Web Cache Deception
Web Cache Deception (WCD) is a security vulnerability that occurs when a web server or caching proxy misinterprets a client's request for a web resource and serves a different resource, often a more sensitive or private one, after caching it.
- CloudFlare Caching
- PortSwigger/param-miner: This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
Example of Web Cache Deception:
Imagine an attacker lures a logged-in victim into accessing
- The victim's browser requests the resource
- The requested resource is searched for in the cache server, but it's not found (resource not in cache).
- The request is then forwarded to the main server.
- The main server returns the content of http://www.example.com/home.php, most probably with HTTP caching headers that instruct not to cache this page.
- The response passes through the cache server.
- The cache server identifies that the file has a CSS extension.
- Under the cache directory, the cache server creates a directory named home.php and caches the impostor "CSS" file (non-existent.css) inside it.
- When the attacker requests http://www.example.com/home.php/non-existent.css, the request is sent to the cache server, and the cache server returns the cached file with the victim's sensitive
Methodology - Caching Sensitive Data
Example 1 - Web Cache Deception on PayPal Home Page
1. Normal browsing, visit home:
2. Open the malicious link:
3. The page is displayed as /home and the cache saves the page
4. Open a private tab with the previous URL:
5. The content of the cache is displayed
Example 2 - Web Cache Deception on OpenAI
1. Attacker crafts a dedicated .css path of the
2. Attacker distributes the link
3. Victims visit the legitimate link.
4. Response is cached.
5. Attacker harvests JWT Credentials.
- Find an un-keyed input for a Cache Poisoning
- Cache poisoning attack - Example for `X-Forwarded-Host` un-keyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
CloudFlare caches the resource when the `Cache-Control` header is set and `max-age` is greater than 0.
- The Cloudflare CDN does not cache HTML by default
- Cloudflare only caches based on file extension and not by MIME type: cloudflare/default-cache-behavior
CloudFlare has a list of default extensions that get cached behind their Load Balancers.
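The walkthrough above (a cache that decides purely on the `.css` extension) and the Cloudflare notes (caching by file extension rather than MIME type) describe the same decision rule. The following Python example, added here and not taken from the original page or from any CDN's code, contrasts that extension-only rule with a hardened rule that additionally requires the origin's `Content-Type` to match the extension and its `Cache-Control` to permit caching; the extension list and sample responses are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed, illustrative subset of "static" extensions a CDN might cache by default.
STATIC_EXTENSIONS = {"css", "js", "png", "jpg", "gif", "ico", "woff2"}
# Constructed mapping from extension to the MIME type the origin is expected to send.
MIME_FOR_EXTENSION = {
    "css": "text/css", "js": "application/javascript", "png": "image/png",
    "jpg": "image/jpeg", "gif": "image/gif", "ico": "image/x-icon", "woff2": "font/woff2",
}


def extension_of(url):
    """Return the lowercase extension of the URL path, e.g. '/home.php/x.css' -> 'css'."""
    return posixpath.splitext(urlsplit(url).path)[1].lstrip(".").lower()


def parse_cache_control(value):
    """Parse 'private, max-age=0' into {'private': True, 'max-age': '0'}."""
    directives = {}
    for part in value.split(","):
        name, _, val = part.strip().lower().partition("=")
        if name:
            directives[name] = val.strip() or True
    return directives


def cache_by_extension(url):
    """Vulnerable rule: cache whenever the request path ends in a static-looking extension."""
    return extension_of(url) in STATIC_EXTENSIONS


def cache_safely(url, headers):
    """Hardened rule: the extension alone is not enough; the origin response must agree."""
    h = {k.lower(): v for k, v in headers.items()}
    ext = extension_of(url)
    if ext not in STATIC_EXTENSIONS:
        return False
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    if content_type != MIME_FOR_EXTENSION.get(ext):
        return False  # e.g. text/html served for a ".css" path: a deception candidate
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    try:
        return int(cc.get("max-age", 0)) > 0
    except ValueError:
        return False
```

With the walkthrough's `/home.php/non-existent.css` request and an origin that answers `text/html` with `Cache-Control: private, no-store`, the extension rule caches while the hardened rule refuses.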
- Web Cache Deception Attack - Omer Gil
- Practical Web Cache Poisoning - James Kettle @albinowax
- Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle @albinowax
- Web Cache Deception Attack leads to user info disclosure - Kunal Pandey - Feb 25
- Web cache poisoning - Web Security Academy learning materials
- Exploiting cache design flaws
- Exploiting cache implementation flaws
- OpenAI Account Takeover - @naglinagli - Mar 24, 2023
- Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Gal Nagli