HTTP cache poisoning payloads: X-Forwarded-Host/Scheme/Port, X-Original-URL, X-Host (Akamai), Forwarded (RFC 7239), X-Backend-Host, loopback-trust headers, web cache deception paths (5 extensions × null-byte / semicolon / traversal forms), cache key normalization variants, Vary header confusion, status code poisoning, HTTP/2 :authority split. HTTP cache poisoning payload library.
Cache poisoning is the class of attack where the attacker manipulates a cache (CDN edge, proxy, origin reverse-cache) into storing a response for a benign request with attacker-controlled content. Future victims requesting the same cache key receive the poisoned response.
Three layers:
- Unkeyed input poisoning. The cache key consists of Host + path + some headers. Inputs the cache DOESN'T key on (`X-Forwarded-Host`, `X-Forwarded-Scheme`, `X-Original-URL`, `Forwarded`, etc.) reach the origin and influence the response body, but the cache stores under the BENIGN key.
- Cache key normalization. The cache normalizes path/query differently from the origin. `/admin/` (cache) and `/admin//` (origin) hit different origin endpoints but share one cache entry.
- Web cache deception (Omer Gil, BH 2017). `/profile/avatar.css` is served by the dynamic `profile` endpoint but cached under the `.css` extension rule → attacker fetches a victim's private content from the public cache.
This module produces the WIRE PAYLOADS for each poisoning shape. The operator wraps them in real requests against the target’s CDN edge and verifies via a second-fetch from a clean origin.
Coverage:
- X-Forwarded-Host / X-Forwarded-Scheme / X-Forwarded-Port
- X-Original-URL / X-Rewrite-URL (IIS / Symfony / Akamai)
- X-Forwarded-For with internal IP (origin trust)
- X-Host (Akamai)
- Forwarded (RFC 7239)
- X-Backend-Host
- X-Real-IP
- X-HTTP-Method-Override (cache-key on body, action on method)
- Web cache deception (5 extensions × N path-traversal forms)
- Status code poisoning (404 cached as 200)
- Vary header confusion (cache stores N variants based on a header the origin doesn’t actually vary on)
- HTTP/2 header injection that translates to H1 cache-key
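An edge-side detection check covering the shapes in this list, added here as an example in Rust; it is not code from this crate. It flags inbound client requests that carry override headers the edge should be setting itself, a loopback or private address in X-Forwarded-For/X-Real-IP, an RFC 7239 `host=` that disagrees with Host, and the cache-deception and normalization path shapes. The override-header list, the static-extension list and all sample values are constructed assumptions.

```rust
use std::net::IpAddr;

// Headers an edge sets itself; present on an inbound client request they are a
// poisoning indicator. Hypothetical detection rule, not part of the crate.
const OVERRIDE_HEADERS: &[&str] = &[
    "x-forwarded-host", "x-host", "x-backend-host", "x-forwarded-scheme", "x-forwarded-proto",
    "x-forwarded-port", "x-original-url", "x-rewrite-url", "x-http-method-override",
];
// Extensions a typical static-asset cache rule keys on (constructed list).
const STATIC_EXTS: &[&str] = &[".css", ".js", ".png", ".jpg", ".ico"];

// True if any comma-separated entry is a loopback or RFC 1918 address.
fn is_loopback_or_private(v: &str) -> bool {
    v.split(',').map(str::trim).any(|s| match s.parse::<IpAddr>() {
        Ok(IpAddr::V4(a)) => a.is_loopback() || a.is_private(),
        Ok(IpAddr::V6(a)) => a.is_loopback(),
        Err(_) => false,
    })
}

/// Audit one inbound request at the cache edge; returns every poisoning shape
/// it matches (empty for a clean request).
pub fn audit_request(path: &str, headers: &[(&str, &str)]) -> Vec<String> {
    let mut findings = Vec::new();
    let host = headers.iter().find(|(n, _)| n.eq_ignore_ascii_case("host")).map(|(_, v)| *v);
    for (name, value) in headers {
        let n = name.to_ascii_lowercase();
        if OVERRIDE_HEADERS.contains(&n.as_str()) {
            findings.push(format!("unkeyed override header {name}: {value}"));
        } else if n == "forwarded" {
            // RFC 7239 `host=` parameter that disagrees with the keyed Host header
            let mismatch = value.split(';').map(str::trim)
                .filter_map(|p| p.strip_prefix("host="))
                .any(|h| Some(h.trim_matches('"')) != host);
            if mismatch { findings.push(format!("Forwarded host differs from Host: {value}")); }
        } else if (n == "x-forwarded-for" || n == "x-real-ip") && is_loopback_or_private(value) {
            findings.push(format!("loopback/private address in {name}: {value}"));
        }
    }
    let lower = path.to_ascii_lowercase();
    // Null byte, semicolon or dot-dot ahead of a static suffix: the deception forms listed above.
    let delimiter = ["%00", "\0", ";", "/.."].iter().any(|d| lower.contains(d));
    if STATIC_EXTS.iter().any(|e| lower.ends_with(e)) && delimiter {
        findings.push(format!("web cache deception shape: {path}"));
    }
    if ["//", "/./", "/../"].iter().any(|d| lower.contains(d)) {
        findings.push(format!("cache key normalization shape: {path}"));
    }
    findings
}
```

A non-empty result is a signal to log and to strip the offending headers before the request reaches the origin, not proof of exploitation; legitimate upstream proxies that set these headers should be allow-listed ahead of this check.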
Functions
- `all_cache_poison_payloads`: One-shot fan-out — every cache poisoning primitive for one (attacker_host, target_path). Returns ~20 variants.
- `cache_key_normalization_variants`: Cache key normalization disagreement payloads. Each is a URL shape where the cache and origin disagree on whether two requests share a key.
- `forwarded_rfc7239`: RFC 7239 `Forwarded` header. Some CDNs trust this even when they don't trust the X-Forwarded-* family.
- `h2_authority_split`: HTTP/2 pseudo-header injection. The `:authority` H2 pseudo-header can be set independently from `Host`. Some H2-to-H1 translators key the cache on `Host` but route the request via `:authority`.
- `loopback_trust_header`: X-Real-IP / X-Forwarded-For with a private/loopback IP — some applications grant elevated trust to loopback. The cache key isn't affected.
- `status_code_poison_header`: Status code poisoning. The cache stores a response with a 200 status header but a body containing 404 content (so the victim sees "not found" presented as successful). The operator triggers it via an attacker header that flips the origin's branch.
- `vary_header_confusion`: Vary header confusion. The origin sets `Vary: User-Agent` but returns the same body regardless of UA. The cache stores N copies, one per attacker UA — each can carry distinct poison.
- `web_cache_deception_paths`: Web cache deception path: append a cacheable extension to a dynamic endpoint. `/profile` is dynamic, `/profile/avatar.css` is the deception payload — the cache fetches and stores it under .css while the origin serves the profile dynamically.
- `x_backend_host`: X-Backend-Host: an origin trust trick for setups where the LB has different rules for "backend" host headers.
- `x_forwarded_host`: Build the `X-Forwarded-Host` poisoning header. The attacker host is what the origin sees; the cache stores under the legitimate Host so victims get the poisoned response.
- `x_forwarded_port`: Build `X-Forwarded-Port`. The origin may reflect the port in generated URLs (canonical link tags, redirects). The cache stores under the standard port.
- `x_forwarded_scheme`: Build `X-Forwarded-Scheme` to flip the origin's view from HTTPS to HTTP (or vice versa). Often the origin redirects based on scheme; attacker-influenced redirects get cached.
- `x_host`: Akamai's flavor: `X-Host`.
- `x_original_url`: Build `X-Original-URL`/`X-Rewrite-URL`. IIS, Symfony and Akamai honor these as request-target overrides while the cache keys under the actual wire path.