webPromedium

Lab 183 — ArticleFlow — Stored XSS via Fat GET Cache Poisoning

hackadvisor

Task: Blogging platform with JSONP localization endpoint behind Nginx cache; Express.js accepts GET body params while Nginx keys cache on URL only. Solution: Fat GET cache poisoning — override callback parameter via request body to inject XSS payload into cached JSONP response, exfiltrate admin cookies via same-origin comments API.

$ ls tags/ techniques/

xss nginx express admin_bot cookie_exfiltration web_cache_poisoning cache_key_manipulation callback_injection jsonp fat_get

admin_bot_exploitationsame_origin_exfiltrationjsonp_callback_injectionfat_get_cache_poisoningcache_timing_race

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 181 — PostFlow — Stored XSS via Cache Poisoning— hackadvisor
[web][Pro]PublishWave — XSS via HTTP Cache Poisoning— hackadvisor
[web][Pro]Lab 375 — PageFlow — Web Cache Deception via Path Normalization— hackadvisor
[web][Pro]Lab 72 — WriteFlow — Stored XSS via WYSIWYG Editor Sanitizer Bypass— hackadvisor
[web][Pro]Lab 378 — PulseBoard — Cache Poisoning XSS via Next.js Header Misclassification— hackadvisor