{"id":37097054,"url":"https://github.com/ayuxsec/cachex","last_synced_at":"2026-01-14T11:56:18.933Z","repository":{"id":329036415,"uuid":"1117527595","full_name":"ayuxsec/cachex","owner":"ayuxsec","description":"A high-accuracy, behavioral cache poisoning scanner for modern Web APIs ","archived":false,"fork":false,"pushed_at":"2025-12-20T13:46:21.000Z","size":9076,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-20T13:58:13.942Z","etag":null,"topics":["bugbounty","cache-poisoning","hacking","security-tools"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ayuxsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-16T12:45:46.000Z","updated_at":"2025-12-20T13:46:25.000Z","dependencies_parsed_at":"2025-12-20T14:01:32.662Z","dependency_job_id":null,"html_url":"https://github.com/ayuxsec/cachex","commit_stats":null,"previous_names":["ayuxsec/cachex"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/ayuxsec/cachex","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayuxsec%2Fcachex","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayuxsec%2Fcachex/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayuxsec%2Fcachex/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayuxsec%2Fcachex/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ayuxsec","download_url":"https://codeload.github.com/ayuxsec/cachex/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ayuxsec%2Fcachex/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28419272,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T10:47:48.104Z","status":"ssl_error","status_checked_at":"2026-01-14T10:46:19.031Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","cache-poisoning","hacking","security-tools"],"created_at":"2026-01-14T11:56:18.201Z","updated_at":"2026-01-14T11:56:18.925Z","avatar_url":"https://github.com/ayuxsec.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003e\r\n \u003cimg src=\"images/cachex-logo.png\" alt=\"cachex\" width=\"100px\"\u003e\r\n \u003cbr\u003e\r\n\u003c/h1\u003e\r\n\r\n\u003ch3 align=\"center\"\u003eA high-accuracy, behavioral cache poisoning scanner for modern Web APIs\u003c/h3\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\n \u003cimg src=\"https://img.shields.io/badge/cacheX-blueviolet?style=flat-square\"\u003e\r\n \u003cimg src=\"https://img.shields.io/github/go-mod/go-version/ayuxsec/cachex?style=flat-square\"\u003e\r\n \u003cimg src=\"https://img.shields.io/github/license/ayuxsec/cachex?style=flat-square\"\u003e\r\n\u003c/p\u003e\r\n\r\n\r\n## ๐ŸŒŸ Why CacheX?\r\n\r\nMost cache poisoning scanners only check:\r\n\r\n* whether a response changes with certain headers\r\n* or whether cache-related headers exist\r\n\r\nThis produces **tons of false positives** and rarely confirms a real exploit.\r\n\r\n**CacheX is different.**\r\n\r\nIt performs **behavioral diffing**, **multi-threaded poisoning**, and **persistence verification**, confirming only real, weaponizable cache poisoning.\r\n\r\n[![demo](https://asciinema.org/a/0t6ga94iTdGmMuCP99KQsAZDs.svg)](https://asciinema.org/a/0t6ga94iTdGmMuCP99KQsAZDs)\r\n\r\n## ๐Ÿ”ฅ Features\r\n\r\n* โšก **High-speed multi-threaded scanning**\r\n* ๐ŸŽฏ **Zero-FP design with behavioral diffing**\r\n* ๐Ÿ” **Real-time cache poisoning attempts**\r\n* ๐Ÿงช **Persistence confirmation for true vulnerabilities**\r\n* ๐Ÿ” **Single and multi-header scan modes**\r\n* ๐Ÿงฉ **YAML-based payload configuration**\r\n* ๐Ÿ“ค **JSON or pretty output formats**\r\n* ๐Ÿ“ **Optional file-based