Web Caching Vulnerabilities

CWE-524: Use of Cache Containing Sensitive Information

Intro

Web caching is a technique used to improve the performance and efficiency of websites by storing copies of frequently accessed content closer to the user. Instead of generating the same content repeatedly, cache servers store this content and deliver it directly to users upon subsequent requests. This reduces the load on the web server, decreases response times, and conserves bandwidth. Caching can occur at various levels, such as within a Content Delivery Network (CDN), in a browser, or at an intermediary proxy.

However, if caching is misconfigured or vulnerable, attackers can exploit it to manipulate cached content, bypass security policies, or cause sensitive information to be stored and served to unintended users. This introduces a range of security risks known as web cache vulnerabilities. Understanding how caching works is essential to identifying and mitigating these vulnerabilities.

Key Concepts

  • Cache Buster: A technique (typically a unique, random query parameter or header value) that forces the cache server to fetch the latest version from the web server instead of serving a stored copy.

  • Cache Key: A unique identifier for a cached response, built from selected request components (such as host, path and sometimes query parameters or headers). Components that are not part of the key are "unkeyed".

  • Web Server: The back end (application framework) that generates responses.

  • Cache Server: The front end (e.g., a CDN such as Akamai or Cloudflare) that stores and serves responses.

Caching flow

  • If the cache key does not exist (a miss): the cache server forwards the request to the web server, stores the response if it is cacheable, and returns it to the client.

  • If the cache key exists (a hit): the cache server returns the stored response directly, without contacting the web server.

Cache Keys in common CDNs

Cache Key: the unique identifier for a request in the cache server, e.g.

  • Akamai

  • Cloudflare

Testing Web Cache Vulnerabilities:

  1. Cache Key Variation: Make sure each test request gets its own cache key (use a cache buster) and confirm cache behaviour by analyzing cache-related headers (e.g., Age, X-Cache, Cf-Cache-Status).

  2. Cacheable Responses: Check whether responses that depend on user input, CSRF tokens, or query parameters are being cached.

    • Tools: Burp Suite with the Reshaper extension for highlighting cacheable responses.

  3. Header Fuzzing:

    • Test header-name variations (different letter cases, X-Forwarded-Host vs X_Forwarded_Host, etc.) and duplicate headers to find unkeyed headers that can result in cache poisoning.

    • Headers like X-Forwarded-Host are sometimes unkeyed, which can lead to vulnerabilities such as stored XSS or open redirection.

Bypasses (header-name and formatting variations)

X-Forwarded-Host
X-FORWARDED-HOST
x-forwarded-host
X_Forwarded_Host
X-Forwarded-Host :

// Double header
X-Forwarded-Host
X-Forwarded-Host
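The unkeyed-header case from the header-fuzzing step, as an added Python model that is not part of these notes or of any CDN's code: a toy edge cache sits in front of an origin that reflects X-Forwarded-Host into its HTML, and the only difference between the two runs is whether that header is part of the cache key. The request model, the origin, the key functions and the host name `untrusted.example` are all constructed for illustration. The case-insensitive `header()` lookup is also why the spelling variations listed above matter: HTTP header names are case-insensitive, so a cache rule matching only one exact spelling is incomplete.

```python
"""Toy model of an edge cache in front of an origin that reflects the
X-Forwarded-Host header into its HTML. Constructed example: the request
model, the origin and the key functions are invented for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]  # header names exactly as the client sent them


def header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup.

    HTTP header names are case-insensitive, so a cache rule that only
    matches the exact spelling "X-Forwarded-Host" would miss
    X-FORWARDED-HOST or x-forwarded-host while the origin still reads them.
    Normalising the name before comparison closes that gap.
    """
    wanted = name.strip().lower()
    for sent_name, value in req.headers.items():
        if sent_name.strip().lower() == wanted:
            return value
    return None


def origin(req: Request) -> Dict:
    """Origin application that (unwisely) trusts X-Forwarded-Host to build
    an absolute URL, and marks the page as publicly cacheable."""
    host = header(req, "X-Forwarded-Host") or "example.com"
    body = f'<script src="https://{host}/static/app.js"></script>'
    return {"status": 200,
            "headers": {"Cache-Control": "public, max-age=60"},
            "body": body}


KeyFn = Callable[[Request], Tuple]


class Cache:
    """Minimal shared cache: store by key, honour Cache-Control: public."""

    def __init__(self, key_fn: KeyFn) -> None:
        self.key_fn = key_fn
        self.store: Dict[Tuple, Dict] = {}
        self.log = []  # (HIT|MISS, key), kept for inspection

    def fetch(self, req: Request) -> Dict:
        key = self.key_fn(req)
        if key in self.store:
            self.log.append(("HIT", key))
            return self.store[key]
        resp = origin(req)
        if "public" in resp["headers"].get("Cache-Control", ""):
            self.store[key] = resp
        self.log.append(("MISS", key))
        return resp


def naive_key(req: Request) -> Tuple:
    """Only method and path are keyed; X-Forwarded-Host is unkeyed."""
    return (req.method, req.path)


def keyed_key(req: Request) -> Tuple:
    """Mitigation on the cache side: every request input the origin uses to
    build the response becomes part of the key (the same effect as the
    origin sending Vary: X-Forwarded-Host and the cache honouring it)."""
    return (req.method, req.path, header(req, "X-Forwarded-Host"))


def later_client_sees_injected_host(key_fn: KeyFn) -> bool:
    """Simulate one request carrying an untrusted X-Forwarded-Host, then a
    plain request for the same URL; report whether the second client
    receives the first request's host in the cached page."""
    cache = Cache(key_fn)
    cache.fetch(Request("GET", "/", {"x-forwarded-host": "untrusted.example"}))
    later = cache.fetch(Request("GET", "/", {}))
    return "untrusted.example" in later["body"]


if __name__ == "__main__":
    print("unkeyed header, page poisoned for later clients:",
          later_client_sees_injected_host(naive_key))   # True
    print("header folded into the key:",
          later_client_sees_injected_host(keyed_key))   # False
```

Folding the header into the key stops the stored page from reaching other clients, but the more robust fix is on the origin side: do not build URLs from X-Forwarded-Host at all, or have the CDN strip or overwrite it before forwarding, so there is nothing for the cache to separate.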
  1. Query Parameter Fuzzing: Focus on unkeyed query parameters (e.g., utm_.*, _method) that the cache server ignores but the web server processes; these can lead to XSS, DoS, or information leakage.

  2. Fat GET: A GET request that carries a body. The body is normally not part of the cache key, so check whether the web server reads parameters from it.

  3. Cache Key Normalization: Check how the cache server and the web server decode and normalize special characters (URL encoding) when building the key versus routing the request.

  4. Path Traversal: Test for path traversal sequences (../, ..%2F, etc.) that change which cache path a response is stored under, so that sensitive responses end up cached.

    ⚠️ Static cache response or dynamic cache response?

    Some web administrators configure CDNs to cache whole path patterns (e.g. path/*). Such a rule can cause responses that should never be cached (e.g. user info or a self-XSS response) to be stored.

  5. Self bugs + sensitive response -> cache deception

    Suffixes to try: .js, file.js, /.js, /file.js, .css

  6. Special Characters and Delimiters:

    user\xFUZZ
    user\xFUZZ.js
    user%FUZZ
    user%FUZZ.js
    user%25%FUZZ
    user%25%FUZZ.js
    user%25%25%FUZZ
    user%25%25%FUZZ.js
    user%FUZZ%FUZZ
    user%FUZZ%FUZZ.js
    • Delimiter: A character that marks a boundary between elements of a URL, e.g. ;, %00, %0d, %0a, %09.

    • Use delimiters like ;, %00, %0d to find discrepancies between how the cache and origin servers parse a request; such discrepancies can lead to cache poisoning.

    • Discrepancies in which characters and strings the cache and origin server treat as delimiters can also result in cache deception.

  7. Delimiter discrepancies lead to cache deception: if the cache and origin disagree on a delimiter, the cache server can be tricked into caching a response that should not be cacheable.

  8. Chain delimiter discrepancies and path traversal -> cache deception

  9. Testing for DoS: Cache poisoning can be used for DoS by making the cache store and serve incorrect or error responses, such as empty responses or invalid status codes.

Tools & Extension:

  • Randomizer: Generates random tokens in requests to act as a cache buster.

    • Burp session-handling configuration

  • Burp Suite and Reshaper: For highlighting cacheable responses.

Configure Burp Suite to add custom columns using Bambda code that shows the cache-related headers, e.g.

  • Age

  • Cf-Cache-Status

  • X-Cache

  • X-Cacheable

  • Intruder with null payloads: For testing short cache durations (under 5 seconds).

  • CDN Headers for Debugging:

    • Akamai: Pragma: akamai-x-check-cacheable

    • Cloudflare: Fastly-Debug: 1
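What the custom columns above are meant to surface, as an added Python example that is not part of these notes or of Burp: a small parser reads a raw HTTP response, pulls out Age, Cf-Cache-Status, X-Cache, X-Cacheable and Cache-Control, and classifies the response (served from cache or not, cacheable or not, lifetime, and the things worth flagging: a lifetime under 5 seconds, Set-Cookie on a cacheable response, a cached error status). The three sample responses are constructed and the heuristics are this script's own, not any tool's.

```python
"""Classify HTTP responses by the cache-related headers the notes suggest
watching (Age, Cf-Cache-Status, X-Cache, X-Cacheable) plus Cache-Control,
the way a custom Burp column would surface them. Constructed example: the
sample responses below are made up, and the heuristics are this script's own."""
import re
from typing import Dict, Optional, Tuple


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into status code, lower-cased header
    map and body. Repeated headers keep the last value (enough here)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def ttl_seconds(cache_control: str) -> Optional[int]:
    """Lifetime a shared cache would apply: s-maxage wins over max-age."""
    shared = re.search(r"\bs-maxage=(\d+)", cache_control, re.I)
    if shared:
        return int(shared.group(1))
    general = re.search(r"\bmax-age=(\d+)", cache_control, re.I)
    return int(general.group(1)) if general else None


def classify(raw: str) -> Dict:
    status, h, _body = parse_raw_response(raw)
    cc = h.get("cache-control", "")
    age = int(h["age"]) if h.get("age", "").isdigit() else 0
    served_from_cache = (
        h.get("x-cache", "").upper().startswith("HIT")
        or h.get("cf-cache-status", "").upper() == "HIT"
        or age > 0
    )
    forbids_shared_cache = bool(re.search(r"\b(no-store|private)\b", cc, re.I))
    ttl = ttl_seconds(cc)
    # Only call a response cacheable when there is positive evidence:
    # a cache hit, an explicit X-Cacheable: YES, or a positive lifetime.
    cacheable = not forbids_shared_cache and (
        served_from_cache
        or h.get("x-cacheable", "").upper() == "YES"
        or (ttl is not None and ttl > 0)
    )
    findings = []
    if cacheable and ttl is not None and ttl < 5:
        findings.append("cache lifetime under 5s: time requests tightly")
    if cacheable and "set-cookie" in h:
        findings.append("Set-Cookie on a cacheable response")
    if cacheable and status >= 400:
        findings.append(f"error status {status} is being cached (DoS risk)")
    return {"status": status, "cacheable": cacheable,
            "served_from_cache": served_from_cache, "ttl": ttl,
            "findings": findings}


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "cf_hit": ("HTTP/1.1 200 OK\r\nCache-Control: public, max-age=3\r\n"
               "Cf-Cache-Status: HIT\r\nAge: 2\r\nContent-Type: text/html\r\n"
               "\r\n<html>hello</html>"),
    "private": ("HTTP/1.1 200 OK\r\nCache-Control: private, no-store\r\n"
                "Set-Cookie: session=constructed\r\nCf-Cache-Status: DYNAMIC\r\n"
                "\r\n{\"user\":\"alice\"}"),
    "cached_error": ("HTTP/1.1 404 Not Found\r\nX-Cache: HIT from edge-01\r\n"
                     "Age: 15\r\nContent-Type: text/plain\r\n\r\nnot found"),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

The `cached_error` sample is the DoS case from the testing list: nothing in its Cache-Control says it may be stored, yet X-Cache and Age show the edge is serving it from cache, which is the configuration a reviewer wants to catch.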

Web Cache Deception

To test for web cache deception, try one of several path-confusion payloads such as:

  • example.com/nonexistent.css

  • example.com/%0nonexistent.css

  • example.com/%3Bnonexistent.css

  • example.com/%23nonexistent.css

  • example.com/%3Fname=valnonexistent.css

Use less-known extensions such as .avif.

chat.openai[.]com/api/auth/session.css → 400

chat.openai[.]com/api/auth/session/test.css → 200
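The delimiter-discrepancy and path-confusion cases (items 6 to 8 of the testing list and the payloads just above), as an added Python model that is not part of these notes and not any CDN's or site's code: a toy edge applies a "cache anything ending in a static extension" rule, while the origin treats `;` as a path-parameter delimiter and routes `/api/auth/session;x.css` to its session endpoint. The weak policy stores the session JSON; the hardened policy lets the origin's Cache-Control decide. The routes, the session JSON and both policies are constructed for illustration.

```python
"""Toy model of a CDN 'static extension' caching rule in front of an origin
that treats ';' as a path-parameter delimiter. Constructed example: the
routes, the session JSON and both policies are invented for illustration."""
from typing import Callable, Dict, Tuple
from urllib.parse import unquote

STATIC_EXT = (".css", ".js", ".avif")


def cache_thinks_static(path: str) -> bool:
    """Edge rule "cache anything whose last segment ends in a static
    extension": decodes once and looks at the segment as a whole, so the
    ';' inside 'session;x.css' is just another character to it."""
    last_segment = unquote(path).rsplit("/", 1)[-1]
    return last_segment.lower().endswith(STATIC_EXT)


def origin(path: str) -> Dict:
    """Origin: decode, drop a ';...' path-parameter suffix, then route.
    The session endpoint says no-store; the extension rule ignores that."""
    route = unquote(path).split(";", 1)[0]
    if route == "/api/auth/session":
        return {"status": 200,
                "headers": {"Cache-Control": "no-store",
                            "Content-Type": "application/json"},
                "body": '{"user": "alice", "token": "constructed-value"}'}
    if route.startswith("/static/"):
        return {"status": 200,
                "headers": {"Cache-Control": "public, max-age=3600",
                            "Content-Type": "text/css"},
                "body": "body { margin: 0 }"}
    return {"status": 404,
            "headers": {"Cache-Control": "no-store", "Content-Type": "text/plain"},
            "body": "not found"}


Policy = Callable[[str, Dict], bool]


def extension_policy(path: str, resp: Dict) -> bool:
    """Weak: store whenever the URL looks static, whatever the origin says."""
    return cache_thinks_static(path)


def origin_policy(path: str, resp: Dict) -> bool:
    """Hardened: the origin's Cache-Control decides. no-store and private
    always win, and only responses the origin marked public are stored."""
    cc = resp["headers"].get("Cache-Control", "")
    if "no-store" in cc or "private" in cc:
        return False
    return "public" in cc


def serve(cache: Dict[str, Dict], policy: Policy, path: str) -> Tuple[Dict, str]:
    """One request through the edge: HIT from cache or MISS to origin."""
    if path in cache:
        return cache[path], "HIT"
    resp = origin(path)
    if policy(path, resp):
        cache[path] = resp
    return resp, "MISS"


def replay(policy: Policy, path: str) -> Tuple[Dict, str]:
    """Request the same URL twice through a fresh cache (the first fetch
    models the authenticated user, the second any later client) and return
    the second result."""
    cache: Dict[str, Dict] = {}
    serve(cache, policy, path)
    return serve(cache, policy, path)


def session_body_cached(policy: Policy, path: str) -> bool:
    """True when the second client is served the session JSON from cache."""
    resp, status = replay(policy, path)
    return status == "HIT" and "token" in resp["body"]


if __name__ == "__main__":
    for p in ("/api/auth/session", "/api/auth/session;x.css",
              "/api/auth/session%3Bx.css"):
        print(p, "extension rule:", session_body_cached(extension_policy, p),
              "origin rule:", session_body_cached(origin_policy, p))
```

The `%3B` variant behaves the same as the literal `;` because both sides decode once before looking at the path; the deception only disappears when the storage decision comes from the origin's directives rather than from how the URL looks, which is the check to verify in a CDN's static-content rules.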

Omer Gil: Web Cache Deception Attack

The difference

What is the difference between web cache poisoning and web cache deception?

  • In web cache poisoning, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.

  • In web cache deception, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.

Resources AND Practice Labs

Web Cache Poisoning

Online Practice Labs

Web Cache Poisoning Denial of Service

Web Cache Deception

Online Practice Labs

Top Web Cache reports from HackerOne:

  1. DoS on PayPal via web cache poisoning to PayPal - 811 upvotes, $9700

  2. Web Cache Poisoning leads to Stored XSS to Glassdoor - 99 upvotes, $0

  3. Web Cache Poisoning leads to XSS and DoS to Glassdoor - 55 upvotes, $0

  4. Web Cache Deception Attack (XSS) to Discourse - 33 upvotes, $256

  5. Web Cache Poisoning on █████ to U.S. Dept Of Defense - 32 upvotes, $0

  6. Web Cache Deception Attack (XSS) to Algolia - 21 upvotes, $0

  7. Web Cache Poisoning to Mail.ru - 17 upvotes, $0

  8. Web cache poisoning at www.acronis.com to Acronis - 15 upvotes, $0

  9. Web Cache Poisoning leading to DoS to U.S. General Services Administration - 13 upvotes, $0
