
Module cache_poison


HTTP cache poisoning payloads: X-Forwarded-Host/Scheme/Port, X-Original-URL, X-Host (Akamai), Forwarded (RFC 7239), X-Backend-Host, loopback-trust headers, web cache deception paths (5 extensions × null-byte / semicolon / traversal forms), cache key normalization variants, Vary header confusion, status code poisoning, HTTP/2 :authority split. HTTP cache poisoning payload library.

Cache poisoning is the class of attack where the attacker manipulates a cache (CDN edge, proxy, origin reverse-cache) into storing a response for a benign request with attacker-controlled content. Future victims requesting the same cache key receive the poisoned response.

Three layers:

  1. Unkeyed input poisoning. The cache key consists of Host + path + some headers. Inputs the cache DOESN’T key on (X-Forwarded-Host, X-Forwarded-Scheme, X-Original-URL, Forwarded, etc.) reach the origin and influence the response body, but the cache stores under the BENIGN key.
  2. Cache key normalization. The cache normalizes path/query differently from the origin. /admin/ (cache) and /admin// (origin) hit different origin endpoints but share one cache entry.
  3. Web cache deception (Omer Gil, BH 2017). /profile/avatar.css is served by the dynamic profile endpoint but cached under the .css extension rule → attacker fetches a victim’s private content from the public cache.
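As an added defender-side example (not code from this crate): an edge policy that closes layers 1 and 3 above by stripping the unkeyed override headers before the origin sees them, and by replacing the extension-based store rule with one that requires the origin's explicit opt-in. The header list, the `OriginResponse` fields and the function names are assumptions made for the illustration.

```rust
use std::collections::BTreeMap;

/// Request headers an origin may honour but a typical cache never keys on
/// (the unkeyed inputs listed in this module). Assumed list for the example.
const UNKEYED_HEADERS: &[&str] = &[
    "x-forwarded-host", "x-forwarded-scheme", "x-forwarded-port",
    "x-original-url", "x-rewrite-url", "x-host", "forwarded",
    "x-backend-host", "x-http-method-override",
];

/// Drop unkeyed override headers before forwarding to the origin.
/// Returns the names removed so the edge can log them as a poisoning signal.
pub fn strip_unkeyed(headers: &mut BTreeMap<String, String>) -> Vec<String> {
    let mut removed = Vec::new();
    headers.retain(|name, _| {
        let drop = UNKEYED_HEADERS.contains(&name.to_ascii_lowercase().as_str());
        if drop {
            removed.push(name.clone());
        }
        !drop
    });
    removed
}

/// The origin response fields a store decision has to inspect (assumed shape).
pub struct OriginResponse<'a> {
    pub status: u16,
    pub content_type: &'a str,
    pub cache_control: Option<&'a str>,
    pub set_cookie: bool,
}

/// Naive edge rule: store anything whose path ends in a static extension.
/// This is exactly the rule web cache deception abuses.
pub fn naive_cacheable(path: &str) -> bool {
    [".css", ".js", ".png", ".jpg", ".ico"].iter().any(|e| path.ends_with(e))
}

/// Hardened rule: store only a 200 the origin explicitly marked public,
/// with no Set-Cookie and a Content-Type that agrees with the extension.
pub fn hardened_cacheable(path: &str, resp: &OriginResponse) -> bool {
    let explicit_public = resp.cache_control.map_or(false, |cc| {
        cc.contains("public") && !cc.contains("private") && !cc.contains("no-store")
    });
    let static_type = !resp.content_type.starts_with("text/html");
    resp.status == 200 && explicit_public && !resp.set_cookie
        && naive_cacheable(path) && static_type
}
```

Under the hardened rule `/profile/avatar.css` served as a cookie-bearing HTML page is never stored, and a non-200 response is never stored under a 200 key.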

This module produces the WIRE PAYLOADS for each poisoning shape. The operator wraps them in real requests against the target’s CDN edge and verifies via a second fetch from a clean origin.

Coverage:

  • X-Forwarded-Host / X-Forwarded-Scheme / X-Forwarded-Port
  • X-Original-URL / X-Rewrite-URL (IIS / Symfony / Akamai)
  • X-Forwarded-For with internal IP (origin trust)
  • X-Host (Akamai)
  • Forwarded (RFC 7239)
  • X-Backend-Host
  • X-Real-IP
  • X-HTTP-Method-Override (cache-key on body, action on method)
  • Web cache deception (5 extensions × N path-traversal forms)
  • Status code poisoning (404 cached as 200)
  • Vary header confusion (cache stores N variants based on a header the origin doesn’t actually vary on)
  • HTTP/2 header injection that translates to H1 cache-key

Functions

all_cache_poison_payloads
One-shot fan-out — every cache poisoning primitive for one (attacker_host, target_path). Returns ~20 variants.
cache_key_normalization_variants
Cache key normalization disagreement payloads. Each is a URL shape where the cache and origin disagree on whether two requests share a key.
forwarded_rfc7239
RFC 7239 Forwarded header. Some CDNs trust this even when they don’t trust the X-Forwarded-* family.
h2_authority_split
HTTP/2 pseudo-header injection. The :authority H2 pseudo-header can be set independently from Host. Some H2-to-H1 translators key the cache on Host but route the request via :authority.
loopback_trust_header
X-Real-IP / X-Forwarded-For with private/loopback IP — some applications grant elevated trust to loopback. Cache key isn’t affected.
status_code_poison_header
Status code poisoning. Cache stores response with 200-status header but body containing 404 content (so victim sees “not found” presented as successful). Operator triggers via attacker header that flips the origin’s branch.
vary_header_confusion
Vary header confusion. Origin sets Vary: User-Agent but returns the same body regardless of UA. Cache stores N copies, one per attacker UA — each can carry distinct poison.
web_cache_deception_paths
Web cache deception path: append a cacheable extension to a dynamic endpoint. /profile is dynamic, /profile/avatar.css is the deception payload — cache fetches and stores under .css, origin serves the profile dynamically.
x_backend_host
X-Backend-Host: an origin trust trick for setups where the LB has different rules for “backend” host headers.
x_forwarded_host
Build the X-Forwarded-Host poisoning header. The attacker host is what the origin sees; the cache stores under the legitimate Host so victims get the poisoned response.
x_forwarded_port
Build X-Forwarded-Port. Origin may reflect the port in generated URLs (canonical link tags, redirects). Cache stores under the standard port.
x_forwarded_scheme
Build X-Forwarded-Scheme to flip the origin’s view from HTTPS to HTTP (or vice versa). Often the origin redirects based on scheme — attacker-influenced redirects get cached.
x_host
Akamai’s flavor: X-Host.
x_original_url
Build X-Original-URL / X-Rewrite-URL. IIS, Symfony, Akamai honor these as request-target overrides while the cache keys under the actual wire path.