In-depth solution to PortSwigger's "Combining web cache poisoning vulnerabilities" lab from the Web Security Academy.
👀 Check out the playlist https://www.youtube.com/playlist?list=PLGb2cDlBWRUUvoGqcCF1xe86AaRXGSMT5 for all my solutions to the Web Cache Poisoning labs from PortSwigger.
Try it yourself:
https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-combining-vulnerabilities
Timestamps:
00:00 - Start
00:40 - Identify a cache oracle
01:10 - Add a cache buster
01:39 - Find unkeyed inputs
02:35 - Explore X-Forwarded-Host input potential
06:29 - Identify the DOM XSS Source & Sink
07:25 - Inject a harmful response into the cache with the X-Forwarded-Host header
10:32 - How can we redirect all users to the Spanish homepage?
12:23 - Explore X-Original-URL input potential
15:37 - Figure out how the language setting works
16:05 - How can we get the /setlang/es? redirect cached?
18:22 - Inject a harmful response into the cache via X-Original-URL
19:28 - Chain the two vulnerabilities together