From 1adc897f3f27326248f0177cc37731adb341221f Mon Sep 17 00:00:00 2001
From: Ayden Colby
Date: Sun, 2 Oct 2022 19:35:04 -0400
Subject: [PATCH 1/3] Update cache-poisoning-fuzz.yaml
Proposed fixes to cache-poisoning-fuzz.yaml based on issue #5070
What I believe was wrong before:
- The author of this template used the {{uniq}} in three places in the template, however, all three values are different with each pair of requests. This means that the cache buster query changes between request 1 and request 2, causing cache poisoning detection to not work properly.
Implemented fixes:
- Changed the cache buster query to be the same for request 1 and request 2, allowing for proper cache poisoning detection
- Used the consistent {{randstr}} preprocessor as the value for headers, since {{uniq}} would not be detected in the matchers as it changes every call
- Used the same User-Agent for each request, as having user agents change between request 1 and request 2 could cause a cache to miss
- Added a matching condition for {{randstr}} to exist in both responses to avoid false positives
- Added reference to portswigger's web cache poisoning lesson
Side notes:
- The tag "fuzz" for some reason caused errors on my nuclei instance, but "fuzzing" would not. However, I left it alone in case it is just a local issue
- Template tested on and properly detected web cache poisoning for https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws/lab-web-cache-poisoning-targeted-using-an-unknown-header
---
 fuzzing/cache-poisoning-fuzz.yaml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/fuzzing/cache-poisoning-fuzz.yaml b/fuzzing/cache-poisoning-fuzz.yaml
index dd3e14d2a39..e765d404042 100644
--- a/fuzzing/cache-poisoning-fuzz.yaml
+++ b/fuzzing/cache-poisoning-fuzz.yaml
@@ -6,29 +6,35 @@ info:
 severity: info
 reference:
 - https://youst.in/posts/cache-poisoning-at-scale/
- tags: cache,fuzz
+ - https://portswigger.net/web-security/web-cache-poisoning
+ tags: fuzz,cache
 requests:
 - raw:
 - |
- GET /?{{uniq}}=1 HTTP/1.1
+ GET /?{{md5(headers)}}=1 HTTP/1.1
 Host: {{Hostname}}
- {{headers}}: {{uniq}}.tld
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
+ {{headers}}: {{randstr}}
 - |
- GET /?{{uniq}}=1 HTTP/1.1
+ GET /?{{md5(headers)}}=1 HTTP/1.1
 Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
 attack: clusterbomb
 payloads:
- uniq:
- - "{{md5(rand_text_numeric(32))}}"
 headers: helpers/wordlists/headers.txt
 stop-at-first-match: true
 req-condition: true
+ matchers-condition: and
+
 matchers:
 - type: dsl
 dsl:
- - 'contains(body_2, "{{uniq}}")'
+ - 'contains(body_1, "{{randstr}}")'
+ - type: dsl
+ dsl:
+ - 'contains(body_2, "{{randstr}}")'
From 70d9e4e175b0a8d123c57060706e0ba2678e568c Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Wed, 1 Feb 2023 14:23:01 +0530
Subject: [PATCH 2/3] updated matcher part
---
 fuzzing/cache-poisoning-fuzz.yaml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/fuzzing/cache-poisoning-fuzz.yaml b/fuzzing/cache-poisoning-fuzz.yaml
index e765d404042..5114481413c 100644
--- a/fuzzing/cache-poisoning-fuzz.yaml
+++ b/fuzzing/cache-poisoning-fuzz.yaml
@@ -2,7 +2,7 @@ id: cache-poisoning-fuzz
 info:
 name: Cache Poison Fuzzing
- author: dwisiswant0
+ author: dwisiswant0,ColbyJack1134
 severity: info
 reference:
 - https://youst.in/posts/cache-poisoning-at-scale/
@@ -27,14 +27,9 @@ requests:
 headers: helpers/wordlists/headers.txt
 stop-at-first-match: true
- req-condition: true
-
- matchers-condition: and
-
 matchers:
 - type: dsl
 dsl:
 - 'contains(body_1, "{{randstr}}")'
- - type: dsl
- dsl:
 - 'contains(body_2, "{{randstr}}")'
+ condition: and
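Review bot: The new cache buster `GET /?{{md5(headers)}}=1` is identical on every run of the template, so on a target where the fuzzed header is unkeyed, a response poisoned by an earlier run (carrying that run's `{{randstr}}`) is what request 1 of the next run gets back until the entry expires; `contains(body_1, "{{randstr}}")` then fails and the target is reported clean for the rest of the TTL. Deriving the buster from the header name plus a per-run value, something like `GET /?{{md5(concat(headers, "{{randstr}}"))}}=1 HTTP/1.1`, keeps it identical across the two requests of a pair while giving each run a fresh cache key; keep `{{randstr}}` itself out of the URL, because a page that echoes its own URL would otherwise satisfy both matchers with no poisoning at all. With the `uniq` payload gone there is a single payload set, so `attack: clusterbomb` does nothing the default batteringram would not and can be dropped. A comment above the raw block should also record that a match means the buster URL on the target serves the injected value until the cache TTL elapses, which is the side effect an operator reading a result needs to know about.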
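Review bot: Dropping `req-condition: true` in the second hunk leaves the matcher referencing `body_1` and `body_2`, which only exist when nuclei evaluates the DSL across both responses of the pair; unless the nuclei version this targets infers that mode from the `_1`/`_2` suffixes, the expressions evaluate against undefined variables and the template silently never matches. If that inference is being relied on, record the floor in the template, e.g. `# requires nuclei >= <VERSION>: body_N variables without req-condition` above `matchers:`; otherwise keep `req-condition: true`. Folding the two DSL matchers into one list with `condition: and` is equivalent to the previous `matchers-condition: and` and reads better.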
From 44a0a5c09b7580b7323cd8bfaea17422f488e558 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 10 Feb 2023 14:21:09 +0530
Subject: [PATCH 3/3] updated header
---
 fuzzing/cache-poisoning-fuzz.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fuzzing/cache-poisoning-fuzz.yaml b/fuzzing/cache-poisoning-fuzz.yaml
index 5114481413c..9c2f54b3be7 100644
--- a/fuzzing/cache-poisoning-fuzz.yaml
+++ b/fuzzing/cache-poisoning-fuzz.yaml
@@ -15,7 +15,7 @@ requests:
 GET /?{{md5(headers)}}=1 HTTP/1.1
 Host: {{Hostname}}
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
- {{headers}}: {{randstr}}
+ {{headers}}: {{randstr}}.tld
 - |
 GET /?{{md5(headers)}}=1 HTTP/1.1
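Review bot: The `.tld` suffix restored on `{{headers}}: {{randstr}}.tld` is explained neither in the template nor in the commit message, and patch 1/3 of this series removed it on purpose, so the next editor cannot tell which form is intended. Presumably it keeps the value hostname-shaped for headers whose value the origin only honours when it looks like a host — confirm — and that rationale belongs in a comment above the first raw request, e.g. `# .tld suffix: keep the injected value hostname-shaped for host-style headers`. The matchers still search for the bare `{{randstr}}`, so the suffix does not change detection either way.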