Reflected XSS via Cache Poisoning

During a recent penetration test of a web application, we discovered a Cross-Site Scripting (XSS) via caching vunlerabillity. This article explores the discovery, exploitation, and mitigation of this issue to help developers and security professionals better understand and protect against similar vulnerabilities.

The Role of Caching

Caching is a performance enhancement technique used to store copies of web pages or resources to reduce server load and improve load times for users. However, if not implemented securely, it can introduce significant security risks. In this case, the web application dynamically incorporated arbitrary GET parameters into the Document Object Model (DOM) to load various resources. When a proxy tool is used to inject malicious JavaScript code into the URL, it initially results in a self-XSS, which affects only the attacker.

However, the caching mechanism can store this self-XSS payload, converting it into a persistent XSS attack. When other users access the cached version of the page, they are served the malicious script, thus extending the attack’s impact.

In this example, an image tag with an onerror event is injected into the URL parameter. When the server processes this request, the parameter is reflected in the HTML response and cached. Consequently, subsequent users requesting the cached page will execute the malicious JavaScript.