W-CACHE-POISONImpact

Web Cache Poisoning

Inject a payload via an unkeyed header (X-Forwarded-Host, X-Original-URL) — cache serves the poisoned response to everyone.

§ Where this technique fits

W-CACHE-POISON is catalogued under the Impact tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 1 on average.

§ Dossiers chaining this technique

Web cache poisoning → XSS → admin session hijack
An unkeyed header reflects into the response. Poison the cache with a payload, wait for an admin to fetch the cached page, exfiltrate their session.
step 1 / 6

§ What commonly comes next

01
Reflected XSS
W-XSS-REFLECTED · Impact
seen 1×
02
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Web cache poisoning → XSS → admin session hijack

§ What commonly comes next