I am going to share my experience with a bug, “web cache poisoning”, in bug bounty. As usual, I was pentesting private sites and saw that Param Miner reported an unkeyed URL with a secret URL. So before the exploitation part, I want to share my thoughts about the bug called cache poisoning:
Web cache poisoning:
This is a technique by which an attacker poisons a cached web page by sending a malicious request carrying unkeyed inputs (headers and URL components that the cache ignores when building its cache key). The poisoned response is then served to every other visitor of that page, which can lead to defacement, XSS, SSRF and other consequences. Web cache poisoning is different from web cache deception; the thing they have in common is the cache.
So I was pentesting a private site and saw an API like
“https://redacted.net/api/” [it lists all of the website's URLs with their paths]
I sent this request to Repeater and added the header “X-Forwarded-For: example.com”. I was shocked: the URL used in the website [the /api endpoint] got replaced by my URL, example.com [due to the X-Forwarded-For header]. So I opened ngrok, copied its URL, added it in the X-Forwarded-For header, and boom, I got an incoming request in my terminal from a private IP of the company. But that was not a high-severity bug, so I tried further: I added a cache-buster query to the end of the URL, like “https://redacted.net/api?mohit=1234”, and with the help of a curl command it looks like this:
It was not working. After a lot of trying and researching I added another header, “X-Url-Scheme: no https”. After that I tried many times and got cache: miss, but I kept sending the request and finally it showed cache: hit, meaning my response got stored in the cache. Then I visited “https://redacted.net/api?mohit=1234” and saw the incoming request in my terminal. I tried from my phone on another Wi-Fi connection and still got an incoming connection, meaning I successfully poisoned the web cache: anyone who visits the web page “https://redacted.net/api?mohit=1234” sends a request to me and I grab their IP 😛. Still, I was not satisfied; I tried to get XSS but failed because of the WAF (web application firewall). 🙁
So I tried a different method. I created a web page on my friend's website with 10 rows of JSON and hid an XSS payload in those rows. Then, with the help of web cache poisoning, I tried to fetch that web page, and it got a cache hit in a few attempts. When I visited the URL it showed a popup. Whoo, I got XSS… meaning any user that visits my URL gets a popup of “you are hacked run away”. Another one was defacement, but defacement is shit, that's why I left it and reported XSS, SSRF and web cache poisoning 🙁
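As an added example that is not from the original post or the target site, here is a small Python model of the link-building behaviour described above, beside a hardened version and a cache-side check for unkeyed inputs. The header names follow the post; CANONICAL_HOST, the function names, the allowlist and the sample paths are assumptions.

```python
import ipaddress

# Constructed value for this example; the hostname is the post's own placeholder.
CANONICAL_HOST = "redacted.net"


def build_links_vulnerable(headers: dict, paths: list) -> list:
    """Models the behaviour the post describes: the host of every generated
    link is copied from X-Forwarded-For, and X-Url-Scheme downgrades the
    scheme. Neither header is part of the cache key, so one poisoned
    response is served to every later visitor of the same URL."""
    host = headers.get("X-Forwarded-For", CANONICAL_HOST)
    scheme = "https" if headers.get("X-Url-Scheme", "https").lower() == "https" else "http"
    return [f"{scheme}://{host}{p}" for p in paths]


def build_links_hardened(headers: dict, paths: list,
                         allowed_hosts=frozenset({CANONICAL_HOST})):
    """Hardened form: X-Forwarded-For is only ever parsed as a client IP
    (never used as a hostname), the link host comes from a server-side
    allowlist, and the scheme is fixed. Returns (links, client_ip)."""
    first_hop = headers.get("X-Forwarded-For", "").split(",")[0].strip()
    try:
        client_ip = ipaddress.ip_address(first_hop) if first_hop else None
    except ValueError:
        client_ip = None  # not an IP address at all: ignore the header
    forwarded_host = headers.get("X-Forwarded-Host", "")
    host = forwarded_host if forwarded_host in allowed_hosts else CANONICAL_HOST
    return [f"https://{host}{p}" for p in paths], client_ip


def unkeyed_inputs(inputs_read: set, cache_key: set) -> set:
    """Cache-side check: every request input the application reads must
    either be part of the cache key (or listed in Vary) or not influence
    the response. Anything left over is a poisoning candidate."""
    return set(inputs_read) - set(cache_key)


if __name__ == "__main__":
    hdrs = {"X-Forwarded-For": "attacker.example", "X-Url-Scheme": "no https"}
    print(build_links_vulnerable(hdrs, ["/api/"]))
    print(build_links_hardened(hdrs, ["/api/"]))
    print(unkeyed_inputs({"path", "query", "X-Forwarded-For"}, {"path", "query"}))
```

The third function is the check worth running against a real deployment: list every header the origin reads and compare it with what the CDN keys on, and either stop reading the leftovers or add them to the key.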