GitBook: [#3363] No subject

CPol 2022-08-12 17:01:26 +00:00 committed by gitbook-bot
parent b44bf643b0
commit 3323cf0c63
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -42,7 +42,8 @@ Usually when a response was **stored in the cache** there will be a **header ind
### Discovery: Caching 400 code
If you are thinking that the response is being stored in a cache, you could try to **send requests with a bad header**, which should be responded with a **status code 400**. Then try to access the request normally and if the **response is a 400 status code** , you know it's vulnerable (and you could even perform a DoS).\
If you are thinking that the response is being stored in a cache, you could try to **send requests with a bad header**, which should be responded with a **status code 400**. Then try to access the request normally and if the **response is a 400 status code**, you know it's vulnerable (and you could even perform a DoS).\
A bad configured header could be just `\:` as a header.\
_Note that sometimes these kind of status code aren't cached so this test will be useless._
### Discovery: Identify and evaluate unkeyed inputs
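Review bot: In the rewritten sentence under "Discovery: Caching 400 code", "access the request normally" is still ambiguous; it should say to request the same URL again without the bad header, since that is what shows the 400 was served from the cache. The same sentence mentions the DoS only in parentheses, yet the probe itself is what leaves the 400 cached for other visitors, so that consequence deserves its own sentence. The context lines need a pass as well: "A bad configured header" should read "A badly configured header", and "these kind of status code aren't cached" should read "these kinds of status codes aren't cached".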
@ -214,6 +215,7 @@ Other things to test:
* _www.example.com/profile.php/test.js_
* _www.example.com/profile.php/../test.js_
* _www.example.com/profile.php/%2e%2e/test.js_
* _Use less known extensions such as_ `.avif`
Another very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).\
In the example it is explained that if you load a non-existent page like _http://www.example.com/home.php/non-existent.css_ the content of _http://www.example.com/home.php_ (**with the users sensitive information**) is going to be returned and the cache server is going to save the result.\
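Review bot: The new bullet "Use less known extensions such as .avif" does not match the rest of this list, where every item is an example URL, and it does not say why the extension matters. Write it in the same form as its neighbours (for example www.example.com/profile.php/test.avif), or move it into a sentence after the list that ties it to the behaviour described in the paragraph below, where a path ending in .css is what makes the cache server save the response. "less known" should be "lesser-known", and in the context below "the users sensitive information" is missing its apostrophe.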
@ -229,6 +231,7 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
* [https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities](https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities)
* [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712)
* [https://youst.in/posts/cache-poisoning-at-scale/](https://youst.in/posts/cache-poisoning-at-scale/)
* [https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
<img src="../.gitbook/assets/image (307).png" alt="" data-size="original">
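Review bot: The references list in this hunk uses the bare URL as link text for every entry, including the bxmbn.medium.com one, so a reader cannot tell what each source covers or which part of the page it supports. Give each entry a descriptive title (the Medium URL slug already reads "how I test for web cache vulnerabilities, tips and tricks") and keep the URL only as the link target. The img tag that follows the list has an empty alt attribute; add a short description or drop the image if it is decorative.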