|
1 | 1 | 
|
| 2 | + |
| 3 | + |
| 4 | +# SCOPE - Subdomain Cache Observation, Poisoning & Evaluation |
| 5 | + |
| 6 | +**SCOPE** is a Python-based tool designed to identify cache poisoning vulnerabilities in subdomains. It performs the following operations for each subdomain in a given list: |
| 7 | + |
| 8 | +1. **Sends a PURGE request** to clear the cache. |
| 9 | +2. **Checks for a specific cache hit** (`X-Cache-Hits: 1`). |
| 10 | +3. **Attempts a GET request** with an illegal header to poison the cache. |
| 11 | +4. **Verifies if the page is cached** and accessible, indicating a potential vulnerability. |
| 12 | + |
| 13 | +--- |
| 14 | + |
| 15 | +## Features |
| 16 | + |
| 17 | +- **Automated cache poisoning testing** for multiple subdomains. |
| 18 | +- **Checks for `X-Cache-Hits: 1`** to identify cache-related vulnerabilities. |
| 19 | +- **Easy integration with a list of subdomains** via a `.txt` file. |
| 20 | +- **Terminal-based** for efficient usage. |
| 21 | + |
| 22 | +--- |
| 23 | + |
| 24 | +## Installation |
| 25 | + |
| 26 | +### Prerequisites |
| 27 | + |
| 28 | +- Python 3.x |
| 29 | +- `curl` installed (used for sending HTTP requests) |
| 30 | + |
| 31 | +### Step-by-Step Setup |
| 32 | + |
| 33 | +1. Clone or download the **SCOPE** repository: |
| 34 | + |
| 35 | + ```bash |
| 36 | + git clone https://github.com/yourusername/scope.git |
| 37 | + cd scope |
| 38 | + ``` |
| 39 | + |
| 40 | +2. Install dependencies (if any) and make sure Python 3 is installed: |
| 41 | + |
| 42 | + ```bash |
| 43 | + pip install -r requirements.txt # If you have any dependencies listed |
| 44 | + ``` |
| 45 | + |
| 46 | +--- |
| 47 | + |
| 48 | +## Usage |
| 49 | + |
| 50 | + |
| 51 | +## Usage |
| 52 | +### Step 1: Prepare the Subdomain List |
| 53 | +Create a `subdomain.txt` file, and list all the subdomains you want to test (one per line). Example: |
| 54 | +``` |
| 55 | +subdomain1.example.com |
| 56 | +subdomain2.example.com |
| 57 | +subdomain3.example.com |
| 58 | +``` |
| 59 | +### Step 2: Run the Tool |
| 60 | +Execute the script with the path to your `subdomain.txt` file: |
| 61 | +```bash |
| 62 | +python3 scope.py /path/to/subdomain.txt |
| 63 | +``` |
| 64 | +The tool will process each subdomain in the file and perform the following checks: |
| 65 | +- Sends a PURGE request. |
| 66 | +- Looks for `X-Cache-Hits: 1` to determine if the subdomain is vulnerable. |
| 67 | +- Attempts to poison the cache with an illegal header. |
| 68 | +- Verifies if the random path is cached and accessible. |
| 69 | +### Output |
| 70 | +- For each subdomain, you will receive output like the following: |
| 71 | + ``` |
| 72 | + [SCOPE] Testing subdomain1.example.com - Sending PURGE request... |
| 73 | + [SCOPE] X-Cache-Hits: 1 found - Potentially vulnerable. Proceeding with GET request... |
| 74 | + [SCOPE] Vulnerable! Cached page accessible at: https://subdomain1.example.com/random-path |
| 75 | + ``` |
| 76 | +- If the subdomain is not vulnerable, the output will indicate that no cache poisoning was detected. |
| 77 | +
|
| 78 | +
|
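Review bot: The `## Usage` heading is added twice (new-file lines 48 and 51), so the rendered README shows an empty Usage section followed by the real one; drop the first. In the Installation steps, the clone URL still carries the `yourusername` placeholder, and `pip install -r requirements.txt # If you have any dependencies listed` leaves it unclear whether a requirements.txt ships with the repository, while the prerequisites say requests go through `curl`; give the real URL and either list the dependencies or remove the step. The two descriptions of the checks also disagree: the intro says step 4 "Verifies if the page is cached", while Usage says it "Verifies if the random path is cached", and a random path is never introduced before that point. The README should also name the header the tool sends as the "illegal header", explain why `X-Cache-Hits: 1` after a PURGE is treated as a signal, and state that PURGE changes cache state on the target, so an operator knows what traffic the tool generates against each subdomain before running it.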