Post

Web Cache Deception Vulnerabilities

Posted Updated
By Shervoni
3 min read
Web Cache Deception Vulnerabilities

Web Cache Deception Vulnerability and Exploitation

What is it?

A vulnerability that enables attackers to trick web caches and gain unauthorized access to sensitive information. It is caused by inconsistencies between how the cache server and origin server handle requests.

How Does It Occur or Work?

Typical CDN Workflow:

  1. User opens content on a website.
  2. Request flows as follows:
    • User → CDN (Content Delivery Network)Origin Server.
  3. The CDN caches (saves) the response for reuse to reduce load and improve speed.
  4. Subsequent requests may fetch data from the CDN cache directly.

How Does the Vulnerability Work?

An Example:

  1. Normal Functionality:
    • A logged-in user visits their profile at:
      1

      https://example.com/profile
    • This page is dynamically generated and contains user-specific data (e.g., name, email).
    • It is not cached as it is private.
  2. The Attack:
    • An attacker manipulates the URL:
      1

      https://example.com/profile/public.css
    • The server mistakes this for a static file request, allowing the content to be cached.
  3. The Consequence:
    • If this dynamic content is cached, others accessing the manipulated URL might see the sensitive profile data.

Web Caches

What are Web Caches?

Web caches temporarily store copies of web pages, images, or other resources to speed up access and reduce server load.

Types of Web Caches:

  • Browser Cache: Stores resources locally in a user’s browser.
  • Server-Side Cache: Stores content on the web server for frequently accessed pages.
  • CDN (Content Delivery Network): Distributed caches near users to deliver content faster.

Cache Keys

  • When a cache receives an HTTP request, it determines if a cached response exists based on a cache key.
  • Cache keys typically include:
    • Base URL: example.com/page.
    • Query parameters: id=123.

Example:

  • Request: https://example.com/page?id=123.
  • Cache key: example.com/page?id=123.

If a match is found, the cached response is served.

Cache Rules

Types of Rules:

  1. Static File Extension Rules:
    • Target file types: .css, .js, .png.
  2. Static Directory Rules:
    • Apply to paths starting with /static or /assets.
  3. File Name Rules:
    • Target specific files like robots.txt or favicon.ico.

Static vs. Dynamic Files in Websites

Static Files

  • Definition: Content that does not change unless updated by a developer.
  • Examples:
    • .html, .css, .js, .jpg, .woff.

Dynamic Files

  • Definition: Content generated in real-time, customized for each request.
  • Examples:
    • .php, .jsp, .py.

How to Identify if a File is Static or Dynamic

  1. File Extension:
    • Static: .html, .css, .js.
    • Dynamic: .php, .asp.
  2. URL Behavior:
    • Static: Content remains the same for all users.
    • Dynamic: Content varies based on user interaction.
  3. HTTP Response Headers:
    • Static: Cache-Control: public, max-age=31536000.
    • Dynamic: Cache-Control: no-store.

Common Exploitation Techniques

Exploiting Path Mapping

  • Identify static extensions (e.g., .js) by sending: GET /my-account/123.js
  • If X-Cache: hit appears, the resource is cached.

Exploiting Path Delimiters

  • Use delimiters (;, ?) to bypass cache rules: GET /my-account;public.js

Exploiting Origin Normalization

  • Use traversal (../) to target sensitive paths: /resources/..%2fmy-account

Exploitation Labs

Lab: Exploiting Path Mapping

  1. Identify caching behavior:
    • Send requests like /my-account/123.js.
    • Observe X-Cache headers (miss, then hit).
  2. Exploit:
    • Redirect user to malicious URL:
      1
2
3

      <script>
  document.location="https://YOUR-LAB-ID.web-security-academy.net/my-account/123.js";
</script>

Lab: Exploiting Path Delimiters

  1. Test Delimiters:
    • Send /my-account;123.js.
    • Observe X-Cache: hit.
  2. Exploit:
    • Use <script> to cache sensitive data for victim users.

Lab Workflow Summary

  1. Identify Vulnerabilities:
    • Look for mismatched cache rules or normalization issues.
  2. Test Static and Dynamic Paths:
    • Check responses for X-Cache: misshit.
  3. Craft Payloads:
    • Combine delimiters, traversal, and static file rules.
  4. Deliver Exploit:
    • Redirect victim users to malicious URLs.
Web Security
Web-Cache Deception
This post is licensed under CC BY 4.0 by the author.