Web Caching Vulnerabilities

CWE-524: Use of Cache Containing Sensitive Information

Intro

Web caching is a technique used to improve the performance and efficiency of websites by storing copies of frequently accessed content closer to the user. Instead of generating the same content repeatedly, cache servers store this content and deliver it directly to users upon subsequent requests. This reduces the load on the web server, decreases response times, and conserves bandwidth. Caching can occur at various levels, such as within a Content Delivery Network (CDN), in a browser, or at an intermediary proxy.

However, if caching is misconfigured or vulnerable, attackers can exploit it to manipulate cached content, bypass security policies, or cause sensitive information to be stored and served to unintended users. This introduces a range of security risks known as web cache vulnerabilities. Understanding how caching works is essential to identifying and mitigating these vulnerabilities.

key Concepts

• Cache Buster: Technique to force the cache server to load the latest version from the web server.

• Cache Key: A unique identifier for cached responses, created from request parameters.

• Web Server: Back-end (application framework).

• Cache Server: Front-end (e.g., CDN like Akamai, Cloudflare).

Caching flow

If cache key not exist

If Exist

Cache Keys in common CDNs

Cache Key : unique identifier for a request in the cache server e.g.

• Akamai

• Cloudflare

Testing Web Cache Vulnerabilities:

1. Cache Key Variation: Ensure each request has a different cache key by analyzing cache-related headers (e.g., Age, X-Cache, Cf-Cache-Status).

2. Cacheable Responses: Investigate if the response is cacheable based on user input, CSRF tokens, or query parameters.

   • Tools: Burp Suite with Reshaper extension for identifying cacheable responses.

3. Header Fuzzing:

   • Test headers with different cases, variations (X-Forwarded-Host, X_Forwarded_Host, etc.), and multiple headers to find unkeyed headers that might result in cache poisoning.

   • Headers like X-Forwarded-Host can sometimes be unkeyed, leading to vulnerabilities like stored XSS or open redirection.

**Bypasses

X-Forwarded-Host
X-FORWARDED-HOST
x-forwarded-host
X_Forwarded_Host
X-Forwarded-Host :

//  Double Header
X-Forwarded-Host
X-Forwarded-Host

1. Query Parameter Fuzzing:Focus on unkeyed query parameters (e.g., utm_.*, _method) that the cache server ignores but the web server processes, leading to potential XSS, DoS, or information leakage.

2. FatGet: Handling GET method with a body

   

   
3. Cache Key Normalization: Handling unencoding of special characters

   
4. Path Traversal: Test for path traversal (../, ..%2F, etc.) to manipulate cache paths and cache sensitive responses.

   ⚠️ Static Cache Response OR Dynamic Cache Response !

   Some web administrator configure CDNs to cache e.g. path/* so we can use this to cache something not cacheable e.g. user info OR self-XSS

   
5. Self Bugs + Senseetive response -> Cache Deception

   .js->file.js-> /.js-> /file.js->.css

   
6. Special Characters and Delimiters:

   user\xFUZZ
   user\xFUZZ.js
   user%FUZZ
   user%FUZZ.js
   user%25%FUZZ
   user%25%FUZZ.js
   user%25%25%FUZZ
   user%25%25%FUZZ.js
   user%FUZZ%FUZZ
   user%FUZZ%FUZZ.js

   • Delimiter: Specify boundaries between different elements in URLs e.g. ; OR %00 OR %0d OR %0a OR %09 etc

   • Use delimiters like ;, %00, %0d to exploit discrepancies between how cache and origin servers parse requests, leading to cache poisoning.

   • Discrepancies in how the cache and origin server use characters and strings as delimiters can result in cache deception .

     
7. Delimiter discrepancies lead to cache deception: if there is a delimiter I can trick a cache server to cache uncacheable response .

   

   https://x.com/_ayoubfathi_/status/1639637351042359296

   

   
8. Chain Delimiter discrepancies AND Path traversal -> Cache Deception

   

   

   
9. Testing for DoS: Exploit cache poisoning for DoS by forcing the cache to serve incorrect or error responses, such as caching empty responses or invalid status codes.

Tools & Extension:

• Randomizer: For generating random tokens in requests to help as a cache buster.

  • Burp session configurations

• Burpsuite AND Reshaper: For highlighting cacheable responses.

Configure burpsuite to add custom columns using bambada code e.g.

Age Cf-Cache-Status X-Cache

X-Cacheable

• Intruder with NULL payloads: For testing short cache durations (under 5 seconds).

