We found a webpage :

We were provided with an exploit server where we could host our own URL and craft responses, so we could attack the web page:

We intercepted the request when accessing the page using Burp Suite and were able to see that the response contains an X-Cache header with the value miss.

We sent the request to Repeater, sent the GET request multiple times, and were able to see that the X-Cache value was returned as hit:

We sent a plain GET request to / and saw this response:

We added a second Host header and sent the request multiple times so it would get cached by the server. We could see that our malicious host was reflected in the page, which loads a JavaScript file from that host:

We edited our exploit server request as needed, sent the request multiple times, and were able to exploit it:

  • Since the response containing our malicious host was cached on the server side, when the victim visited the page the poisoned response was served from the cache, and the JavaScript file was loaded from our host and the malicious JavaScript executed.
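As an added defensive illustration (not code from the lab or this writeup), the following Python shows two checks a front end can apply against this class of poisoning: refuse requests that are ambiguous because they carry more than one Host header (or a host the origin does not serve), and include the Host value in the cache key so a response generated for one host is never replayed to visitors of another. ALLOWED_HOSTS and the sample requests are constructed values.

```python
from typing import List, Tuple

# Constructed allowlist of virtual hosts this origin actually serves.
ALLOWED_HOSTS = {"shop.example"}

# Constructed sample requests: a clean one and one with a second Host header.
CLEAN_REQUEST = "GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"
DUPLICATE_HOST_REQUEST = (
    "GET / HTTP/1.1\r\nHost: shop.example\r\nHost: attacker.example\r\n\r\n"
)


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into (request line, [(name, value)]).

    Names are lower-cased and every occurrence is kept, so duplicates stay visible.
    """
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def reject_reason(raw: str) -> str:
    """Return "" if the request may be served and cached, else why to refuse it.

    Two Host headers make the request ambiguous: the cache may key on one value
    while the application builds its script URL from the other, which is what
    lets a poisoned response be stored and replayed to later visitors.
    """
    _, headers = parse_headers(raw)
    hosts = [v for n, v in headers if n == "host"]
    if len(hosts) != 1:
        return f"ambiguous request: {len(hosts)} Host headers"
    if hosts[0].lower() not in ALLOWED_HOSTS:
        return f"Host {hosts[0]!r} is not a configured virtual host"
    return ""


def cache_key(raw: str) -> str:
    """Cache key that includes Host, so a response built for one host is never
    served to visitors of another. Call only after reject_reason() returned ""."""
    request_line, headers = parse_headers(raw)
    method, path, _ = request_line.split(" ", 2)
    host = next(v for n, v in headers if n == "host")
    return f"{method} {host.lower()}{path}"
```

Rejected requests should also be logged with the full set of Host values seen, since repeated duplicate-Host requests against a cacheable path are the signal a defender would want to alert on.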