I watched the author's talk at Black Hat yesterday and to my understanding, yes. It's a matter of tricking the cache into storing a request with malicious unkeyed input.
i.e. The cache looks for:
GET /advertisement/1
And caches the request body and other headers as a value with that line as the key. If you can manipulate the same key to have a different value, say by tweaking a cache-specific header, then the body of that GET response (an ad) changes for everyone hitting the same cache. Certainly worth testing with the tools that have been released ;)
i.e. The cache looks for:
GET /advertisement/1
And caches the request body and other headers as a value with that line as the key. If you can manipulate the same key to have a different value, say by tweaking a cache-specific header, then the body of that GET response (an ad) changes for everyone hitting the same cache. Certainly worth testing with the tools that have been released ;)
EDIT: The tool in question, a plugin for Burp Community + Pro: https://github.com/PortSwigger/param-miner