Cache Poisoning Vulnerable Application

This application demonstrates various cache poisoning vulnerabilities on Cloudflare Pages.

⚠️ Active Vulnerabilities

☠️ File Upload Cache Poisoning

/file-upload - Upload videos, PDFs, images, etc. to POISON cache

POST /poison-upload - Upload any file, cache for 1 week

GET /poisoned-download/:cacheKey - Download cached files

GET /poisoned-content/:cacheKey - View file info

Supports: Videos, PDFs, images, audio, documents, archives

Key: Files cached by Cloudflare, NOT in URL parameters!

📤 Basic Upload Endpoint

POST /upload - Simple upload, content cached but not persisted

Example: curl -X POST -d "poisoned content" https://<your-pages-host>/upload

🔒 Secure Endpoint

/health - Properly configured with no-cache headers
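
The difference between the week-long cached download endpoints and /health is visible in the response headers. The following is an added example, not this application's code: it audits a Cache-Control header and reports whether a shared cache such as a CDN may serve the response, and for how long. The function names and sample header values are assumptions constructed to match the behaviour described above (1 week TTL versus no-cache headers).

```javascript
const ONE_DAY = 86400;

// Parse a Cache-Control value into a Map of lower-cased directive -> argument.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value || "").split(",")) {
    const [name, arg] = part.trim().split("=", 2);
    if (name) directives.set(name.toLowerCase(), arg === undefined ? "" : arg.replace(/"/g, ""));
  }
  return directives;
}

// Report whether a shared cache may serve this response without revalidation.
function auditCaching(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const cc = parseCacheControl(h["cache-control"]);
  // no-store and private forbid shared storage; no-cache forces revalidation.
  const forbidden = ["no-store", "private", "no-cache"].some((d) => cc.has(d));
  // For shared caches, s-maxage takes precedence over max-age.
  const raw = cc.has("s-maxage") ? cc.get("s-maxage") : cc.get("max-age");
  const ttl = Number.parseInt(raw, 10) || 0;
  const cacheable = !forbidden && ttl > 0;
  const findings = [];
  if (cacheable) {
    findings.push(`shared cache may serve this response for ${ttl}s`);
    if (ttl > ONE_DAY) findings.push("TTL over one day: a bad entry persists until it expires or is purged");
  }
  return { cacheable, ttl, findings };
}

// Constructed sample headers, one per endpoint style listed on this page.
const SAMPLES = {
  "/poisoned-download/:cacheKey": { "Cache-Control": "public, max-age=604800" },
  "/health": { "Cache-Control": "no-store, no-cache, must-revalidate" },
};

for (const [path, headers] of Object.entries(SAMPLES)) {
  console.log(path, JSON.stringify(auditCaching(headers)));
}
```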

Testing Instructions

  1. Use curl or browser to test endpoints
  2. Add malicious headers to poison cache
  3. Check if poisoned responses are served to other users
  4. Note: Cloudflare cache TTLs are deliberately long

API Token Configuration

Account ID: 83444abe350a24f5296bfb9e398e2ec5

Token: cfat_CvRqxR4x6AeVVecLfvFp2BGleKE7WkFihXRCZVzA90a368e8

Warning: This is a deliberately vulnerable application for educational purposes only.