Kali Linux

Web Cache Vulnerability Scanner : A Go-based CLI Tool For Testing Web Cache Poisoning

Web Cache Vulnerability Scanner (WCVS) is a fast and versatile CLI scanner for web cache poisoning developed by Hackmanit.

The scanner supports many different web cache poisoning techniques, includes a crawler to identify further URLs to test, and can adapt to a specific web cache for more efficient testing. It is highly customizable and can be easily integrated into existing CI/CD pipelines.

Features

  • Support for 9 web cache poisoning techniques:
    • Unkeyed header poisoning
    • Unkeyed parameter poisoning
    • Parameter cloaking
    • Fat GET
    • HTTP response splitting
    • HTTP request smuggling
    • HTTP header oversize (HHO)
    • HTTP meta character (HMC)
    • HTTP method override (HMO)
  • Analyzing a web cache before testing and adapting to it for more efficient testing
  • Generating a report in JSON format
  • Crawling websites for further URLs to scan
  • Routing traffic through a proxy (e.g., Burp Suite)
  • Limiting requests per second to bypass rate limiting

Installation

Prebuilt binaries of WCVS are provided on the releases page. These releases include 2 default wordlists, as well.

Option 2: Fetch Repository Using Go

The repository can be fetched using Go.

go1.17 and higher

go install -v github.com/Hackmanit/Web-Cache-Vulnerability-Scanner@latest

go1.16 and lower

go get -u https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner

Option 3: Docker

  • Clone repository or download the latest source code release
  • Build image (the wordlists folder will also be copied)

$ docker build .
Sending build context to Docker daemon 29.54MB

Step 1/10 : FROM golang:latest AS builder
—> 05c8f6d2538a
Step 2/10 : WORKDIR /go/src/app
—> Using cache
—> f591f24be8cf
Step 3/10 : COPY . .
—> 38b358dd3472
Step 4/10 : RUN go get -d -v ./…
—> Running in 41f53de436c5
….
Removing intermediate container 9e2e84d14ff3
—> 1668edcf6ee3
Successfully built 1668edcf6ee3

Run wcvs

$ docker run -it 1668edcf6ee3 /wcvs –help
https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner
version 1.0.0

Usage

WCVS is highly customizable using its flags. Many of the flags can either contain a value directly or the path to a file.

The only mandatory flag is -u/--url to provide the target URL which should be tested for web cache poisoning. The target URL can be provided in different formats,

WCVS needs two wordlists in order to test for the first 5 techniques – one wordlist with header names and one with parameter names. The wordlists can either be present in the same directory WCVS is executed from or specified using the --headerwordlist/-hw and --parameterwordlist/-pw flags.

Examples

wcvs -u 127.0.0.1
wcvs -u http://127.0.0.1
wcvs -u https://example.com
wcvs -u file:path/to/url_list
wcvs -u https://example.com -hw “file:/home/user/Documents/wordlist-header.txt”
wcvs -u https://example.com -pw “file:/home/user/Documents/wordlist-parameter.txt”
wcvs -u https://example.com -hw “file:/home/user/Documents/wordlist-header.txt” -pw “file:/home/user/Documents/wordlist-parameter.txt”

Specify Headers, Parameters, Cookies, and More

  • --setcookies/-sc specifies cookies which shall be added to the request
  • --setheaders/-sh specifies headers which shall be added to the request
  • --setparameters/-sp specifies parameters which shall be added to the request. While it is also possible to simply add them to the URL, it might be more useful in some cases to add them via this flag.
  • --post/-post changes the HTTP method from GET to POST
  • --setbody/-sb specifies the body which shall be added to the request
  • --contenttype/-ct specifies the value of the Content-Type header
  • --useragentchrome/-uac changes the User-Agent from WebCacheVulnerabilityScanner v{Version-Number} to Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36. While the same can be achieved with e.g. -sh "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ..., this flag provides a quicker way.

Examples

wcvs -u https://example.com -sc “PHPSESSID=123”
wcvs -u https://example.com -sc “file:/home/user/Documents/cookies.txt”
wcvs -u https://example.com -sh “Referer: localhost”
wcvs -u https://example.com -sh “file:/home/user/Documents/headers.txt”
wcvs -u https://example.com -sp “admin=true”
wcvs -u https://example.com -sp “file:/home/user/Documents/parameters.txt”
wcvs -u https://example.com -post -sb “admin=true”
wcvs -u https://example.com -post -sb “file:/home/user/Documents/body.txt”
wcvs -u https://example.com -post -sb “{}” -ct “application/json”
wcvs -u https://example.com -uac

Generate a JSON Report

A JSON report is generated and updated after each scanned URL if the flag --generatereport/-gr is set. The report is written, just like a log file, into the same directory WCVS is executed from. In order to change the directory for all output files use --generatepath/-gp. If HTML special chars shall be encoded in the report, use --escapejson/-ej.

Examples

wcvs -u https://example.com -gr
wcvs -u https://example.com -gr -ej
wcvs -u https://example.com -gr -gp /home/user/Documents
wcvs -u https://example.com -gr -gp /home/user/Documents -ej

Use a Proxy

To use a proxy, a CA certificate of the proxy in PEM format is needed. Burp Suite certificates are provided in DER format, for example. To convert them, the following command can be used: openssl x509 -inform DER -outform PEM -text -in cacert.der -out cacert.pem. The path to the certificate can be specified with --proxycertpath/-ppath. The default URL for the proxy is http://127.0.0.1:8080. In order to change it, use --proxyurl/-purl.

Examples

wcvs -u https://example.com -ppath /home/user/Documents/cacert.pem
wcvs -u https://example.com -ppath /home/user/Documents/cacert.pem -purl http://127.0.0.1:8081

Throttle or Accelerate

The number of maximum allowed requests per second can be set with --reqrate/-rr. By default, this number is unrestricted. Contrary, the number of requests per second can be increased potentially, if --threads/-t is used to increase the number of concurrent threads WCVS utilizes. The default value is 20.

Examples

wcvs -u https://example.com -rr 10
wcvs -u https://example.com -rr 1
wcvs -u https://example.com -rr 0.5
wcvs -u https://example.com -t 50

Further Flags

WCVS provides even more than the beforehand mentioned flags and options. --help/-h provides a list of each flag, its meaning, and how to use it.

Example

wcvs -h

R K

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

15 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

15 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

3 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

4 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago