WCD - WCP
Web Cache Poisoning/Deception
Web Cache Deception
To test for web cache deception, try one of the several path-confusing payloads shown below:
• example.com/nonexistent.css
• example.com/%0nonexistent.css
• example.com/%3Bnonexistent.css
• example.com/%23nonexistent.css
• example.com/%3Fname=valnonexistent.css
• Use less-known extensions such as .avif
chat.openai[.]com/api/auth/session.css → 400
chat.openai[.]com/api/auth/session/test.css → 200
Omer Gil: Web Cache Deception Attack
Cache Poisoning and Cache Deception
The difference
What is the difference between web cache poisoning and web cache deception?
In web cache poisoning, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.
In web cache deception, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
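The deception above works when the cache decides cacheability from the URL (the `.css` suffix) while the origin ignores the trailing segment and serves the user's session data. The following added example (not from the original page) models that mismatch from the defender's side: a naive extension-based cache rule, a hardened rule that only caches what the origin explicitly marks as a public static asset, and a log-review check that flags a static-looking path answered with dynamic content. The URLs and responses are constructed to mirror the `/api/auth/session/test.css` case.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

STATIC_EXTS = (".css", ".js", ".png", ".avif")          # what the cache treats as static
STATIC_PREFIXES = ("/static/", "/assets/")             # assumed static mount points
STATIC_TYPES = ("text/css", "application/javascript", "image/")

@dataclass
class Response:
    status: int
    content_type: str
    headers: dict = field(default_factory=dict)

def naive_should_cache(url: str, resp: Response) -> bool:
    """Extension-based rule: cache anything that *looks* static, regardless of
    what the origin actually returned. This is the rule deception abuses."""
    path = urlsplit(url).path
    return resp.status == 200 and path.lower().endswith(STATIC_EXTS)

def hardened_should_cache(url: str, resp: Response) -> bool:
    """Cache only when the origin opted in explicitly and the response is
    consistent with a static asset; any mismatch means the path was confused."""
    path = urlsplit(url).path
    cc = resp.headers.get("Cache-Control", "").lower()
    if resp.status != 200 or "no-store" in cc or "private" in cc:
        return False
    if "Set-Cookie" in resp.headers:            # per-user response, never shared
        return False
    if not ("public" in cc and "max-age" in cc):   # origin must opt in
        return False
    if not path.startswith(STATIC_PREFIXES):    # static assets live in known paths
        return False
    return resp.content_type.startswith(STATIC_TYPES)

def deception_indicator(url: str, resp: Response) -> bool:
    """Log-review check: a 200 for a static-looking path whose body is JSON or
    HTML is the signature of a path-confusion hit worth investigating."""
    path = urlsplit(url).path
    looks_static = path.lower().endswith(STATIC_EXTS)
    dynamic_body = resp.content_type.startswith(("application/json", "text/html"))
    return resp.status == 200 and looks_static and dynamic_body

# Constructed responses: the origin routes the confused path to the session
# handler and sets no Cache-Control at all; the real stylesheet opts in.
SESSION_JSON = Response(200, "application/json")
REAL_CSS = Response(200, "text/css", {"Cache-Control": "public, max-age=3600"})
CONFUSED = "https://example.com/api/auth/session/test.css"
ASSET = "https://example.com/static/app.css"
```

Running the two policies over `CONFUSED` shows the naive rule caching the session JSON while the hardened rule refuses it, and `deception_indicator` flags the same request in access logs.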
References
Top Web Cache reports from HackerOne:
DoS on PayPal via web cache poisoning to PayPal - 811 upvotes, $9700
Web cache poisoning attack leads to user information and more to Postmates - 343 upvotes, $500
Web Cache Poisoning leads to Stored XSS to Glassdoor - 99 upvotes, $0
Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS to GSA Bounty - 77 upvotes, $750
https://themes.shopify.com::: Host header web cache poisoning lead to DoS to Shopify - 72 upvotes, $2900
web cache deception in https://tradus.com lead to name/user_id enumeration and other info to OLX - 61 upvotes, $0
Web Cache Poisoning leads to XSS and DoS to Glassdoor - 55 upvotes, $0
CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception) to Discourse - 51 upvotes, $256
Web cache deception attack on https://open.vanillaforums.com/messages/all to Vanilla - 45 upvotes, $150
[https://www.glassdoor.com] - Web Cache Deception Leads to gdtoken Disclosure to Glassdoor - 43 upvotes, $0
Web cache poisoning leads to disclosure of CSRF token and sensitive information to Smule - 35 upvotes, $0
Web Cache Deception Attack (XSS) to Discourse - 33 upvotes, $256
Web Cache Poisoning on [redacted] to U.S. Dept Of Defense - 32 upvotes, $0
Web Cache Deception vulnerability on algolia.com leads to personal information leakage to Algolia - 30 upvotes, $400
Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage to Shopify - 26 upvotes, $800
Web Cache poisoning attack leads to User information Disclosure and more to Lyst - 23 upvotes, $0
Web cache information leakage at sbermarket.ru to Mail.ru - 22 upvotes, $400
Web Cache Deception Attack (XSS) to Algolia - 21 upvotes, $0
https://help.nextcloud.com::: Web cache poisoning attack to Nextcloud - 21 upvotes, $0
[*.rocketbank.ru] Web Cache Deception & XSS to QIWI - 20 upvotes, $0
HTTP request smuggling on Basecamp 2 allows web cache poisoning to Basecamp - 17 upvotes, $1700
Web Cache Poisoning to Mail.ru - 17 upvotes, $0
Web cache poisoning at www.acronis.com to Acronis - 15 upvotes, $0
Web cache deception attack - expose token information to Chaturbate - 14 upvotes, $0
[okmedia.insideok.ru] Web Cache Poisoning & XSS to ok.ru - 13 upvotes, $0
Several domains on kaspersky.com are vulnerable to Web Cache Deception attack to Kaspersky - 13 upvotes, $0
Web Cache Poisoning leading to DoS to U.S. General Services Administration - 13 upvotes, $0
Information Leakage via TikTok Ads Web Cache Deception to TikTok - 10 upvotes, $0
Web cache deception attack - expose earning state information to Semrush - 3 upvotes, $0