What is the difference between web cache poisoning and web cache deception?
\: as a header.
Note that sometimes these kind of status code aren't cached so this test will be useless.X-Forwarded-For to indicate the client to load script from there:X-Cache in the response could be very useful as it may have the value miss when the request wasn't cached and the value hit when it is cached.
The header Cache-Control is also interesting to know if a resource is being cached and when will be the next time the resource will be cached again: Cache-Control: public, max-age=1800
Another interesting header is Vary . This header is often used to indicate additional headers that are treated as part of the cache key even if they are normally unkeyed. Therefore, if the user knows the User-Agent of the victim he is targeting, he can poison the cache for the users using that specific User-Agent.
One more header related to the cache is Age. It defines the times in seconds the object has been in the proxy cache.X-Forwarded-For is being reflected in the response unsanitized>
You can send a basic XSS payload and poison the cache so everybody that access page will be XSSed:/en?region=uk not to /enX-Forwarded-Host to a domain controlled by you and X-Forwarded-Scheme to http.If the server is forwarding all the HTTP requests to HTTPS and using the header X-Forwarded-Scheme as domain name for the redirect. You can control where the pagepointed by the redirect.VaryheaderX-Host header is being used as domain name to load a JS resource but the Vary header in the response is indicating User-Agent . Then, you need to find a way to ex-filtrate the User-Agent of the victim and poison the cache using that user agent:wcvs -u example.com/#/../?r=javascript:alert(1) was sent to the backend as /#/../?r=javascript:alert(1) and the cache key did't have the payload inside of it, only host, path and query.x-http-method-override. So it was possible to send the header x-http-method-override: HEAD and poison the cache into returning an empty response body. It could also support the method PURGE.x-forwarded-scheme value and uses it as the scheme of the request.x-forwarded-scheme: http header would result into a 301 redirect to the same location which will cause a DoS over that resource as in this example:X-forwarded-host and redirect the user to that host, making possible to load javascripts files from the attacker server:size parameter in the request but if you sent also the siz%65 parameter with a bad value, the cache key was constructed with the well written size param, but the backend used the value inside the URL encoded param.size parameter caused it to be ignored by the cache, but used by the backend. Giving the parameter a value of 0 would result in a cacheable 400 Bad Request.\ would cause a cacheable 400 Bad Request error. This was one of the most commonly identified patterns throughout my testing..css, .js, .png etc are usually configured to be saved in the cache. Therefore, if you access www.example.com/profile.php/nonexistent.js the cache will probably store the response because it sees the .js extension. But, if the application is replaying with the sensitive user contents stored in www.example.com/profile.php, you can steal those contents from other users.
Other things to test:.aviftext/html content-type instead of a text/css mime type (which is the expected for a .css file).