performing-web-cache-poisoning-attack


Performing Web Cache Poisoning Attack

When to Use

  • During authorized penetration tests when the application uses CDN or reverse proxy caching (Cloudflare, Akamai, Varnish, Nginx)
  • When assessing web applications for cache-based vulnerabilities that could affect all users
  • For testing whether unkeyed HTTP headers are reflected in cached responses
  • When evaluating cache key behavior and cache deception vulnerabilities
  • During security assessments of applications with aggressive caching policies

Prerequisites

  • Authorization: Written penetration testing agreement explicitly covering cache poisoning testing
  • Burp Suite Professional: With Param Miner extension for automated unkeyed header discovery
  • curl: For manual cache testing with precise header control
  • Target knowledge: Understanding of the caching layer (CDN provider, cache headers)
  • Cache buster: Unique query parameter to isolate test requests from other users
  • Caution: Cache poisoning affects all users; test with cache-busting parameters first

Installs: 37
GitHub Stars: 6.3K
First Seen: Mar 15, 2026