WCD - WCP

Web Cache Poisoning/Deception

Web Cache Deception

Web Cache Deception

To test for web cache deception try one of the several path confusing payloads as shown below: ● example.com/nonexistent.css ● example.com/%0nonexistent.css ● example.com/%3Bnonexistent.css ● example.com/%23nonexistent.css ● example.com/%3Fname=valnonexistent.css

β€’ Use less known extensions such as .avif

chat.openai[.]com/api/auth/session.css β†’ 400

chat.openai[.]com/api/auth/session/test.css β†’ 200

Omer Gil: Web Cache Deception Attack

Cache Poisoning and Cache Deception

The difference

What is the difference between web cache poisoning and web cache deception?

  • In web cache poisoning, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.

  • In web cache deception, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.

References

Top Web Cache reports from HackerOne:

  1. DoS on PayPal via web cache poisoning to PayPal - 811 upvotes, $9700

  2. Web cache poisoning attack leads to user information and more to Postmates - 343 upvotes, $500

  3. Web Cache Poisoning leads to Stored XSS to Glassdoor - 99 upvotes, $0

  4. Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS to GSA Bounty - 77 upvotes, $750

  5. https://themes.shopify.com::: Host header web cache poisoning lead to DoS to Shopify - 72 upvotes, $2900

  6. web cache deception in https://tradus.com lead to name/user_id enumeration and other info to OLX - 61 upvotes, $0

  7. Web Cache Poisoning leads to XSS and DoS to Glassdoor - 55 upvotes, $0

  8. CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception) to Discourse - 51 upvotes, $256

  9. Web cache deception attack on https://open.vanillaforums.com/messages/all to Vanilla - 45 upvotes, $150

  10. [https://www.glassdoor.com] - Web Cache Deception Leads to gdtoken Disclosure to Glassdoor - 43 upvotes, $0

  11. Web cache poisoning leads to disclosure of CSRF token and sensitive information to Smule - 35 upvotes, $0

  12. Web Cache Deception Attack (XSS) to Discourse - 33 upvotes, $256

  13. Web Cache Poisoning on β–ˆβ–ˆβ–ˆβ–ˆβ–ˆ to U.S. Dept Of Defense - 32 upvotes, $0

  14. Web Cache Deception vulnerability on algolia.com leads to personal information leakage to Algolia - 30 upvotes, $400

  15. Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage to Shopify - 26 upvotes, $800

  16. Web Cache poisoning attack leads to User information Disclosure and more to Lyst - 23 upvotes, $0

  17. Web cache information leakage at sbermarket.ru to Mail.ru - 22 upvotes, $400

  18. Web Cache Deception Attack (XSS) to Algolia - 21 upvotes, $0

  19. https://help.nextcloud.com::: Web cache poisoning attack to Nextcloud - 21 upvotes, $0

  20. [*.rocketbank.ru] Web Cache Deception & XSS to QIWI - 20 upvotes, $0

  21. HTTP request smuggling on Basecamp 2 allows web cache poisoning to Basecamp - 17 upvotes, $1700

  22. Web Cache Poisoning to Mail.ru - 17 upvotes, $0

  23. Web cache poisoning at www.acronis.com to Acronis - 15 upvotes, $0

  24. Web cache deception attack - expose token information to Chaturbate - 14 upvotes, $0

  25. [okmedia.insideok.ru] Web Cache Poisoing & XSS to ok.ru - 13 upvotes, $0

  26. Several domains on kaspersky.com are vulnerable to Web Cache Deception attack to Kaspersky - 13 upvotes, $0

  27. Web Cache Poisoning leading to DoS to U.S. General Services Administration - 13 upvotes, $0

  28. Information Leakage via TikTok Ads Web Cache Deception to TikTok - 10 upvotes, $0

  29. Web cache deception attack - expose earning state information to Semrush - 3 upvotes, $0

PreviousSubdomain TakeoverNextWebSockets

Last updated