Most cache poisoning scanners only check:
- whether a response changes with certain headers
- or whether cache-related headers exist

This produces tons of false positives and rarely confirms a real exploit.
CacheX is different.
It performs behavioral diffing, multi-threaded poisoning, and persistence verification, confirming only real, weaponizable cache poisoning.
If CacheX says [vuln] - it's legit.
- High-speed multi-threaded scanning
- Zero-FP design with behavioral diffing
- Real-time cache poisoning attempts
- Persistence confirmation for true vulnerabilities
- Single and multi-header scan modes
- YAML-based payload configuration
- JSON or pretty output formats
- Optional file-based export
- Tentative vs confirmed vuln tagging
```bash
go install github.com/ayuxdev/cachex/cmd/cachex@latest
```

Or build manually:

```bash
git clone https://github.com/ayuxdev/cachex
cd cachex
go build -o cachex "cmd/cachex/main.go"
./cachex -h
```

```bash
cachex -u https://example.com
```

```bash
cachex -l urls.txt
```

```bash
echo "https://example.com" | cachex
```

or:

```bash
cat urls.txt | cachex
```

| Category | Flag | Description |
|---|---|---|
| Input | `-u, --url` | URL to scan |
| Input | `-l, --list` | File with list of URLs |
| Concurrency | `-t, --threads` | Number of scanning threads |
| Concurrency | `-m, --scan-mode` | `single` or `multi` |
| HTTP Client | `--timeout` | Total request timeout |
| HTTP Client | `--proxy` | Proxy URL |
| Persistence Check | `--no-chk-prst` | Disable persistence checker |
| Persistence Check | `--prst-requests` | Poisoning requests |
| Persistence Check | `--prst-threads` | Threads for poisoning |
| Output | `-o, --output` | Output file |
| Output | `-j, --json` | JSON output |
| Payloads | `--pcf` | Custom payload config file |
```bash
cachex -l targets.txt -t 50 --pcf payloads.yaml --json -o results.json
```

CacheX automatically loads:

```
~/.config/cachex/config.yaml
~/.config/cachex/payloads.yaml
```
You can configure:
- Payload headers
- Default request headers
- Timeouts & concurrency
- Logging mode
- Proxy settings
- Persistence checker behavior
```
[vuln] [https://target.com] [Location Poisoning] [header: X-Forwarded-Host: evil.com] [poc: https://target.com?cache=XYZ]
```

```json
{
  "URL": "https://target.com/",
  "IsVulnerable": true,
  "IsResponseManipulable": true,
  "ManipulationType": "ChangedBody",
  "RequestHeaders": {
    "Accept": "*/*",
    "User-Agent": "Mozilla/5.0"
  },
  "PayloadHeaders": {
    "X-Forwarded-Host": "evil.com"
  },
  "OriginalResponse": {
    "StatusCode": 200,
    "Headers": {
      "...": "..."
    },
    "Body": "...",
    "Location": ""
  },
  "ModifiedResponse": {
    "StatusCode": 200,
    "Headers": {
      "...": "..."
    },
    "Body": "...",
    "Location": ""
  },
  "PersistenceCheckResult": {
    "IsPersistent": true,
    "PoCLink": "https://target.example.com/?cache=XYZ",
    "FinalResponse": {
      "StatusCode": 200,
      "Headers": {
        "...": "..."
      },
      "Body": "...",
      "Location": ""
    }
  }
}
```

- `single`: precise, tests each header independently
- `multi`: fast, tests all payload headers together
Defined in:

```
~/.config/cachex/payloads.yaml
```

Example:

```yaml
payload_headers:
  X-Forwarded-Host: evil.com
  X-Forwarded-For: 127.0.0.1
  X-Original-URL: /evilpath
  X-Client-IP: 127.0.0.1
```

```yaml
scan_mode: single
threads: 25
request_headers:
  Accept: '*/*'
  User-Agent: Mozilla/5.0 (...)
client:
  dial_timeout: 5
  handshake_timeout: 5
  response_timeout: 10
  proxy_url: ""
persistence_checker:
  enabled: true
  num_requests_to_send: 10
  threads: 5
logger:
  log_error: false
  log_mode: pretty
  debug: false
  output_file: ""
  skip_tentative: true
```

- Fetches baseline response
- Injects payload headers
- Detects response manipulation (body, code, redirect)
- If changed → launches concurrent poisoning attempts
- Fetches clean requests
- If poisoned response persists → confirmed vulnerability
- Outputs PoC link
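
The flow above, reduced to an in-process Go simulation (an added example, not CacheX's own code). `toyCache`, `fetch` and `classify` are hypothetical names, the origin and cache are constructed stand-ins, and the verdict labels are this example's reading of confirmed versus tentative. It contrasts a cache that leaves `X-Forwarded-Host` out of its key with one that includes it, which is the server-side fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// toyCache fronts a constructed origin that reflects X-Forwarded-Host. It keys
// on the URL alone, or on URL + header when keyOnHeader is true (the fix).
func toyCache(keyOnHeader bool) http.Handler {
	store := map[string]string{} // sequential demo, so no locking
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, key := r.Header.Get("X-Forwarded-Host"), r.URL.String()
		if keyOnHeader {
			key += "|" + host
		}
		if _, hit := store[key]; !hit { // miss: build the origin response
			if host == "" {
				host = r.Host
			}
			store[key] = `<script src="https://` + host + `/app.js"></script>`
		}
		fmt.Fprint(w, store[key])
	})
}

// fetch sends one in-process GET with the given headers and returns the body.
func fetch(h http.Handler, url string, hdr http.Header) string {
	req := httptest.NewRequest("GET", url, nil)
	req.Header = hdr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Body.String()
}

// classify: baseline, payload header on a cache-busted URL, clean re-fetch.
func classify(h http.Handler) string {
	baseline := fetch(h, "/?cache=base", http.Header{})
	modified := fetch(h, "/?cache=probe", http.Header{"X-Forwarded-Host": {"evil.com"}})
	if modified == baseline {
		return "not manipulable"
	}
	if fetch(h, "/?cache=probe", http.Header{}) == modified {
		return "confirmed" // manipulated body served to a clean request
	}
	return "tentative" // manipulable, but the cache did not retain it
}

func main() { fmt.Println(classify(toyCache(false)), "/", classify(toyCache(true))) }
```

With the header in the cache key the response is still manipulable by the requester, but a clean request never receives it, so only the unkeyed cache is reported as confirmed.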
```
cachex/
├── cmd/
│   └── cachex/
│       └── main.go                 # CLI entrypoint
│
├── internal/
│   ├── app/
│   │   └── cachex/
│   │       └── cmd/
│   │           ├── banner.go       # ASCII banner
│   │           ├── flags.go        # CLI flags + config binding
│   │           └── helper.go       # Help message builder
│   ├── root.go                     # Main CLI logic & runner
│   ├── utils.go                    # File helpers
│   │
│   ├── pkg/
│   │   ├── client/
│   │   │   ├── client.go           # Custom HTTP client & transport
│   │   │   └── request.go          # Fetch + send raw requests
│   │   ├── config/
│   │   │   └── config.go           # Legacy internal config
│   │   └── logger/
│   │       ├── colors.go           # Color themes
│   │       └── logger.go           # Pretty logger (info/warn/debug/vuln)
│   │
│   └── scanner/
│       ├── core.go                 # Core poisoning test logic
│       ├── detector.go             # Behavioral response diffing
│       ├── logger.go               # Pretty + JSON output formatter
│       ├── output.go               # JSON serialization helpers
│       ├── persistchk.go           # Persistence checker (real-time poisoning)
│       ├── scanner.go              # Scan controller (single/multi mode)
│       ├── types.go                # All scanner structs & enums
│       └── utils.go                # Cache buster, merging maps, helpers
│
├── pkg/
│   ├── cachex/
│   │   ├── scanner.go              # Public API wrapper for internal scanner
│   │   ├── utils.go                # Config mappers (log mode, scan mode)
│   │   └── validate.go             # Config validation
│   │
│   └── config/
│       ├── config.go               # YAML config schema
│       ├── default.go              # Default paths + default config
│       └── payloads.go             # Default payload headers
│
├── .github/workflows/
│   └── release.yml                 # Automated builds via GoReleaser
│
├── images/
│   ├── cachex-logo.png             # Logo
│   └── cachex-demo.gif             # Showcase GIF
│
├── .goreleaser.yaml                # Multi-platform binary releases
├── .gitignore
├── go.mod
├── go.sum
├── LICENSE
└── Makefile                        # Build / install helpers
```

Sure, PRs are welcome!

MIT © @ayuxdev

