[AI] Web Cache Poisoning Vulnerability Scanner
Detects 'Cache Poisoning' vulnerability in Web services. Identifies header-based reflection and checks whether poisoned content persists across cached responses to help prevent cache manipulation attacks.
Short Info
Level
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
8 days 9 hours
Scan only one
Domain, Subdomain, IPv4
Web servers and content delivery networks utilize caching mechanisms to improve performance by storing copies of frequently accessed resources. These systems are widely used by organizations of all sizes to reduce latency and server load for end-users. Administrators deploy caching layers like Varnish, Nginx, or cloud-based CDNs to handle high traffic volumes efficiently. The primary purpose is to serve content faster without regenerating it for every single request. This technology is fundamental to the modern internet infrastructure and user experience. However, if not configured correctly, the mechanism meant to speed up delivery can become a vector for attacks.
Cache Poisoning occurs when an attacker manipulates the cache to store a malicious response that is subsequently served to other users. This vulnerability arises when the application uses unkeyed inputs, such as HTTP headers, to generate the response but does not include them in the cache key. Attackers can force the cache to save a harmful version of a page, such as one containing a cross-site scripting payload. Once cached, this malicious content is delivered to legitimate users who request the same resource. The integrity of the application is compromised as the cache serves tainted data. This attack vector can persist until the cache entry expires or is manually purged.
The scanner targets the web server by sending requests with manipulated HTTP headers such as Host, X-Forwarded-Host, and X-Forwarded-For. It identifies whether the server reflects these headers in the response body while simultaneously caching the output. Specifically, the script injects a unique marker into each of these headers and checks whether the marker appears in the returned content. It then re-requests the same URL and checks whether the X-Cache header reports a HIT. A HIT together with the marker still present in the body confirms that the manipulated response has been stored in the cache and is being served to other users. The vulnerable endpoint is any URL where the cache configuration allows unkeyed header reflection.
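To make both the mechanism from the previous paragraph and the scanner's two-step check concrete, here is an added Python simulation that is not the scanner's own code. It models a toy origin that reflects X-Forwarded-Host (falling back to Host) into an absolute script URL, a shared cache whose key may or may not fold in those headers, and a defender-side check that sends a marker, looks for reflection, then re-requests the URL as an ordinary user would and inspects X-Cache. The header names, the marker value and the cache-buster query parameter are assumptions of the simulation.

```python
"""Simulation of unkeyed-header cache poisoning and the reflection/persistence check.

Added example (not the scanner's code). The origin, cache and header set
are constructed for the simulation.
"""
from dataclasses import dataclass, field

PROBE_HEADERS = ("Host", "X-Forwarded-Host", "X-Forwarded-For")
MARKER = "cpmarker7f3a"  # constructed unique marker, not a real payload


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def origin(path: str, headers: dict) -> Response:
    """Toy origin: builds an absolute asset URL from X-Forwarded-Host,
    falling back to Host. Trusting these headers is the application flaw."""
    host = headers.get("X-Forwarded-Host", headers.get("Host", "example.test"))
    body = f'<html><script src="https://{host}/static/app.js"></script></html>'
    return Response(200, {"Content-Type": "text/html"}, body)


@dataclass
class Cache:
    """Shared cache in front of the origin. `keyed_headers` lists the request
    headers folded into the cache key (the mitigation); an empty tuple
    reproduces the vulnerable setup where only the path is keyed."""
    keyed_headers: tuple = ()
    store: dict = field(default_factory=dict)

    def fetch(self, path: str, headers: dict) -> Response:
        key = (path,) + tuple(headers.get(h, "") for h in self.keyed_headers)
        if key in self.store:
            r = self.store[key]
            return Response(r.status, {**r.headers, "X-Cache": "HIT"}, r.body)
        r = origin(path, headers)
        self.store[key] = r
        return Response(r.status, {**r.headers, "X-Cache": "MISS"}, r.body)


def check_poisonable(fetch, path: str) -> dict:
    """Defender-side check mirroring the scanner's two steps per probe header:
    1) send the marker and see whether it is reflected in the body;
    2) re-request the URL *without* the marker (what a normal user sends) and
       see whether the cache answers HIT with the marked body.
    Each header gets its own cache-buster query so probes do not interfere
    with each other or with the real cache entry (assumed `cb` parameter)."""
    findings = {}
    for i, header in enumerate(PROBE_HEADERS):
        busted = f"{path}?cb={i}"
        probe = fetch(busted, {"Host": "victim.test", header: MARKER})
        reflected = MARKER in probe.body
        plain = fetch(busted, {"Host": "victim.test"})
        hit = plain.headers.get("X-Cache", "").upper() == "HIT"
        findings[header] = {"reflected": reflected, "persisted": hit and MARKER in plain.body}
    return findings


def second_user_sees_marker(cache: Cache, path: str) -> bool:
    """Reproduces the paragraph's scenario: one poisoned request, then a
    clean request from another user to the same path."""
    cache.fetch(path, {"Host": "victim.test", "X-Forwarded-Host": MARKER})
    victim = cache.fetch(path, {"Host": "victim.test"})
    return MARKER in victim.body


if __name__ == "__main__":
    print("unkeyed:", check_poisonable(Cache().fetch, "/"))
    print("keyed:  ", check_poisonable(Cache(keyed_headers=("Host", "X-Forwarded-Host")).fetch, "/"))
```

In the output, `reflected` alone flags the application-level trust in a request header, while `persisted` is what turns it into cache poisoning: the same finding reads `reflected: True, persisted: False` once the cache keys on (or the origin stops trusting) the header, which is the mitigation the check is meant to verify.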
Exploitation of this vulnerability can lead to the widespread distribution of malicious content to unsuspecting users. Attackers can carry out Cross-Site Scripting attacks by injecting malicious scripts that are cached and then served to victims. It can also result in a Denial of Service if the attacker forces the cache to store error pages or empty responses. Users might be redirected to malicious websites if the Host header is successfully poisoned. Sensitive information could be intercepted or modified depending on the nature of the poisoned content. The reputation of the affected organization may suffer due to the delivery of compromised resources.