• CDN Headers for Debugging:

  • Akamai: Pragma: akamai-x-check-cacheable

  • Cloudflare: Fastly-Debug: 1

Web Cache Deception

To test for web cache deception try one of the several path confusing payloads as shown below: ● example.com/nonexistent.css ● example.com/%0nonexistent.css ● example.com/%3Bnonexistent.css ● example.com/%23nonexistent.css ● example.com/%3Fname=valnonexistent.css

• Use less known extensions such as .avif

chat.openai[.]com/api/auth/session.css → 400

chat.openai[.]com/api/auth/session/test.css → 200

Omer Gil: Web Cache Deception Attack

The difference

What is the difference between web cache poisoning and web cache deception?

• In web cache poisoning, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.

• In web cache deception, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.

Resources AND Practice Labs

Beyond Web Caching VulnerabilitiesMedium

Web Cache Poisoning

• https://portswigger.net/research/practical-web-cache-poisoning

• https://portswigger.net/research/web-cache-entanglement

Online Practice Labs

• https://portswigger.net/web-security/all-labs#web-cache-poisoning

Web Cache Poisoning Denial of Service

• https://cpdos.org/

• https://portswigger.net/research/responsible-denial-of-service-with-web-cache-poisoning

• https://youst.in/posts/cache-poisoning-at-scale/

• https://zhero-web-sec.github.io/research-and-things/nextjs-and-cache-poisoning-a-quest-for-the-black-hole

Web Cache Deception

• https://www.usenix.org/conference/usenixsecurity20/presentation/mirheidari

• https://www.usenix.org/conference/usenixsecurity22/presentation/mirheidari

• https://portswigger.net/research/gotta-cache-em-all

Online Practice Labs

• https://portswigger.net/web-security/all-labs#web-cache-deception

• https://portswigger.net/web-security/web-cache-poisoning

• hacktricks -> https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/cache-deception.md

• https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities

• https://hackerone.com/reports/593712

• https://youst.in/posts/cache-poisoning-at-scale/

• https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9

Top Web Cache reports from HackerOne:

1. DoS on PayPal via web cache poisoning to PayPal - 811 upvotes, $9700

2. Web cache poisoning attack leads to user information and more to Postmates - 343 upvotes, $500

3. Web Cache Poisoning leads to Stored XSS to Glassdoor - 99 upvotes, $0

4. Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS to GSA Bounty - 77 upvotes, $750

5. https://themes.shopify.com::: Host header web cache poisoning lead to DoS to Shopify - 72 upvotes, $2900

6. web cache deception in https://tradus.com lead to name/user_id enumeration and other info to OLX - 61 upvotes, $0

7. Web Cache Poisoning leads to XSS and DoS to Glassdoor - 55 upvotes, $0

8. CSRF-tokens on pages without no-cache headers, resulting in ATO when using CloudFlare proxy (Web Cache Deception) to Discourse - 51 upvotes, $256

9. Web cache deception attack on https://open.vanillaforums.com/messages/all to Vanilla - 45 upvotes, $150

10. [https://www.glassdoor.com] - Web Cache Deception Leads to gdtoken Disclosure to Glassdoor - 43 upvotes, $0

11. Web cache poisoning leads to disclosure of CSRF token and sensitive information to Smule - 35 upvotes, $0

12. Web Cache Deception Attack (XSS) to Discourse - 33 upvotes, $256

13. Web Cache Poisoning on █████ to U.S. Dept Of Defense - 32 upvotes, $0

14. Web Cache Deception vulnerability on algolia.com leads to personal information leakage to Algolia - 30 upvotes, $400

15. Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage to Shopify - 26 upvotes, $800

16. Web Cache poisoning attack leads to User information Disclosure and more to Lyst - 23 upvotes, $0

17. Web cache information leakage at sbermarket.ru to Mail.ru - 22 upvotes, $400

18. Web Cache Deception Attack (XSS) to Algolia - 21 upvotes, $0

19. https://help.nextcloud.com::: Web cache poisoning attack to Nextcloud - 21 upvotes, $0

20. [*.rocketbank.ru] Web Cache Deception & XSS to QIWI - 20 upvotes, $0

21. HTTP request smuggling on Basecamp 2 allows web cache poisoning to Basecamp - 17 upvotes, $1700

22. Web Cache Poisoning to Mail.ru - 17 upvotes, $0

23. Web cache poisoning at www.acronis.com to Acronis - 15 upvotes, $0

24. Web cache deception attack - expose token information to Chaturbate - 14 upvotes, $0

25. [okmedia.insideok.ru] Web Cache Poisoing & XSS to ok.ru - 13 upvotes, $0

26. Several domains on kaspersky.com are vulnerable to Web Cache Deception attack to Kaspersky - 13 upvotes, $0

27. Web Cache Poisoning leading to DoS to U.S. General Services Administration - 13 upvotes, $0

28. Information Leakage via TikTok Ads Web Cache Deception to TikTok - 10 upvotes, $0

29. Web cache deception attack - expose earning state information to Semrush - 3 upvotes, $0