Web Caching Vulnerabilities
CWE-524: Use of Cache Containing Sensitive Information
Web caching is a technique used to improve the performance and efficiency of websites by storing copies of frequently accessed content closer to the user. Instead of generating the same content repeatedly, cache servers store this content and deliver it directly to users upon subsequent requests. This reduces the load on the web server, decreases response times, and conserves bandwidth. Caching can occur at various levels, such as within a Content Delivery Network (CDN), in a browser, or at an intermediary proxy.
However, if caching is misconfigured or vulnerable, attackers can exploit it to manipulate cached content, bypass security policies, or cause sensitive information to be stored and served to unintended users. This introduces a range of security risks known as web cache vulnerabilities. Understanding how caching works is essential to identifying and mitigating these vulnerabilities.
- Cache Buster: a technique to force the cache server to fetch the latest version from the web server.
- Cache Key: a unique identifier for a cached response, created from request parameters. Each cache server (e.g., Akamai, Cloudflare) defines its own key composition.
- Web Server: the back-end (application framework).
- Cache Server: the front-end (e.g., a CDN such as Akamai or Cloudflare).
- Cache Key Variation: ensure each test request has a different cache key, and analyze the cache-related response headers (e.g., Age, X-Cache, Cf-Cache-Status) to see whether the response came from the cache.
- Cacheable Responses: investigate whether the response is cacheable even when it depends on user input, CSRF tokens, or query parameters.
- Tools: Burp Suite with the Reshaper extension for identifying cacheable responses.
- Header Fuzzing: test headers with different cases and variations (X-Forwarded-Host, X_Forwarded_Host, etc.) and with multiple headers to find unkeyed headers that might result in cache poisoning. Headers like X-Forwarded-Host can sometimes be unkeyed, leading to vulnerabilities like stored XSS or open redirection.
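The header analysis above (is the response a cache hit, and should it have been stored at all?) is easy to automate. The following is an added example, not code from the original notes: it reads the cache-status headers the notes list (Age, X-Cache, Cf-Cache-Status) together with standard Cache-Control directives and flags the CWE-524 condition, a user-specific response that a shared cache has served. The sample responses are constructed.

```python
"""Audit a response's headers for the CWE-524 condition: a user-specific
response that a shared cache has stored and served.

Added example, not code from the original notes. It uses the cache-status
headers the notes mention (Age, X-Cache, Cf-Cache-Status) plus standard
Cache-Control semantics; the sample responses are constructed.
"""
from __future__ import annotations

# Constructed sample responses (header dicts), not real captures.
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "static_hit": {
        "Cf-Cache-Status": "HIT",
        "Age": "120",
        "Cache-Control": "public, max-age=3600",
        "Content-Type": "text/css",
    },
    "api_miss": {
        "X-Cache": "TCP_MISS from cache.example.net",
        "Cache-Control": "no-store",
        "Content-Type": "application/json",
    },
    "leaky_profile": {
        # Per-user JSON with a session cookie, yet served from the CDN cache.
        "Cf-Cache-Status": "HIT",
        "Age": "45",
        "Set-Cookie": "session=REDACTED; HttpOnly",
        "Content-Type": "application/json",
    },
    "ignored_private": {
        # Origin said 'private', the cache stored it anyway.
        "X-Cache": "HIT from cache.example.net",
        "Cache-Control": "private, max-age=600",
        "Content-Type": "text/html",
    },
}


def _lower(headers: dict[str, str]) -> dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def cache_control_directives(value: str) -> dict[str, str | None]:
    """Parse 'public, max-age=3600' into {'public': None, 'max-age': '3600'}."""
    directives: dict[str, str | None] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip()] = val.strip().strip('"') or None
    return directives


def cache_status(headers: dict[str, str]) -> str:
    """Return 'hit', 'miss' or 'unknown' from the CDN's status headers."""
    h = _lower(headers)
    cf = h.get("cf-cache-status", "").upper()
    if cf in {"HIT", "STALE", "UPDATING", "REVALIDATED"}:
        return "hit"
    if cf in {"MISS", "EXPIRED", "BYPASS", "DYNAMIC"}:
        return "miss"
    x_cache = h.get("x-cache", "").upper()
    if "HIT" in x_cache:
        return "hit"
    if "MISS" in x_cache:
        return "miss"
    # A positive Age with no explicit status still means a stored copy was served.
    age = h.get("age", "0")
    if age.isdigit() and int(age) > 0:
        return "hit"
    return "unknown"


def origin_allows_shared_caching(headers: dict[str, str]) -> bool:
    """True if Cache-Control permits a shared cache (CDN/proxy) to store it."""
    cc = cache_control_directives(_lower(headers).get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    return cc.get("max-age") != "0" and cc.get("s-maxage") != "0"


def looks_user_specific(headers: dict[str, str]) -> bool:
    """Signals that the body is tied to one user and must not be shared."""
    h = _lower(headers)
    if "set-cookie" in h:
        return True
    return "private" in cache_control_directives(h.get("cache-control", ""))


def audit(headers: dict[str, str]) -> list[str]:
    """Findings for one response; an empty list means nothing suspicious."""
    findings: list[str] = []
    if cache_status(headers) != "hit":
        return findings
    if looks_user_specific(headers):
        findings.append("CWE-524: user-specific response served from a shared cache")
    if not origin_allows_shared_caching(headers):
        findings.append("cache stored a response the origin marked no-store/private/max-age=0")
    return findings


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:16} {cache_status(hdrs):8} {audit(hdrs)}")
```

Run it over headers captured from your own application (for instance exported from Burp's proxy history) and any response that produces findings is one where the CDN's cache key or cache rules need reviewing; a `Set-Cookie` on a cache hit is the classic symptom of the CWE-524 case.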
Bypasses
- Query Parameter Fuzzing: focus on unkeyed query parameters (e.g., utm_.*, _method) that the cache server ignores but the web server processes, leading to potential XSS, DoS, or information leakage.
- Fat GET: handling of a GET request that carries a body.
- Cache Key Normalization: handling of the decoding of special characters.
- Path Traversal: test for path traversal (../, ..%2F, etc.) to manipulate cache paths and cache sensitive responses.
- Some web administrators configure CDNs to cache a whole prefix, e.g. path/*, so this rule can be used to cache something that is not otherwise cacheable, e.g. user info or a self-XSS response.
- Self bugs + sensitive response -> cache deception
- Path confusion variants to try: .js -> file.js -> /.js -> /file.js -> .css
Special Characters and Delimiters:
- Delimiter: a character that marks boundaries between different elements in a URL, e.g. ;, %00, %0d, %0a, %09, etc.
- Use delimiters like ;, %00, %0d to exploit discrepancies between how cache and origin servers parse requests, leading to cache poisoning.
- Discrepancies in how the cache and the origin server treat characters and strings as delimiters can also result in cache deception: when a delimiter is handled differently on each side, the cache server can be tricked into caching an uncacheable response.
- Chain delimiter discrepancies and path traversal -> cache deception
Testing for DoS: Exploit cache poisoning for DoS by forcing the cache to serve incorrect or error responses, such as caching empty responses or invalid status codes.
- Randomizer: for generating random tokens in requests to serve as a cache buster.
- Burp session configurations
- Burp Suite and Reshaper: for highlighting cacheable responses.
- Configure Burp Suite to add custom columns with Bambda code, e.g. for the headers Age, Cf-Cache-Status, X-Cache and X-Cacheable.
- Intruder with null payloads: for testing short cache durations (under 5 seconds).
CDN Headers for Debugging:
- Akamai: Pragma: akamai-x-check-cacheable
- Cloudflare: Fastly-Debug: 1
Web Cache Deception
- Use less known extensions such as .avif
- chat.openai[.]com/api/auth/session.css → 400
- chat.openai[.]com/api/auth/session/test.css → 200
What is the difference between web cache poisoning and web cache deception?
In web cache poisoning, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.
In web cache deception, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
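The deception definition just given, together with the delimiter, path traversal and path/* notes under Bypasses, comes down to one thing: the cache decides from the raw path while the origin decides from a decoded, delimiter-cut, normalised path, so the two can disagree about what a request is. The following is an added example, not code from the original notes; the CDN rules and the origin router are simplified stand-ins, and the route names and paths are constructed. It models the discrepancy for the notes' path-suffix, delimiter and traversal cases and then shows the two fixes: having the origin refuse paths it did not route exactly (the 400 in the example above), and having the cache decide from the origin's Cache-Control instead of the raw path.

```python
"""Model of the cache/origin path-parsing discrepancies behind web cache
deception (path suffix, delimiters, traversal, a 'path/*' CDN rule) and of
two defensive fixes: a strict origin router, and a CDN that keys its caching
decision on the origin's Cache-Control rather than on the raw path.

Added example, not code from the original notes. The CDN rules and origin
router are simplified stand-ins; route names and paths are constructed.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from urllib.parse import unquote

STATIC_EXTENSIONS = (".css", ".js", ".avif", ".png")
STATIC_PREFIX = "/static/"                    # the notes' "CDN caches path/*" rule
PROTECTED_ROUTES = ("/api/auth/session", "/account/profile")
DELIMITERS = (";", "\x00", "\r", "\n", "\t")  # ; %00 %0d %0a %09 from the notes


@dataclass
class Response:
    status: int
    cache_control: str
    sensitive: bool  # body contains the requesting user's data


def origin_route(raw_path: str) -> tuple[str, bool]:
    """Decode, cut at the first delimiter, normalise '..', then match the
    longest known route prefix. Returns (route, exact_match)."""
    decoded = unquote(raw_path)
    for d in DELIMITERS:
        decoded = decoded.split(d, 1)[0]
    normalised = posixpath.normpath(decoded)
    for route in PROTECTED_ROUTES:
        if normalised == route:
            return route, True
        if normalised.startswith(route + "/"):
            return route, False  # tolerated trailing suffix: the deception foothold
    return normalised, True


def origin_response(raw_path: str, strict: bool) -> Response:
    """Simplified origin. Protected routes return per-user data with
    Cache-Control: no-store; with strict=True a tolerated suffix is refused
    instead of routed (the 400 behaviour the notes show)."""
    route, exact = origin_route(raw_path)
    if route in PROTECTED_ROUTES:
        if strict and not exact:
            return Response(404, "no-store", sensitive=False)
        return Response(200, "no-store", sensitive=True)
    return Response(200, "public, max-age=3600", sensitive=False)


def naive_cdn_caches(raw_path: str, resp: Response) -> bool:
    """Misconfigured CDN: decides from the raw path alone (extension or prefix)."""
    p = raw_path.lower()
    return p.endswith(STATIC_EXTENSIONS) or p.startswith(STATIC_PREFIX)


def hardened_cdn_caches(raw_path: str, resp: Response) -> bool:
    """Fixed CDN: caches only 200s the origin explicitly marks as shareable."""
    directives = {d.strip().split("=")[0] for d in resp.cache_control.lower().split(",")}
    return resp.status == 200 and not directives & {"no-store", "private"}


def deception_possible(raw_path: str, cdn_rule, strict_origin: bool) -> bool:
    """True when a response holding the victim's data would be stored."""
    resp = origin_response(raw_path, strict_origin)
    return resp.sensitive and cdn_rule(raw_path, resp)


# Constructed request paths covering the cases the notes describe.
CONSTRUCTED_PATHS = [
    "/api/auth/session/test.css",              # path suffix
    "/api/auth/session;x.css",                 # delimiter discrepancy (;)
    "/api/auth/session%0a.css",                # delimiter discrepancy (%0a)
    "/static/..%2Fapi/auth/session/x.css",     # traversal into a cached path/* prefix
]


def summarise() -> dict[str, dict[str, bool]]:
    """Per path: does deception succeed under each configuration?"""
    return {
        path: {
            "naive_cdn": deception_possible(path, naive_cdn_caches, False),
            "strict_origin_only": deception_possible(path, naive_cdn_caches, True),
            "hardened_cdn": deception_possible(path, hardened_cdn_caches, False),
        }
        for path in CONSTRUCTED_PATHS
    }


if __name__ == "__main__":
    for path, outcome in summarise().items():
        print(f"{path:40} {outcome}")
```

The summary makes the defensive point the notes only imply: a strict origin router closes the suffix and traversal cases but not the delimiter ones, because after the delimiter cut the origin sees an exact route, while a cache that honours `no-store` closes all four. In practice both fixes belong together, since the header-based rule also depends on every dynamic endpoint actually sending a `no-store` or `private` directive.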
Web Cache Poisoning
Online Practice Labs
Web Cache Poisoning Denial of Service
Web Cache Deception
Online Practice Labs
To test for web cache deception, try one of the several path-confusion payloads shown below: