerability Scanner from PortSwigger Labs
  • Burp Collaborator for blind callback confirmation
  • Custom curl scripts to test cache behavior across edge nodes

Reporting Safely

Use cache-busting parameters in your PoC so you do not poison production for real users. Demonstrate the poisoning with a controlled key, then explain the unrestricted variant in prose.

Cache poisoning is one of the few bug classes where a single request affects many users. Triage understands that and pays accordingly.

Closing

The CDN is part of the application surface. The hunters who treat it as such, with Param Miner and patience, find bugs that escape every WAF and pentest.
