# Web Cache Poisoning

Web cache poisoning is an advanced technique whereby an attacker exploits the behavior of a web server and cache so that a harmful HTTP response is served to other users.
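
As an added illustration (not code from PortSwigger or from this page), the toy model below shows the mechanism from the defender's side: an origin reflects a request header that the cache leaves out of its cache key, so one cached response reaches later visitors, and a small check flags such headers. The hostnames, the class and function names, and the choice of `X-Forwarded-Host` as the reflected header are assumptions made for the example.

```python
# Toy model, constructed for illustration: an origin that reflects a header
# into the page, fronted by a cache whose key may or may not include it.

def origin(path, headers):
    """Origin builds an absolute script URL from X-Forwarded-Host if present."""
    host = headers.get("X-Forwarded-Host", headers["Host"])
    return f'<script src="https://{host}/static/app.js"></script>'

class Cache:
    def __init__(self, keyed_headers=()):
        self.keyed_headers = tuple(keyed_headers)
        self.store = {}

    def key(self, path, headers):
        # Baseline cache key is Host + path; any other input is unkeyed
        # unless it is listed in keyed_headers (the hardened configuration).
        extra = tuple(headers.get(h, "") for h in self.keyed_headers)
        return (headers["Host"], path) + extra

    def fetch(self, path, headers):
        k = self.key(path, headers)
        if k not in self.store:          # cache miss: ask the origin once
            self.store[k] = origin(path, headers)
        return self.store[k]             # cache hit: replay the stored body

def find_unkeyed_reflections(cache, path, base_headers, candidates):
    """Report headers that change the origin response but not the cache key."""
    baseline = origin(path, base_headers)
    base_key = cache.key(path, base_headers)
    findings = []
    for name in candidates:
        probe = {**base_headers, name: "canary.invalid"}
        if origin(path, probe) != baseline and cache.key(path, probe) == base_key:
            findings.append(name)
    return findings

def served_to_next_user(cache, path="/"):
    """One request carries the header; return what a normal visitor then gets."""
    cache.fetch(path, {"Host": "shop.example", "X-Forwarded-Host": "canary.invalid"})
    return cache.fetch(path, {"Host": "shop.example"})
```

With `Cache()` the later visitor receives the body built from the header value; with `Cache(keyed_headers=["X-Forwarded-Host"])` the two requests map to different cache entries and the visitor gets the normal page.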

### PortSwigger's Methodology to Identify Web Cache Poisoning

> Fortunately, you can automate the process of identifying unkeyed inputs by adding the [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) extension to Burp from the BApp store. To use Param Miner, you simply right-click on a request that you want to investigate and click "Guess headers". Param Miner then runs in the background, sending requests containing different inputs from its extensive, built-in list of headers. If a request containing one of its injected inputs has an effect on the response, Param Miner logs this in Burp, either in the "Issues" pane if you are using [Burp Suite Professional](https://portswigger.net/burp/pro), or in the "Output" tab of the extension ("Extensions" > "Installed" > "Param Miner" > "Output") if you are using [Burp Suite Community Edition](https://portswigger.net/burp/communitydownload).

### References

{% embed url="https://portswigger.net/web-security/web-cache-poisoning" %}
