https://github.com/ayuxsec/cachex
A high-accuracy, behavioral cache poisoning scanner for modern Web APIs
- Host: GitHub
- URL: https://github.com/ayuxsec/cachex
- Owner: ayuxsec
- License: mit
- Created: 2025-12-16T12:45:46.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2025-12-20T13:46:21.000Z (6 months ago)
- Last Synced: 2025-12-20T13:58:13.942Z (6 months ago)
- Topics: bugbounty, cache-poisoning, hacking, security-tools
- Language: Go
- Homepage:
- Size: 8.66 MB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
A high-accuracy, behavioral cache poisoning scanner for modern Web APIs
## Why CacheX?
Most cache poisoning scanners only check:
* whether a response changes with certain headers
* or whether cache-related headers exist
This produces **tons of false positives** and rarely confirms a real exploit.
**CacheX is different.**
It performs **behavioral diffing**, **multi-threaded poisoning**, and **persistence verification**, confirming only real, weaponizable cache poisoning.
[Demo recording (asciinema)](https://asciinema.org/a/0t6ga94iTdGmMuCP99KQsAZDs)
## Features
* **High-speed multi-threaded scanning**
* **Zero-FP design with behavioral diffing**
* **Real-time cache poisoning attempts**
* **Persistence confirmation for true vulnerabilities**
* **Single and multi-header scan modes**
* **YAML-based payload configuration**
* **JSON or pretty output formats**
* **Optional file-based export**
* **Tentative vs confirmed vuln tagging**
## Installation
```bash
go install github.com/ayuxsec/cachex/cmd/cachex@latest
```
Or build manually:
```bash
git clone --depth=1 https://github.com/ayuxsec/cachex
cd cachex
go build -o cachex "cmd/cachex/main.go"
./cachex -h
```
## Usage
### Scan a single URL
```bash
cachex -u https://example.com
```
### Scan multiple targets
```bash
cachex -l urls.txt
```
### Scan URLs via pipeline
```bash
echo "https://example.com" | cachex
```
or:
```bash
cat urls.txt | cachex
```
---
## All CLI Flags
| Category | Flag | Description |
| ----------------- | ----------------- | --------------------------- |
| Input | `-u, --url` | URL to scan |
| | `-l, --list` | File with list of URLs |
| Concurrency | `-t, --threads` | Number of scanning threads |
| | `-m, --scan-mode` | `single` or `multi` |
| HTTP Client | `--timeout` | Total request timeout |
| | `--proxy` | Proxy URL |
| Persistence Check | `--no-chk-prst` | Disable persistence checker |
| | `--prst-requests` | Poisoning requests |
| | `--prst-threads` | Threads for poisoning |
| Output | `-o, --output` | Output file |
| | `-j, --json` | JSON output |
| Payloads | `--pcf` | Custom payload config file |
## Example
```bash
cachex -l targets.txt -t 50 --pcf payloads.yaml --json -o results.json
```
## Configuration
CacheX automatically loads:
```
~/.config/cachex/config.yaml
~/.config/cachex/payloads.yaml
```
You can configure:
* Payload headers
* Default request headers
* Timeouts & concurrency
* Logging mode
* Proxy settings
* Persistence checker behavior
## Output Formats
### Pretty Output
```
[vuln] [https://target.com] [Location Poisoning] [header: X-Forwarded-Host: evil.com] [poc: https://target.com?cache=XYZ]
```
### JSON Output
```json
{
  "URL": "https://target.com/",
  "IsVulnerable": true,
  "IsResponseManipulable": true,
  "ManipulationType": "ChangedBody",
  "RequestHeaders": {
    "Accept": "*/*",
    "User-Agent": "Mozilla/5.0"
  },
  "PayloadHeaders": {
    "X-Forwarded-Host": "evil.com"
  },
  "OriginalResponse": {
    "StatusCode": 200,
    "Headers": {
      "...": "..."
    },
    "Body": "...",
    "Location": ""
  },
  "ModifiedResponse": {
    "StatusCode": 200,
    "Headers": {
      "...": "..."
    },
    "Body": "...",
    "Location": ""
  },
  "PersistenceCheckResult": {
    "IsPersistent": true,
    "PoCLink": "https://target.example.com/?cache=XYZ",
    "FinalResponse": {
      "StatusCode": 200,
      "Headers": {
        "...": "..."
      },
      "Body": "...",
      "Location": ""
    }
  }
}
```
## Scan Modes
* `single`: precise, tests each header independently
* `multi`: fast, tests all payload headers together
## Payload Headers
Defined in:
```
~/.config/cachex/payloads.yaml
```
Example:
```yaml
payload_headers:
  X-Forwarded-Host: evil.com
  X-Forwarded-For: 127.0.0.1
  X-Original-URL: /evilpath
  X-Client-IP: 127.0.0.1
```
## Configuration File Example (`config.yaml`)
```yaml
scan_mode: single
threads: 25
request_headers:
  Accept: '*/*'
  User-Agent: Mozilla/5.0 (...)
client:
  dial_timeout: 5
  handshake_timeout: 5
  response_timeout: 10
  proxy_url: ""
persistence_checker:
  enabled: true
  num_requests_to_send: 10
  threads: 5
logger:
  log_error: false
  log_mode: pretty
  debug: false
  output_file: ""
  skip_tentative: true
```
## How CacheX Works
1. Fetches baseline response
2. Injects payload headers
3. Detects response manipulation (body, code, redirect)
4. If changed → launches concurrent poisoning attempts
5. Fetches clean requests
6. If poisoned response persists → confirmed vulnerability
7. Outputs PoC link
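
The difference between a merely manipulable response and a persistent one (steps 3 to 6), as an added example that is not CacheX code: a constructed in-memory origin and cache, with the concurrent poisoning of step 4 reduced to a single request. `cache`, `origin` and `check` are hypothetical names; the second run shows that including the header in the cache key stops the persistence.

```go
package main

import "fmt"

// Constructed toy model, not CacheX code: an origin that reflects
// X-Forwarded-Host, behind a cache that may or may not key on it.
type cache struct {
	store     map[string]string
	keyHeader bool // true = header is part of the cache key (the fix)
}

func origin(h map[string]string) string {
	host := h["X-Forwarded-Host"]
	if host == "" {
		host = "target.example"
	}
	return "<script src=//" + host + "/app.js></script>"
}

func (c *cache) get(url string, h map[string]string) string {
	key := url
	if c.keyHeader {
		key += "|" + h["X-Forwarded-Host"]
	}
	if body, ok := c.store[key]; ok {
		return body // cache hit: the origin is not consulted
	}
	body := origin(h)
	c.store[key] = body
	return body
}

// check follows the listed steps: baseline, payload request, diff, clean re-fetch.
func check(c *cache) (manipulable, persistent bool) {
	baseline := c.get("/?cache=base", nil) // step 1, separate cache buster
	modified := c.get("/?cache=XYZ", map[string]string{"X-Forwarded-Host": "evil.com"})
	if modified == baseline { // step 3: no behavioral difference
		return false, false
	}
	clean := c.get("/?cache=XYZ", nil) // step 5: same URL, no payload header
	return true, clean == modified     // step 6: poisoned body served to a clean client
}

func main() {
	for _, keyed := range []bool{false, true} {
		m, p := check(&cache{store: map[string]string{}, keyHeader: keyed})
		fmt.Printf("header in cache key=%v manipulable=%v persistent=%v\n", keyed, m, p)
	}
}
```

In the keyed run the response still changes with the header, so a diff-only check would report it, while the clean re-fetch shows nothing was stored for other clients.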
## Project Structure
```console
cachex/
├── cmd/
│   └── cachex/
│       └── main.go                 # CLI entrypoint
│
├── internal/
│   ├── app/
│   │   └── cachex/
│   │       └── cmd/
│   │           ├── banner.go       # ASCII banner
│   │           ├── flags.go        # CLI flags + config binding
│   │           └── helper.go       # Help message builder
│   ├── root.go                     # Main CLI logic & runner
│   ├── utils.go                    # File helpers
│   │
│   ├── pkg/
│   │   ├── client/
│   │   │   ├── client.go           # Custom HTTP client & transport
│   │   │   └── request.go          # Fetch + send raw requests
│   │   ├── config/
│   │   │   └── config.go           # Legacy internal config
│   │   └── logger/
│   │       ├── colors.go           # Color themes
│   │       └── logger.go           # Pretty logger (info/warn/debug/vuln)
│   │
│   └── scanner/
│       ├── core.go                 # Core poisoning test logic
│       ├── detector.go             # Behavioral response diffing
│       ├── logger.go               # Pretty + JSON output formatter
│       ├── output.go               # JSON serialization helpers
│       ├── persistchk.go           # Persistence checker (real-time poisoning)
│       ├── scanner.go              # Scan controller (single/multi mode)
│       ├── types.go                # All scanner structs & enums
│       └── utils.go                # Cache buster, merging maps, helpers
│
├── pkg/
│   ├── cachex/
│   │   ├── scanner.go              # Public API wrapper for internal scanner
│   │   ├── utils.go                # Config mappers (log mode, scan mode)
│   │   └── validate.go             # Config validation
│   │
│   └── config/
│       ├── config.go               # YAML config schema
│       ├── default.go              # Default paths + default config
│       └── payloads.go             # Default payload headers
│
├── .github/workflows/
│   └── release.yml                 # Automated builds via GoReleaser
│
├── images/
│   ├── cachex-logo.png             # Logo
│   └── cachex-demo.gif             # Showcase GIF
│
├── .goreleaser.yaml                # Multi-platform binary releases
├── .gitignore
├── go.mod
├── go.sum
├── LICENSE
└── Makefile                        # Build / install helpers
```
## Contribute
Sure, PRs are welcome!
## License
MIT © [@ayuxsec](https://github.com/ayuxsec)