Web Cache Deception #
Summary #
- Tools
- Exploit
- Methodology - Caching Sensitive Data
- Methodology - Caching Custom JavaScript
- CloudFlare Caching
- Labs
- References
Tools #
This extension identifies hidden, unlinked parameters. It’s particularly useful for finding web cache poisoning vulnerabilities.
Exploit #
- Browser requests a resource such as
http://www.example.com/home.php/non-existent.css. - Server returns the content of
http://www.example.com/home.php, most probably with HTTP caching headers that instruct to not cache this page. - The response goes through the proxy.
- The proxy identifies that the file has a css extension.
- Under the cache directory, the proxy creates a directory named home.php, and caches the imposter “CSS” file (non-existent.css) inside.
Methodology - Caching Sensitive Data #
Example 1 - Web Cache Deception on PayPal Home Page
- Normal browsing, visit home :
https://www.example.com/myaccount/home/ - Open the malicious link :
https://www.example.com/myaccount/home/malicious.css - The page is displayed as /home and the cache is saving the page
- Open a private tab with the previous URL :
https://www.example.com/myaccount/home/malicous.css - The content of the cache is displayed
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
Example 2 - Web Cache Deception on OpenAI
- Attacker crafts a dedicated .css path of the
/api/auth/sessionendpoint. - Attacker distributes the link
- Victims visit the legitimate link.
- Response is cached.
- Attacker harvests JWT Credentials.
Methodology - Caching Custom JavaScript #
- Find an un-keyed input for a Cache Poisoning
Values: User-Agent
Values: Cookie
Header: X-Forwarded-Host
Header: X-Host
Header: X-Forwarded-Server
Header: X-Forwarded-Scheme (header; also in combination with X-Forwarded-Host)
Header: X-Original-URL (Symfony)
Header: X-Rewrite-URL (Symfony)
- Cache poisoning attack - Example for
X-Forwarded-Hostun-keyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
GET /test?buster=123 HTTP/1.1
Host: target.com
X-Forwarded-Host: test"><script>alert(1)</script>
HTTP/1.1 200 OK
Cache-Control: public, no-cache
[..]
<meta property="og:image" content="https://test"><script>alert(1)</script>">
CloudFlare Caching #
CloudFlare caches the resource when the Cache-Control header is set to public and max-age is greater than 0.
- The Cloudflare CDN does not cache HTML by default
- Cloudflare only caches based on file extension and not by MIME type: cloudflare/default-cache-behavior
CloudFlare has a list of default extensions that gets cached behind their Load Balancers.
| 7Z | CSV | GIF | MIDI | PNG | TIF | ZIP |
| AVI | DOC | GZ | MKV | PPT | TIFF | ZST |
| AVIF | DOCX | ICO | MP3 | PPTX | TTF | CSS |
| APK | DMG | ISO | MP4 | PS | WEBM | FLAC |
| BIN | EJS | JAR | OGG | RAR | WEBP | MID |
| BMP | EOT | JPG | OTF | SVG | WOFF | PLS |
| BZ2 | EPS | JPEG | SVGZ | WOFF2 | TAR | |
| CLASS | EXE | JS | PICT | SWF | XLS | XLSX |
Labs #
References #
- Web Cache Deception Attack - Omer Gil
- Practical Web Cache Poisoning - James Kettle @albinowax
- Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle @albinowax
- Web Cache Deception Attack leads to user info disclosure - Kunal pandey - Feb 25
- Web cache poisoning - Web Security Academy learning materials