export**\r\n* ๐Ÿท **Tentative vs confirmed vuln tagging**\r\n\r\n## ๐Ÿ”ง Installation\r\n\r\n```bash\r\ngo install github.com/ayuxsec/cachex/cmd/cachex@latest\r\n```\r\n\r\nOr build manually:\r\n\r\n```bash\r\ngit clone --depth=1 https://github.com/ayuxsec/cachex\r\ncd cachex\r\ngo build -o cachex \"cmd/cachex/main.go\"\r\n./cachex -h\r\n```\r\n\r\n## ๐Ÿš€ Usage\r\n\r\n### โ–ถ๏ธ Scan a single URL\r\n\r\n```bash\r\ncachex -u https://example.com\r\n```\r\n\r\n### โ–ถ๏ธ Scan multiple targets\r\n\r\n```bash\r\ncachex -l urls.txt\r\n```\r\n\r\n### โ–ถ๏ธ Scan URLs via pipeline\r\n\r\n```bash\r\necho \"https://example.com\" | cachex\r\n```\r\n\r\nor:\r\n\r\n```bash\r\ncat urls.txt | cachex\r\n```\r\n\r\n---\r\n\r\n## ๐Ÿ“Œ All CLI Flags\r\n\r\n| Category | Flag | Description |\r\n| ----------------- | ----------------- | --------------------------- |\r\n| Input | `-u, --url` | URL to scan |\r\n| | `-l, --list` | File with list of URLs |\r\n| Concurrency | `-t, --threads` | Number of scanning threads |\r\n| | `-m, --scan-mode` | `single` or `multi` |\r\n| HTTP Client | `--timeout` | Total request timeout |\r\n| | `--proxy` | Proxy URL |\r\n| Persistence Check | `--no-chk-prst` | Disable persistence checker |\r\n| | `--prst-requests` | Poisoning requests |\r\n| | `--prst-threads` | Threads for poisoning |\r\n| Output | `-o, --output` | Output file |\r\n| | `-j, --json` | JSON output |\r\n| Payloads | `--pcf` | Custom payload config file |\r\n\r\n\r\n## ๐Ÿ’ก Example\r\n\r\n```bash\r\ncachex -l targets.txt -t 50 --pcf payloads.yaml --json -o results.json\r\n```\r\n\r\n## โš™๏ธ Configuration\r\n\r\nCacheX automatically loads:\r\n\r\n```\r\n~/.config/cachex/config.yaml\r\n~/.config/cachex/payloads.yaml\r\n```\r\n\r\nYou can configure:\r\n\r\n* Payload headers\r\n* Default request headers\r\n* Timeouts \u0026 concurrency\r\n* Logging mode\r\n* Proxy settings\r\n* Persistence checker behavior\r\n\r\n## ๐Ÿ“ Output Formats\r\n\r\n### Pretty Output\r\n\r\n```\r\n[vuln] [https://target.com] [Location Poisoning] [header: X-Forwarded-Host: evil.com] [poc: https://target.com?cache=XYZ]\r\n```\r\n\r\n### JSON Output\r\n\r\n```json\r\n{\r\n \"URL\": \"https://target.com/\",\r\n \"IsVulnerable\": true,\r\n \"IsResponseManipulable\": true,\r\n \"ManipulationType\": \"ChangedBody\",\r\n \"RequestHeaders\": {\r\n \"Accept\": \"*/*\",\r\n \"User-Agent\": \"Mozilla/5.0\"\r\n },\r\n \"PayloadHeaders\": {\r\n \"X-Forwarded-Host\": \"evil.com\"\r\n },\r\n \"OriginalResponse\": {\r\n \"StatusCode\": 200,\r\n \"Headers\": {\r\n \"...\": \"...\"\r\n },\r\n \"Body\": \"...\",\r\n \"Location\": \"\"\r\n },\r\n \"ModifiedResponse\": {\r\n \"StatusCode\": 200,\r\n \"Headers\": {\r\n \"...\": \"...\"\r\n },\r\n \"Body\": \"...\",\r\n \"Location\": \"\"\r\n },\r\n \"PersistenceCheckResult\": {\r\n \"IsPersistent\": true,\r\n \"PoCLink\": \"https://target.example.com/?cache=XYZ\",\r\n \"FinalResponse\": {\r\n \"StatusCode\": 200,\r\n \"Headers\": {\r\n \"...\": \"...\"\r\n },\r\n \"Body\": \"...\",\r\n \"Location\": \"\"\r\n }\r\n }\r\n}\r\n```\r\n\r\n## ๐ŸŽ› Scan Modes\r\n\r\n* `single`: precise, tests each header independently\r\n* `multi`: fast, tests all payload headers together\r\n\r\n## ๐Ÿงฉ Payload Headers\r\n\r\nDefined in:\r\n\r\n```\r\n~/.config/cachex/payloads.yaml\r\n```\r\n\r\nExample:\r\n\r\n```yaml\r\npayload_headers:\r\n X-Forwarded-Host: evil.com\r\n X-Forwarded-For: 127.0.0.1\r\n X-Original-URL: /evilpath\r\n X-Client-IP: 127.0.0.1\r\n```\r\n\r\n## ๐Ÿ“ Configuration File Example (`config.yaml`)\r\n\r\n```yaml\r\nscan_mode: single\r\nthreads: 25\r\n\r\nrequest_headers:\r\n Accept: '*/*'\r\n User-Agent: Mozilla/5.0 (...)