search

Web Cache

Web cache deception and web cache poisoning

ko-fiarrow-up-right

hashtag
Cache Headers

Header
Provenance
Meaning

X-Cache: HIT

Generic caches (Varnish, Squid)

Response served from the server or proxy cache.

CF-Cache-Status: HIT

Cloudflare (CDN)

Response served from Cloudflare's cache.

hashtag
Testing

LogoHow I Test For Web Cache Vulnerabilities + Tips And TricksMediumchevron-right

hashtag
Web Cache Deception

LogoWeb cache deception | Web Security AcademyWebSecAcademychevron-right
LogoWeb_Hacking/Cache Deception.md at main · Mehdi0x90/Web_HackingGitHubchevron-right
LogoBug-Bounty-Methodology/Web Cache Deception.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHubchevron-right

hashtag
Detection

X-Cache: HIT or CF-Cache-Status: HIT (depending on the cache used)

Cache-Control: public -> That means anyone could potentially retrieve this response.

hashtag
Example 1

Response :

This page should not be put in cache

Try adding .jpg / .js / .css

hashtag
Example 2

  • Normal Request

The response is

  1. Try to add cacheable extension (For example .js / .css / .jpg, etc.)

The response is

If the Cf-Cache-Status / X-Cache response the request with HIT not MISS or Error. And then try to open the url in incognito mode

hashtag
Example 3

  1. Add ; before the extension (For example ;.js / ;.css / ;.jpg, etc.)

The response is

If the Cf-Cache-Status / X-Cache response the request with HIT not MISS or Error. And then try to open the url in incognito mode

hashtag
Other things to test:

  • www.example.com/profile.php/.js

  • www.example.com/profile.php/.css

  • www.example.com/profile.php/test.js

  • www.example.com/profile.php/../test.js

  • www.example.com/profile.php/%2e%2e/test.js

  • Use lesser known extensions such as .avif

hashtag
Exemple 4

/profile isn’t getting cached... but /assets/* is

Credits: https://x.com/medusa_0xf/status/1926245574065405991arrow-up-right

hashtag
Burp extension

LogoWeb Cache Deception Scannerportswigger.netchevron-right

hashtag
Delimiters

See below for more information - Sourcce: https://www.youtube.com/watch?v=9gvxEhugnVMarrow-up-right

hashtag
Spring

Matrix variales use of semicolon to add parameters

  • /user;params/home -> /user/home

  • /Myaccount;a.js -> MyAccount

hashtag
Rails

Response format specifiers use dot to render views

  • /MyAccount -> Default view: myaccount.html.erb

  • /MyAccount.css -> view: myaccount.css.erb

  • /MyAccount.aaa -> Default view: myaccount.html.erb

  • /MyAccount.ico -> Default view: myaccount.html.erb

hashtag
OpenLiteSpeed

Encoded null as delimiter

  • /MyAccount%00a.js -> /MyAccount

hashtag
Nginx

Encoded new line as delimiter if rewrite is enabled

  • /user/MyAccount%0a.js -> /account/MyAccount

hashtag
Decode Path

  • /%68%65%6C%6C%6F -> /hello

  • /hello%2Fworld%2Ehtml -> /hello/world.html

hashtag
Segment Normalization

  • /hello/../world -> /world

  • /hello\world -> /hello/world

hashtag
Static Path

  • /MyAccount$%2F%2E%2E%2Fstatic%2Fwcd -> /MyAccount/../static/wcd

Front End - Path Normalization : /static/wcd Back End - $ is delimiter : /Myaccount

For example, this is the case whe CloudFront/Azure/Imperva is combined with Tomcat

hashtag
Web Cache Poisoning

LogoPractical Web Cache PoisoningPortSwigger Researchchevron-right
LogoBug-Bounty-Methodology/Web Cache Poisoning.md at main · trilokdhaked/Bug-Bounty-MethodologyGitHubchevron-right

hashtag
Detection

hashtag
Query parameters

Look for evil and X-Cache: HIT / CF-Cache-Status: HIT in the response

hashtag
Headers

Look for evil.com in the response

If the response contains X-Cache: HIT / CF-Cache-Status: HIT and the returned page is malicious or incorrect, it means the cache has been poisoned.

If the server sends a response with X-Cache: HIT / CF-Cache-Status: HIT and the page corresponds to a malicious page (e.g., an error page or an admin page), it is possible that the cache has been poisoned with an incorrect response.

hashtag
XSS

Example 2:

hashtag
Param Miner - Burp Extension

LogoWeb cache poisoning | Web Security AcademyWebSecAcademychevron-right

Right-click on a request that you want to investigate and click "Guess headers"

hashtag
Tools

LogoGitHub - Hackmanit/Web-Cache-Vulnerability-Scanner: Web Cache Vulnerability Scanner is a Go-based CLI tool for testing for web cache poisoning. It is developed by Hackmanit GmbH (http://hackmanit.de/).GitHubchevron-right
LogoGitHub - xhzeem/toxicache: Go scanner to find web cache poisoning vulnerabilities in a list of URLsGitHubchevron-right
LogoGitHub - Th0h0/autopoisoner: Web cache poisoning vulnerability scanner.GitHubchevron-right
LogoGitHub - c0dejump/HExHTTP: Header Exploitation HTTPGitHubchevron-right

hashtag
Interesting Books

Interesting Bookschevron-right
circle-info

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

hashtag
Resources

LogoCache Poisoning and Cache Deception - HackTricksbook.hacktricks.wikichevron-right
LogoHow I Test For Web Cache Vulnerabilities + Tips And TricksMediumchevron-right
LogoBeyond Web Caching VulnerabilitiesMediumchevron-right
https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Martin%20Doyhenard%20-%20Gotta%20Cache%20em%20all%20bending%20the%20rules%20of%20web%20cache%20exploitation.pdfmedia.defcon.orgchevron-right

hashtag
Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

ko-fiarrow-up-right

buymeacoffeearrow-up-right

PreviousWeb Mass AssignmentNextClickjacking

Last updated