Web Cache Deception

In web cache deception, the attacker tricks a caching layer (CDN, reverse proxy, load balancer) into storing a response that contains another user's sensitive content, and then retrieves that cached response with a request of their own, without ever authenticating as the victim.

Exploitation

Caches are usually configured to store responses for URLs that look like static assets, i.e. paths ending in .css, .js, .png, etc. Therefore, if you access a non-existent URL such as www.example.com/profile.php/nonexistent.js, the cache may store the response simply because it sees the .js extension, even though the origin generated the response dynamically.

This is dangerous when the origin ignores the trailing path segment and still serves the content of www.example.com/profile.php (the profile of whoever is logged in) for that URL. The attacker lures an authenticated victim to the crafted URL, the cache stores the victim's personalised response under that key, and the attacker then requests the same URL with no session cookie and receives the victim's content from the cache.

Other things to test:

  • www.example.com/profile.php/.js

  • www.example.com/profile.php/.css

  • www.example.com/profile.php/test.js

  • www.example.com/profile.php/../test.js

  • www.example.com/profile.php/%2e%2e/test.js

  • Use lesser-known extensions such as .avif, in case the common ones are explicitly excluded from caching
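The following is an added example, not code from the original page: a toy model of the two components that together produce web cache deception, an origin whose router treats /profile.php/<anything> as the profile page, and a shared cache that decides cacheability from the URL extension alone. It also generates the probe paths listed above from one base path. The session store, cookie names and profile data are constructed for illustration; no real site is involved.

```python
"""Toy model of web cache deception (added example, not from the page).

Constructed stand-ins for a permissive origin and an extension-based cache.
The session data, cookie values and paths are made up for illustration.
"""

STATIC_EXTENSIONS = (".css", ".js", ".png", ".avif")

# Constructed session store: cookie value -> the sensitive profile body.
SESSIONS = {"sess-victim": "email=victim@example.com;iban=DE00123"}


def permissive_origin(path, cookie):
    """Vulnerable origin: anything under /profile.php renders the profile."""
    if path == "/profile.php" or path.startswith("/profile.php/"):
        body = SESSIONS.get(cookie)
        if body is None:
            return {"status": 302, "body": "", "headers": {"Location": "/login"}}
        return {"status": 200, "body": body, "headers": {"Content-Type": "text/html"}}
    return {"status": 404, "body": "", "headers": {}}


def hardened_origin(path, cookie):
    """Fixed origin: exact path only, and the per-user response is marked
    no-store so a cache that honours Cache-Control will not keep it."""
    if path != "/profile.php":
        return {"status": 404, "body": "", "headers": {}}
    resp = permissive_origin(path, cookie)
    resp["headers"]["Cache-Control"] = "no-store, private"
    return resp


class Cache:
    """Shared cache keyed on the raw path. by_extension=True mimics the
    common misconfiguration: cache any 200 whose URL looks like a static
    asset, regardless of Content-Type."""

    def __init__(self, origin, by_extension=True):
        self.origin, self.by_extension, self.store = origin, by_extension, {}

    def fetch(self, path, cookie=None):
        if path in self.store:
            return dict(self.store[path], cache="HIT")
        resp = self.origin(path, cookie)
        if self._cacheable(path, resp):
            self.store[path] = dict(resp)
        return dict(resp, cache="MISS")

    def _cacheable(self, path, resp):
        if resp["status"] != 200:
            return False
        if "no-store" in resp["headers"].get("Cache-Control", ""):
            return False
        if self.by_extension:
            return path.lower().endswith(STATIC_EXTENSIONS)
        # Safer rule: only cache what the origin says is a static asset.
        ctype = resp["headers"].get("Content-Type", "")
        return ctype.startswith(("text/css", "application/javascript", "image/"))


def candidate_urls(base="/profile.php"):
    """The probe paths listed above, relative to one base path. Dot-segment
    variants exist because cache and origin may normalise paths differently;
    this toy model normalises nothing, so they behave like plain suffixes."""
    return [base + s for s in ("/.js", "/.css", "/test.js", "/../test.js",
                               "/%2e%2e/test.js", "/test.avif")]


def run_attack(cache, path):
    """Victim (with session cookie) is lured to `path`; the attacker then
    requests the same URL with no cookie. Returns what the attacker sees."""
    cache.fetch(path, cookie="sess-victim")   # victim's visit primes the cache
    return cache.fetch(path, cookie=None)      # attacker reads it back


if __name__ == "__main__":
    for p in candidate_urls():
        leak = run_attack(Cache(permissive_origin), p)
        safe = run_attack(Cache(hardened_origin), p)
        print(f"{p:28} vulnerable: {leak['cache']} {leak['body']!r:42} "
              f"hardened: {safe['cache']} {safe['status']}")
```

Against a real target the confirmation step is the same as run_attack: visit the candidate URL while logged in, then request it again from a clean session (no cookies) and compare bodies; a cache hit is usually also visible in headers such as X-Cache: HIT or a non-zero Age. The model shows the two independent fixes: the origin should return 404 for unknown suffixes and mark personalised responses no-store, and the cache should decide cacheability from Cache-Control and Content-Type rather than from the URL extension. Either one alone closes this particular leak; deploying both is the safe choice.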
