Web Cache

Web cache deception and web cache poisoning


Cache Headers

| Header | Provenance | Meaning |
|---|---|---|
| X-Cache: HIT | Generic caches (Varnish, Squid) | Response served from the server or proxy cache. |
| CF-Cache-Status: HIT | Cloudflare (CDN) | Response served from Cloudflare's cache. |

Testing

Web Cache Deception

Detection

X-Cache: HIT or CF-Cache-Status: HIT (depending on the cache in use)

Cache-Control: public -> the response may be stored by any shared cache, so anyone could potentially retrieve it.

Example 1

Response:

This page should not be put in cache

Try adding .jpg / .js / .css

Example 2

  • Normal request

The response is

  1. Try adding a cacheable extension (for example .js, .css, .jpg, etc.)

The response is

If Cf-Cache-Status / X-Cache in the response says HIT (not MISS or an error), open the same URL in an incognito window (an unauthenticated session).

Example 3

  1. Add ; before the extension (for example ;.js, ;.css, ;.jpg, etc.)

The response is

If Cf-Cache-Status / X-Cache in the response says HIT (not MISS or an error), open the same URL in an incognito window (an unauthenticated session).

Other things to test:

  • www.example.com/profile.php/.js

  • www.example.com/profile.php/.css

  • www.example.com/profile.php/test.js

  • www.example.com/profile.php/../test.js

  • www.example.com/profile.php/%2e%2e/test.js

  • Use lesser known extensions such as .avif

Example 4

/profile isn’t getting cached... but /assets/* is

Credits: https://x.com/medusa_0xf/status/1926245574065405991

Burp extension

Delimiters

See below for more information - Source: https://www.youtube.com/watch?v=9gvxEhugnVM

Spring

Matrix variables use a semicolon to add parameters

  • /user;params/home -> /user/home

  • /Myaccount;a.js -> MyAccount

Rails

Response format specifiers use a dot to select the view to render

  • /MyAccount -> Default view: myaccount.html.erb

  • /MyAccount.css -> view: myaccount.css.erb

  • /MyAccount.aaa -> Default view: myaccount.html.erb

  • /MyAccount.ico -> Default view: myaccount.html.erb

OpenLiteSpeed

Encoded null byte as delimiter

  • /MyAccount%00a.js -> /MyAccount

Nginx

Encoded newline as delimiter if rewrite is enabled

  • /user/MyAccount%0a.js -> /account/MyAccount

Decode Path

  • /%68%65%6C%6C%6F -> /hello

  • /hello%2Fworld%2Ehtml -> /hello/world.html

Segment Normalization

  • /hello/../world -> /world

  • /hello\world -> /hello/world

Static Path

  • /MyAccount$%2F%2E%2E%2Fstatic%2Fwcd -> /MyAccount/../static/wcd

Front end (path normalization): /static/wcd

Back end ($ is the delimiter): /Myaccount

For example, this is the case when CloudFront/Azure/Imperva is combined with Tomcat
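The Detection and Delimiters sections above describe the same discrepancy from two sides: the cache keys on a static-looking, normalized URL while the origin truncates the path at its own delimiter and serves a dynamic route. The following added example (not code from the original page) models both views for the delimiters listed above and flags the mismatch, plus the HIT / Cache-Control: public check from the Detection section; the backend-to-delimiter mapping, the static extension list and the /static/ and /assets/ prefixes are assumptions taken from this page's examples.

```python
import posixpath
from urllib.parse import unquote

# Origin-side delimiters from the page (matched on the raw, still-encoded path).
# Assumption: the edge cache keys on the decoded, normalized URL and does not
# know which characters the origin treats as the end of the route.
ORIGIN_DELIMITERS = {
    "spring": ";",            # matrix variables: /user;params/home -> /user/home
    "openlitespeed": "%00",   # encoded null byte
    "nginx": "%0a",           # encoded newline (rewrite enabled; rewrite target is app-specific)
    "tomcat": "$",            # $ behind CloudFront/Azure/Imperva
}
STATIC_EXTS = {".js", ".css", ".jpg", ".png", ".ico", ".avif"}
STATIC_PREFIXES = ("/static/", "/assets/")   # cached by path prefix (Example 4)

def normalize(path):
    """Front-end view: percent-decode, turn backslashes into slashes, collapse ../."""
    p = posixpath.normpath(unquote(path).replace("\\", "/"))
    return p if p.startswith("/") else "/" + p

def cache_view(path):
    """Return (cache key, whether the cache would treat it as a static asset)."""
    key = normalize(path.split("?", 1)[0])
    ext = posixpath.splitext(key)[1].lower()
    return key, ext in STATIC_EXTS or key.startswith(STATIC_PREFIXES)

def origin_view(path, backend):
    """Route the origin serves: cut the raw path at the backend delimiter, then normalize."""
    raw = path.split("?", 1)[0]
    idx = raw.lower().find(ORIGIN_DELIMITERS[backend].lower())
    if idx != -1:
        raw = raw[:idx]
    return normalize(raw)

def check(path, backend):
    """Mismatch = static-looking cache key but a dynamic origin route behind it.
    Mitigation at the origin: such routes must answer with Cache-Control: no-store."""
    key, cacheable = cache_view(path)
    route = origin_view(path, backend)
    _, route_static = cache_view(route)
    mismatch = cacheable and route != key and not route_static
    return {"cache_key": key, "origin_route": route, "mismatch": mismatch}

def served_from_shared_cache(headers):
    """Detection from the page: a HIT marker together with Cache-Control: public."""
    h = {k.lower(): v for k, v in headers.items()}
    hit = (h.get("x-cache", "").upper().startswith("HIT")
           or h.get("cf-cache-status", "").upper() == "HIT")
    return hit and "public" in h.get("cache-control", "").lower()
```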

Web Cache Poisoning

Detection

Query parameters

Look for the injected value (evil) and X-Cache: HIT / CF-Cache-Status: HIT in the response

Headers

Look for the injected host (evil.com) in the response

If the response contains X-Cache: HIT / CF-Cache-Status: HIT and the returned page is malicious or incorrect, the cache has been poisoned.

If the server answers with X-Cache: HIT / CF-Cache-Status: HIT and the page is not the expected one (e.g. an error page or an admin page), the cache may have been poisoned with an incorrect response.

XSS

Example 2:

Param Miner - Burp Extension

Right-click on a request that you want to investigate and click "Guess headers"

Tools


Resources
