One of the easiest yet highly overlooked vulnerabilities in bug bounty hunting is cache poisoning. Recently, I found a simple misconfiguration that allowed me to poison a website’s cache and deliver attacker-controlled content to all users! 💥 This led to a quick $500 bounty, and in this guide, I’ll show you how I did it step by step.
While testing a large website, I noticed it was using CDN-based caching (like Cloudflare, Akamai, or Fastly). These caching mechanisms store responses so they can be served faster. However, if the cache ignores a header that the origin uses to build the response, an attacker can get a manipulated response stored and served to all users. 🚨
To check for caching behavior, I sent a simple curl request:
curl -I https://target.com/page
Response:
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
X-Cache: HIT
🚀 Key Findings:
Cache-Control: public → The response can be cached.
X-Cache: HIT → The page is cached and being served from cache.
Many caching servers don’t correctly handle unkeyed headers (headers that don’t form part of the cache key, so a response that depends on them is stored under the same key as one that doesn’t). One common vulnerability is Host header poisoning.
I sent a request with a malicious Host header:
GET /page HTTP/1.1
Host: evil.com
X-Forwarded-Host: evil.com
If the server processes this header incorrectly, it caches the modified response for all users! 😈
To check if my payload worked, I made a request as a normal user:
curl -I https://target.com/page
And the response came back with my injected Host header!
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content: evil.com attack successful!
X-Cache: HIT
🚨 Impact:
✅ Attackers can serve malicious content (phishing pages, fake login forms, etc.).
✅ Stored XSS can be injected, affecting thousands of users.
✅ Critical resources like login or checkout pages can be poisoned.
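The mechanism described above (an origin that builds its response from a header the cache does not key on, so the poisoned response is stored and replayed for everyone) can be modelled in a few lines. The following Python is an added example and is not code from the original post or from any CDN vendor: it uses a toy shared cache keyed on method, path and Host, a vulnerable origin that reflects X-Forwarded-Host into a script URL, and two hardened variants, one that only honours allowlisted hosts and one that declares the header in Vary so the cache keys on it. It also includes the Cache-Control check from the tips (is a response storable by a shared cache at all). The hostnames, path and allowlist are constructed for the example.

```python
"""Toy shared cache plus three origin variants: how an unkeyed X-Forwarded-Host
header poisons cached responses, and two ways an origin can stop it.
All hosts, paths and the allowlist below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed allowlist of hostnames this origin is willing to build URLs for.
ALLOWED_HOSTS = {"target.com", "www.target.com"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def is_shared_cacheable(cache_control: str) -> bool:
    """True when a shared cache (CDN) may store the response: 'public' is present
    and no directive forbids shared storage (the 'Cache-Control: public' check)."""
    directives = {d.strip().split("=")[0].lower()
                  for d in cache_control.split(",") if d.strip()}
    if directives & {"no-store", "private"}:
        return False
    return "public" in directives


def origin_unvalidated(req: Request) -> Response:
    """Vulnerable origin: trusts X-Forwarded-Host when building an absolute URL."""
    host = req.headers.get("X-Forwarded-Host") or req.headers["Host"]
    body = f'<script src="https://{host}/static/app.js"></script>'
    return Response(body, {"Cache-Control": "public, max-age=3600"})


def origin_validated(req: Request) -> Response:
    """Fix 1: honour the forwarded host only if allowlisted, else fall back to Host."""
    forwarded = req.headers.get("X-Forwarded-Host", "")
    host = forwarded if forwarded in ALLOWED_HOSTS else req.headers["Host"]
    body = f'<script src="https://{host}/static/app.js"></script>'
    return Response(body, {"Cache-Control": "public, max-age=3600"})


def origin_varied(req: Request) -> Response:
    """Fix 2: still reflects the header but lists it in Vary, so the cache keys on it
    and an attacker's variant is never served to a request without that header."""
    resp = origin_unvalidated(req)
    resp.headers["Vary"] = "X-Forwarded-Host"
    return resp


class SharedCache:
    """Toy CDN cache keyed on (method, path, Host); honours Vary on stored entries."""

    def __init__(self):
        self.store = {}  # key -> list of (vary_values, Response)

    def handle(self, req: Request, origin) -> Response:
        key = (req.method, req.path, req.headers.get("Host"))
        for vary_values, cached in self.store.get(key, []):
            if all(req.headers.get(h) == v for h, v in vary_values.items()):
                return Response(cached.body, {**cached.headers, "X-Cache": "HIT"})
        resp = origin(req)
        if is_shared_cacheable(resp.headers.get("Cache-Control", "")):
            vary = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
            vary_values = {h: req.headers.get(h) for h in vary}
            self.store.setdefault(key, []).append((vary_values, resp))
        return Response(resp.body, {**resp.headers, "X-Cache": "MISS"})


def simulate(origin) -> tuple:
    """One request carrying X-Forwarded-Host, then one ordinary user request.
    Returns (ordinary user saw the injected host, ordinary user's X-Cache value)."""
    cache = SharedCache()
    cache.handle(Request("GET", "/page",
                         {"Host": "target.com", "X-Forwarded-Host": "evil.com"}), origin)
    victim = cache.handle(Request("GET", "/page", {"Host": "target.com"}), origin)
    return ("evil.com" in victim.body, victim.headers["X-Cache"])


if __name__ == "__main__":
    for name, origin in [("unvalidated", origin_unvalidated),
                         ("validated", origin_validated),
                         ("varied", origin_varied)]:
        print(name, simulate(origin))
```

Running it shows the unvalidated origin hands the ordinary user a cached page pointing at the injected host, the allowlisted origin serves a cache hit that never contained it, and the Vary variant forces a cache miss for requests without the header. Of the two fixes, the allowlist is the one to prefer: Vary on a request header an attacker controls fragments the cache and still reflects untrusted input, whereas refusing to build URLs from an unknown host removes the problem at the source.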
Once I confirmed the bug, I immediately reported it via the bug bounty platform. Since it could be used for phishing or spreading malware, the security team acknowledged the risk and paid a quick $500 bounty! 💰🔥
1️⃣ Always check for cacheable responses (Cache-Control: public).
2️⃣ Test different unkeyed headers (e.g., X-Forwarded-Host, X-Original-URL).
3️⃣ Look for CDN misconfigurations (Fastly, Cloudflare, Akamai).
4️⃣ Report responsibly—cache poisoning can be dangerous!
🛡️ Subscribe for Cybersecurity Videos: youtube.com/@theindiannetwork
💌 Need Ethical Hacking Consultation? Contact: theindiannetwork@protonmail.com