Cache Poisoning Tester
Probe your website for web cache poisoning risk in seconds. We send live, safe header-injection tests against your target and flag unkeyed-input reflection, missing Vary coverage, and HTTP response-splitting indicators.
Advanced cache poisoning detection
Built to mirror real-world unkeyed-input attack patterns used against CDNs, reverse proxies, and application caches.
Unkeyed header probing
Tests 13 commonly unkeyed headers, including X-Forwarded-Host, X-Original-URL, and Forwarded, for reflection.
Cache fingerprinting
Detects Cache-Control, Age, X-Cache, CF-Cache-Status, Surrogate-Control and other caching-layer signals.
Response splitting checks
Sends a CRLF-style payload to check whether your app or proxy is vulnerable to HTTP response splitting.
Vary header analysis
Checks whether your Vary header actually accounts for the headers your origin trusts.
SSRF-guarded engine
Blocks private, loopback, link-local and metadata IP ranges before any test request is sent.
Plain-English scoring
Every finding is graded A–F with severity badges so non-security teams understand the risk instantly.
How the test works
Four simple steps, all completed automatically the moment you click "Run Cache Test."
Baseline fetch
We request your page normally and fingerprint any cache-related headers in the response.
Header injection
We resend the request once per selected header, each carrying a unique tracking marker.
Reflection check
Each response body and header block is scanned for the marker to detect unkeyed reflection.
Risk scoring
Findings are combined with cache presence to produce a severity-ranked, letter-graded report.
Understanding Web Cache Poisoning, OWASP Risk, and Cross-User Defacement
Web cache poisoning sits in an uncomfortable blind spot for many teams. A request looks completely ordinary, the response code is a clean 200, and nothing in a standard monitoring dashboard lights up red, yet a single crafted request can quietly corrupt what an entire cache layer serves to every subsequent visitor. The core issue is almost always the same: a header, cookie, or query parameter that the origin server reads and uses to build a response, but that the cache in front of it never includes in its cache key. OWASP catalogs this pattern because the consequences scale so quickly. One attacker request becomes the version of the page everyone else receives, until the cache entry expires or is purged.
The most common entry point is the family of forwarding headers (X-Forwarded-Host, X-Forwarded-Scheme, X-Original-URL, and similar variants) that reverse proxies and load balancers add for legitimate routing purposes. When an application trusts one of these values to build a canonical link, a redirect target, or an asset URL, and a caching layer in front of it treats the response as cacheable without factoring that header into its key, an attacker can submit one request with a malicious host value and have the poisoned output served to thousands of real users who never sent that header themselves. This is sometimes called cross-user defacement, since the visible symptom is often broken links, injected scripts, or unexpected redirects appearing for visitors who did nothing wrong.
HTTP response splitting is a closely related but distinct vulnerability worth testing for in the same pass. It occurs when unsanitized input reaches a point where it can inject carriage-return/line-feed sequences into the raw HTTP response, effectively allowing an attacker to forge additional headers or even a second response body. Combined with an upstream cache, response splitting can be used to smuggle a fabricated response into the cache itself, compounding the impact far beyond a single request. Because the underlying flaw usually lives in how an application or proxy assembles headers from untrusted input, it tends to surface in older middleware, custom routing logic, or any code path that concatenates header values directly into output.
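The two origin-side flaws described above, shown as an added example that is not this tool's own code: a canonical URL built from a trusted forwarding header next to an allowlisted version, and a header writer that refuses CR/LF. `ALLOWED_HOSTS`, `DEFAULT_HOST` and the function names are assumptions for illustration, and header lookup assumes the exact key casing shown.

```python
# Added example: hostnames and function names are illustrative assumptions.
ALLOWED_HOSTS = {"www.example.com", "example.com"}  # hosts this origin serves
DEFAULT_HOST = "www.example.com"


def canonical_url_trusting(headers, path):
    """'Before': trusts X-Forwarded-Host, so an unkeyed header shapes the page."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", DEFAULT_HOST)
    return f"https://{host}{path}"


def canonical_url_allowlisted(headers, path):
    """'After': a forwarded host is used only if it is one the site serves."""
    candidate = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    host = candidate.strip().lower()
    if host not in ALLOWED_HOSTS:
        host = DEFAULT_HOST  # fall back instead of echoing the supplied value
    return f"https://{host}{path}"


def build_header_line(name, value):
    """Refuse CR or LF in a header value instead of writing it to the response."""
    if "\r" in value or "\n" in value:
        raise ValueError(f"control characters in value for {name}")
    return f"{name}: {value}\r\n"


if __name__ == "__main__":
    # Constructed request headers carrying a marker value, as a probe would.
    req = {"Host": "www.example.com", "X-Forwarded-Host": "marker-7f3a.invalid"}
    print(canonical_url_trusting(req, "/pricing"))
    print(canonical_url_allowlisted(req, "/pricing"))
```
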
Testing for these issues responsibly starts with understanding what your cache actually keys on. Tools like this one send a baseline request to fingerprint cache-indicating headers (Cache-Control, Age, X-Cache, CF-Cache-Status, Vary, and similar signals) and then resend the request with a uniquely marked value in each commonly unkeyed header. If that marker shows up reflected back in the body or headers of a response that also shows caching indicators, you have a strong signal that the header is both trusted by the origin and excluded from the cache key, the exact combination that enables poisoning. A parallel check sends a CRLF-style payload through a query parameter to see whether it gets reflected as a forged header, which points toward response-splitting risk.
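The reflection, cache-signal and Vary checks described above, as an added example that is not this tool's own code. It classifies already-captured responses offline; the sample responses, result labels and the Cache-Control heuristic are assumptions made for illustration.

```python
# Added example. Response data below is constructed, not captured from a real site.
CACHE_SIGNALS = ("age", "x-cache", "cf-cache-status", "surrogate-control")

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def cache_signals(headers):
    """Cache-indicating headers present in a response (heuristic)."""
    h = _lower(headers)
    found = [name for name in CACHE_SIGNALS if name in h]
    cc = h.get("cache-control", "").lower()
    # Cache-Control counts only when it does not forbid shared caching.
    if cc and "no-store" not in cc and "private" not in cc:
        found.append("cache-control")
    return found

def vary_covers(headers, probe_header):
    """True if Vary lists the probed request header (or is '*')."""
    listed = {t.strip().lower() for t in _lower(headers).get("vary", "").split(",")}
    return "*" in listed or probe_header.lower() in listed

def assess_probe(probe):
    """Grade one probe: dict with 'header', 'marker', 'resp_headers', 'body'."""
    marker, hdrs = probe["marker"], probe["resp_headers"]
    reflected = marker in probe["body"] or any(marker in v for v in hdrs.values())
    if not reflected:
        return "not reflected"
    if not cache_signals(hdrs):
        return "reflected, no cache signals"
    if vary_covers(hdrs, probe["header"]):
        return "reflected, covered by Vary"
    return "reflected and cacheable, likely unkeyed"

SAMPLE_PROBES = [  # constructed sample responses, one per probed header
    {"header": "X-Forwarded-Host", "marker": "probe-a1b2.invalid",
     "resp_headers": {"Cache-Control": "public, max-age=600", "Age": "42",
                      "Vary": "Accept-Encoding"},
     "body": '<link rel="canonical" href="https://probe-a1b2.invalid/">'},
    {"header": "X-Forwarded-Scheme", "marker": "probe-c3d4",
     "resp_headers": {"Cache-Control": "no-store"}, "body": "scheme=probe-c3d4"},
    {"header": "X-Original-URL", "marker": "probe-e5f6",
     "resp_headers": {"X-Cache": "HIT", "Vary": "X-Original-URL"},
     "body": "<a href='/probe-e5f6'>"},
]

def assess_all(probes):
    return {p["header"]: assess_probe(p) for p in probes}

if __name__ == "__main__":
    for header, verdict in assess_all(SAMPLE_PROBES).items():
        print(f"{header}: {verdict}")
```
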
None of this replaces a full security review, manual testing by an experienced assessor, or a proper threat model for high-value applications. What automated testing like this is good for is catching the low-hanging, high-impact misconfigurations early and often, ideally as part of a regular cycle alongside your other vulnerability checks, rather than a one-time audit. Cache configurations drift as infrastructure changes, CDNs get added, and new headers get introduced by load balancers, so a finding that was clean six months ago is not a guarantee today. Treat a passing grade as a snapshot, not a certificate, and always test only domains you own or are explicitly authorized to assess.
Frequently asked questions
Web cache poisoning is an attack where a malicious input is stored by a caching layer and served to other visitors, turning a single crafted request into a vulnerability that affects many users at once.
It sends a baseline request plus a series of probes containing unique markers in commonly unkeyed headers, then checks whether those markers are reflected in the response alongside caching indicators.
Only test domains you own or have explicit permission to assess. The tool blocks requests to private, loopback and internal addresses, but responsible, authorized use remains your responsibility.
An unkeyed header is a request header that the origin reads and that may influence the response, but that the cache does not include in its cache key, which can let an attacker poison a cached entry for everyone.
No single scanner can guarantee complete safety. This tool checks common cache poisoning patterns, but a full security review and manual testing are recommended for critical applications.
Secure your caching layer today
Cache poisoning can silently affect every visitor to your site. Run a free test now, then explore our full security toolkit and 100+ free AI-powered tools.