Web Cache Deception
In web cache deception, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
Extensions such as .css, .js, .png, etc., are usually configured to be saved in the cache. Therefore, if you were to access a non-existent URL such as www.example.com/profile.php/nonexistent.js, the cache could potentially store the response because it sees the .js extension.
This is dangerous because, if the application being tested answers such a request with the sensitive user content normally served at www.example.com/profile.php, an attacker can craft a malicious URL to steal this content from other users.
Other things to test:
www.example.com/profile.php/.js
www.example.com/profile.php/.css
www.example.com/profile.php/test.js
www.example.com/profile.php/../test.js
www.example.com/profile.php/%2e%2e/test.js
Use lesser known extensions such as .avif
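A defensive check for the behaviour described above, as an added example that is not part of the original page: it contrasts an extension-only cache rule with one that also requires the origin's Content-Type to match the extension and honours Cache-Control and Set-Cookie. The static-type table, the function names and the sample observations (including /static/app.js and x.avif) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed cache policy: static extensions and the Content-Type a real file has.
STATIC_TYPES = {
    ".css": {"text/css"},
    ".js": {"application/javascript", "text/javascript"},
    ".png": {"image/png"},
    ".avif": {"image/avif"},
}

def extension(url):
    """Suffix of the last path segment, which is all an extension rule looks at."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]
    dot = segment.rfind(".")
    return segment[dot:].lower() if dot != -1 else ""

def weak_should_cache(url, headers):
    """Extension-only rule: the behaviour that makes cache deception possible."""
    return extension(url) in STATIC_TYPES

def strict_should_cache(url, headers):
    """Cache only if the response really is the static type the URL claims."""
    allowed = STATIC_TYPES.get(extension(url))
    if allowed is None:
        return False
    cache_control = headers.get("Cache-Control", "").lower()
    if "private" in cache_control or "no-store" in cache_control or "Set-Cookie" in headers:
        return False
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return content_type in allowed

def audit(observations):
    """URLs the weak rule would cache but the strict rule refuses."""
    return [url for url, headers in observations
            if weak_should_cache(url, headers) and not strict_should_cache(url, headers)]

# Constructed observations: the origin answers every /profile.php/... path
# with the HTML profile page; /static/app.js is a genuine script.
HTML = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE = [
    ("https://www.example.com/profile.php", HTML),
    ("https://www.example.com/profile.php/nonexistent.js", HTML),
    ("https://www.example.com/profile.php/.css", HTML),
    ("https://www.example.com/profile.php/%2e%2e/test.js", HTML),
    ("https://www.example.com/profile.php/x.avif", HTML),
    ("https://www.example.com/static/app.js", {"Content-Type": "text/javascript"}),
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Because the strict rule keys on what the origin actually returned, it gives the same answer whether or not the cache and the origin normalise ../ and %2e%2e the same way.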