\r\n\r\nclient:\r\n dial_timeout: 5\r\n handshake_timeout: 5\r\n response_timeout: 10\r\n proxy_url: \"\"\r\n\r\npersistence_checker:\r\n enabled: true\r\n num_requests_to_send: 10\r\n threads: 5\r\n\r\nlogger:\r\n log_error: false\r\n log_mode: pretty\r\n debug: false\r\n output_file: \"\"\r\n skip_tentative: true\r\n```\r\n\r\n## ๐Ÿง  How CacheX Works\r\n\r\n1. Fetches baseline response\r\n2. Injects payload headers\r\n3. Detects response manipulation (body, code, redirect)\r\n4. If changed โ†’ launches concurrent poisoning attempts\r\n5. Fetches clean requests\r\n6. If poisoned response persists โ†’ confirmed vulnerability\r\n7. Outputs PoC link\r\n\r\n## ๐Ÿ“ Project Structure\r\n\r\n```console\r\ncachex/\r\nโ”œโ”€โ”€ cmd/\r\nโ”‚ โ””โ”€โ”€ cachex/\r\nโ”‚ โ””โ”€โ”€ main.go # CLI entrypoint\r\nโ”‚\r\nโ”œโ”€โ”€ internal/\r\nโ”‚ โ”œโ”€โ”€ app/\r\nโ”‚ โ”‚ โ””โ”€โ”€ cachex/\r\nโ”‚ โ”‚ โ””โ”€โ”€ cmd/\r\nโ”‚ โ”‚ โ”œโ”€โ”€ banner.go # ASCII banner\r\nโ”‚ โ”‚ โ”œโ”€โ”€ flags.go # CLI flags + config binding\r\nโ”‚ โ”‚ โ”œโ”€โ”€ helper.go # Help message builder\r\nโ”‚ โ”œโ”€โ”€ root.go # Main CLI logic \u0026 runner\r\nโ”‚ โ””โ”€โ”€ utils.go # File helpers\r\nโ”‚\r\nโ”‚ โ”œโ”€โ”€ pkg/\r\nโ”‚ โ”‚ โ”œโ”€โ”€ client/\r\nโ”‚ โ”‚ โ”‚ โ”œโ”€โ”€ client.go # Custom HTTP client \u0026 transport\r\nโ”‚ โ”‚ โ”‚ โ””โ”€โ”€ request.go # Fetch + send raw requests\r\nโ”‚ โ”‚ โ”œโ”€โ”€ config/\r\nโ”‚ โ”‚ โ”‚ โ””โ”€โ”€ config.go # Legacy internal config\r\nโ”‚ โ”‚ โ””โ”€โ”€ logger/\r\nโ”‚ โ”‚ โ”œโ”€โ”€ colors.go # Color themes\r\nโ”‚ โ”‚ โ””โ”€โ”€ logger.go # Pretty logger (info/warn/debug/vuln)\r\nโ”‚\r\nโ”‚ โ””โ”€โ”€ scanner/\r\nโ”‚ โ”œโ”€โ”€ core.go # Core poisoning test logic\r\nโ”‚ โ”œโ”€โ”€ detector.go # Behavioral response diffing\r\nโ”‚ โ”œโ”€โ”€ logger.go # Pretty + JSON output formatter\r\nโ”‚ โ”œโ”€โ”€ output.go # JSON serialization helpers\r\nโ”‚ โ”œโ”€โ”€ persistchk.go # Persistence checker (real-time poisoning)\r\nโ”‚ โ”œโ”€โ”€ scanner.go # Scan controller (single/multi mode)\r\nโ”‚ โ”œโ”€โ”€ types.go # All scanner structs \u0026 enums\r\nโ”‚ โ””โ”€โ”€ utils.go # Cache buster, merging maps, helpers\r\nโ”‚\r\nโ”œโ”€โ”€ pkg/\r\nโ”‚ โ””โ”€โ”€ cachex/\r\nโ”‚ โ”œโ”€โ”€ scanner.go # Public API wrapper for internal scanner\r\nโ”‚ โ”œโ”€โ”€ utils.go # Config mappers (log mode, scan mode)\r\nโ”‚ โ””โ”€โ”€ validate.go # Config validation\r\nโ”‚\r\nโ”‚ โ””โ”€โ”€ config/\r\nโ”‚ โ”œโ”€โ”€ config.go # YAML config schema\r\nโ”‚ โ”œโ”€โ”€ default.go # Default paths + default config\r\nโ”‚ โ””โ”€โ”€ payloads.go # Default payload headers\r\nโ”‚\r\nโ”œโ”€โ”€ .github/workflows/\r\nโ”‚ โ””โ”€โ”€ release.yml # Automated builds via GoReleaser\r\nโ”‚\r\nโ”œโ”€โ”€ images/\r\nโ”‚ โ”œโ”€โ”€ cachex-logo.png # Logo\r\nโ”‚ โ””โ”€โ”€ cachex-demo.gif # Showcase GIF\r\nโ”‚\r\nโ”œโ”€โ”€ .goreleaser.yaml # Multi-platform binary releases\r\nโ”œโ”€โ”€ .gitignore\r\nโ”œโ”€โ”€ go.mod\r\nโ”œโ”€โ”€ go.sum\r\nโ”œโ”€โ”€ LICENSE\r\nโ””โ”€โ”€ Makefile # Build / install helpers\r\n```\r\n\r\n## ๐Ÿค Contribute\r\n\r\nSure, PRs are welcome!\r\n\r\n## ๐Ÿ“œ License\r\n\r\nMIT ยฉ [@ayuxsec](https://github.com/ayuxsec)\r\n\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fayuxsec%2Fcachex","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fayuxsec%2Fcachex","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fayuxsec%2Fcachex/lists"}