Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Web cache poisoning via a fat GET request

PRACTITIONER

This lab is vulnerable to web cache poisoning. It accepts GET requests that have a body, but does not include the body in the cache key. A user regularly visits this site's home page using Chrome.

To solve the lab, poison the cache with a response that executes alert(1) in the victim's browser.

ACCESS THE LAB

Solution

  1. Observe that every page imports the script /js/geolocate.js, executing the callback function setCountryCookie(). Send the request GET /js/geolocate.js?callback=setCountryCookie to Burp Repeater.

  2. Notice that you can control the name of the function that is called in the response by passing in a duplicate callback parameter via the request body. Also notice that the cache key is still derived from the original callback parameter in the request line:

    GET /js/geolocate.js?callback=setCountryCookie … callback=arbitraryFunction HTTP/1.1 200 OK X-Cache-Key: /js/geolocate.js?callback=setCountryCookie … arbitraryFunction({"country" : "United Kingdom"})
  3. Send the request again, but this time pass in alert(1) as the callback function. Check that you can successfully poison the cache.
  4. Remove any cache busters and re-poison the cache. The lab will solve when the victim user visits any page containing this resource import URL.

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find web cache poisoning vulnerabilities using Burp Suite

Try for free