Install: claude install-skill abelrguezr/hacktricks-skills
# Cache Poisoning to DoS Testing
This skill helps you test for cache poisoning vulnerabilities where error responses from web servers get cached by upstream cache servers (CDNs, reverse proxies) and served to legitimate users, causing denial of service.
## ⚠️ Authorization Required
Only perform these tests on systems you own or have explicit written authorization to test. Unauthorized testing is illegal and unethical.
## Understanding the Attack
Cache poisoning to DoS works as follows:
1. A request is sent that the cache server considers valid and eligible for caching
2. The web server behind the cache responds with an error (400, 403, 404, 414, etc.)
3. The cache stores this error response
4. Legitimate users receive the cached error instead of the actual content
## Attack Vectors
### 1. HTTP Header Oversize (HHO)
Send a request with a header larger than the web server supports but smaller than the cache server supports.
**Test approach:**
- Start with a normal request
- Gradually increase header size
- Watch for 400 Bad Request responses that get cached
**Example:**
```bash
curl -H "X-Oversize-Header:$(python3 -c 'print("A"*10000)')" https://target.com/
```
**What to look for:**
- 400 Bad Request from web server
- Cache headers indicating the response was cached (e.g., `CF-Cache-Status: HIT`)
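The two signals above (an error status plus evidence that the response came from cache) can be checked mechanically on response heads captured from your own edge. The following is an added example, not part of the original skill: the function names and sample responses are constructed, and treating `X-Cache` and `Age` as cache indicators alongside the page's `CF-Cache-Status` is an assumption about the cache in use.

```python
"""Flag error responses that a shared cache stored and replayed to clients."""

# CF-Cache-Status is named on the page; X-Cache is an assumed equivalent
# emitted by other caches.
HIT_HEADERS = ("cf-cache-status", "x-cache")


def parse_response_head(raw):
    """Return (status_code, {lowercased header name: value}) from a raw head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])  # works for "HTTP/1.1 400 ..." and "HTTP/2 400"
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def served_from_cache(headers):
    """True if a hit marker is present or Age shows the object sat in a cache."""
    if any("hit" in headers.get(h, "").lower() for h in HIT_HEADERS):
        return True
    age = headers.get("age", "")
    return age.isdigit() and int(age) > 0


def cached_error(raw):
    """True when a 4xx/5xx response was served from cache, not from the origin."""
    status, headers = parse_response_head(raw)
    return 400 <= status <= 599 and served_from_cache(headers)


def flagged(samples):
    """Names of the samples that show a cached error, in input order."""
    return [name for name, raw in samples.items() if cached_error(raw)]


# Constructed sample response heads (not captured from any real system).
SAMPLES = {
    "poisoned": "HTTP/1.1 400 Bad Request\r\nCF-Cache-Status: HIT\r\nAge: 37\r\n\r\n",
    "origin_error": "HTTP/1.1 400 Bad Request\r\nCF-Cache-Status: MISS\r\n\r\n",
    "healthy": "HTTP/1.1 200 OK\r\nCF-Cache-Status: HIT\r\nAge: 120\r\n\r\n",
}

if __name__ == "__main__":
    print(flagged(SAMPLES))
```

An error that arrives with a `MISS` came straight from the origin and affects only that request; the same error arriving with a `HIT` or a non-zero `Age` is the one other users will receive.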
### 2. HTTP Meta Characters (HMC)
Send headers containing special characters that the web server rejects but the cache accepts.
**Test approach:**
- Try headers with `\n`, `\r`, `:`, or other