Web Cache Poisoning

00 — Overview

Web Cache Poisoning

Force a cache to serve your malicious response to every user who requests a page. By injecting unkeyed headers into a cacheable request, you can deliver XSS or redirects to thousands of victims.

Intermediate·45 min·5 tasks

// By the end of this module

→Explain cache keys and why unkeyed headers create a poisoning surface

→Detect cached responses using Age, X-Cache, and CF-Cache-Status headers

→Find reflected unkeyed headers using canary values and confirm cacheability

→Execute a cache poisoning attack that delivers stored XSS to all visitors

→Apply Vary headers, strip unneeded proxy headers, and use Cache-Control: no-store

// Prerequisites

Complete these before starting this module for the best experience.

Foundation · Beginner

How the Web Works

45 min

→

Injection · Beginner

Cross-Site Scripting (XSS)

35 min

→

Web Security · Intermediate

Host Header Attacks

40 min

→