SCOPE is a Python-based tool designed to identify cache poisoning vulnerabilities in subdomains. It performs the following operations for each subdomain in a given list:
- Sends a PURGE request to clear the cache.
- Checks for a specific cache hit (`X-Cache-Hits: 1`).
- Attempts a GET request with an illegal header to poison the cache.
- Verifies if the page is cached and accessible, indicating a potential vulnerability.

- Automated cache poisoning testing for multiple subdomains.
- Checks for `X-Cache-Hits: 1` to identify cache-related vulnerabilities.
- Easy integration with a list of subdomains via a `.txt` file.
- Terminal-based for efficient usage.

- Python 3.x
- `curl` installed (used for sending HTTP requests)

- Clone or download the SCOPE repository:

  ```
  git clone https://github.com/yourusername/scope.git
  cd scope
  ```

- Install dependencies (if any) and make sure Python 3 is installed:

  ```
  pip install -r requirements.txt  # If you have any dependencies listed
  ```

Create a `subdomain.txt` file, and list all the subdomains you want to test (one per line). Example:

```
subdomain1.example.com
subdomain2.example.com
subdomain3.example.com
```

Execute the script with the path to your `subdomain.txt` file:

```
python3 scope.py /path/to/subdomain.txt
```

The tool will process each subdomain in the file and perform the following checks:
- Sends a PURGE request.
- Looks for `X-Cache-Hits: 1` to determine if the subdomain is vulnerable.
- Attempts to poison the cache with an illegal header.
- Verifies if the random path is cached and accessible.

- For each subdomain, you will receive output like the following:

  ```
  [SCOPE] Testing subdomain1.example.com - Sending PURGE request...
  [SCOPE] X-Cache-Hits: 1 found - Potentially vulnerable. Proceeding with GET request...
  [SCOPE] Vulnerable! Cached page accessible at: https://subdomain1.example.com/random-path
  ```

- If the subdomain is not vulnerable, the output will indicate that no cache poisoning was detected.
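
The PURGE-then-GET sequence described above leaves a recognizable trace in the access log of the site being tested. The following is an added example, not part of SCOPE: it flags PURGE requests from clients outside a purge allowlist and any follow-up GET to the same path. The log format (common/combined), the allowlist, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "PURGE /index.html HTTP/1.1" 200 12
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "PURGE /a1b2c3 HTTP/1.1" 200 12
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /a1b2c3 HTTP/1.1" 400 310
198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "PURGE /login HTTP/1.1" 405 0
198.51.100.9 - - [01/Jan/2025:10:00:04 +0000] "GET /login HTTP/1.1" 200 5120
"""

# Assumption: only these networks may legitimately purge the cache.
PURGE_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# client, ident, user, [time], "METHOD path proto", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse(line):
    """Return (ip, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ipaddress.ip_address(ip), method, path, int(status)


def find_purge_probes(log_text, allowlist=PURGE_ALLOWLIST):
    """List (ip, path, finding) for PURGE activity from outside the allowlist."""
    findings = []
    accepted = set()  # (ip, path) pairs where an outside PURGE got a 2xx
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, status = rec
        if any(ip in net for net in allowlist):
            continue  # internal purgers are expected
        if method == "PURGE":
            ok = 200 <= status < 300
            findings.append((str(ip), path, "purge-accepted" if ok else "purge-rejected"))
            if ok:
                accepted.add((ip, path))
        elif method == "GET" and (ip, path) in accepted:
            findings.append((str(ip), path, "get-after-purge"))
    return findings
```

A `purge-accepted` finding means the cache honoured a PURGE from an untrusted source, which is the precondition the tool's first step relies on; restricting PURGE to the allowlisted networks at the cache layer removes it.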