Cache Poisoning Case Studies Part 1 Foundational Attacks Beh...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://herish.me/blog/cache-poisoning-case-studies-part-1-foundational-attacks/
• Blog Title: Cache Poisoning Case Studies Part 1: Foundational Attacks Behind a $100K+ Vulnerability Class
• Suggested Section: Pentesting Web -> Cache Poisoning and Cache Deception

🎯 Content Summary

This post is Part 1 of a three-part series and focuses on foundational web cache poisoning attacks using real bug bounty case studies. It explains how reverse proxies, CDNs, and server-side caches can be tricked into storing poisoned responses and serving them to many users, turning simple misconfigurations into high-impact issues such as global redirects, stored XSS, and large-scale DoS.
The article first clarifies why caches exist (for static files, API responses, HTML ...

🔧 Technical Details

Header-based cache poisoning via unkeyed proxy headers (X-Forwarded-Host / X-Forwarded-Scheme)
If reverse proxies or origin applications trust headers like X-Forwarded-Host or X-Forwarded-Scheme to build redirect URLs, canonical links, or Open Graph tags, but these headers are not in the cache key, a single request can poison the cache for all users. The attacker sends a request such as:

GET /path HTTP/1.1
Host: victim.com
X-Forwarded-Host: evil.com

The application uses evil.com in the response (e.g., in a Location: header or HTML), and the cache stores this response. Subsequent requests without X-Forwarded-Host still receive the poisoned redirect or content. This applies to global redirects, JS asset redirects, Open Graph fields, and more, effectively turning a per-request header into a stored, shared payload.

Co...

🤖 Agent Actions

Summary:

• Expanded the Cache Poisoning section with eight real-world case studies, detailing the exact headers, payloads, and workflows (X-Forwarded-Host/Scheme, Content-Type + PURGE, method overrides, Host casing, etc.) so readers can reproduce the poisoning primitives and understand their impact.
• Added concrete command and script snippets that show how to weaponize PURGE endpoints, automate repeated poisoning attempts, and validate cache persistence across hosts/assets.
• Documented safe-testing practices (cache busters) and multi-domain blast-radius validation, and cited the source blog in the References section.

Tests: Not run (not requested).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://herish.me/blog/cache-poisoning-case-studies-part-1-foundational-attacks/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Cache Poisoning and Cache Deception".

Repository Maintenance:

• MD Files Formatting: 913 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0