Web Cache Poisoning Lab

Welcome to the Cache Poisoning Lab. In this lab you will have the opportunity to experiment with some of the vulnerabilities presented in the brilliant paper Practical Web Cache Poisoning by James Kettle.

I'll give a few pointers in the various labs, but not too much as James has given a good walk through of exploiting each issue in his post.

To prevent people interfering with each other as they run their tests, everyone gets their own host to work on. For this session, your host will be https://299a2a60.poison.digi.ninja:2443, but this will change whenever you refresh this page.

Basic

A basic poison, affecting all visitors to the page.

Go to lab

Selective Poisoning

Poison a specific user agent. To test this, use two different browsers or a user agent switcher, to see how the poisoning affects one and not the other.

Go to lab

Redirects

Use a bug in internal redirection to redirect all Chrome users who access the page to one you control.

From my testing, I was not able to get PHP and Varnish to work together to cache a 301 or 302 redirect, so this exercise uses a meta redirect.

Go to exercise

Timing

All the other exercises give the Age header so you know how long you have to wait for the current cache entry to expire so you can launch your attack. This exercise hides the value so you have to derive it for yourself. The value is between 10 and 30 seconds and you do not need to DoS the server to work it out.

Go to exercise

Routing

This server hosts both this site and my main "digi.ninja" site, it also hosts a "secret" site. Use the broken proxy to redirect users to my main site or to access the secret site.

Go to exercise


Lab created by Robin Wood - DigiNinja