Hack. Eat. Sleep. Repeat!!!
Web cache deception is a vulnerability that enables an attacker to trick a web cache into storing sensitive, dynamic content. It’s caused by discrepancies between how the cache server and origin server handle requests.In a web cache deception attack, an attacker persuades a victim to visit a malicious URL, inducing the victim’s browser to make an ambiguous request for sensitive content. The cache misinterprets this as a request for a static resource and stores the response. The attacker can then request the same URL to access the cached response, gaining unauthorized access to private information.
GET,HEAD OR OPTIONS as objects that alter state are not always cached.Normalize paths.
Craft a malicious URL that uses the discrepancy to trick the cache into storing a dynamic response. When the victim accesses the URL, their response is stored in the cache. Using Burp, you can then send a request to the same URL to fetch the cached response containing the victim’s data.
As both URL path and any query parameters are typically included in the cache key, you can change the key by adding a query string to the path and changing it each time you send a request. Automate this process using the Param Miner extension. To do this, once you’ve installed the extension, click on the top-level Param miner > Settings menu, then select Add dynamic cachebuster. Burp now adds a unique query string to every request that you make. You can view the added query strings in the Logger tab.
X-Cache: refresh - The cached content was outdated and needed to be refreshed or revalidated.
Cache rules often target static resources by matching common file extensions like .css or .js. This is the default behavior in most CDNs.
.css gets cached since we receive the X-Cache: miss header in our response.my-account/index.css?x=y and using a cache buster which returns the page and exposes the url discrepancy-:<! doctype html>
<html>
<img src="https://0ab1008c04140d638237339a00f200c8.web-security-academy.net/my-account/index.css?cache=busted" width="0" height="0" />
</html>
/profile;foo.css. as a delimiter to specify the response format:Some delimiter characters may be processed by the victim’s browser before it forwards the request to the cache. This means that some delimiters can’t be used in an exploit. For example, browsers URL-encode characters like {, }, <, and >, and use # to truncate the path.If the cache or origin server decodes these characters, it may be possible to use an encoded version in an exploit.
/my-account;index.ico?x=y
<! doctype html>
<html>
<img src="https://0ab0003103cea50c82e1b5cb006700ed.web-security-academy.net/my-account;index.ico?fooz=bar" width="0" height="0" />
</html>
/profile%23wcd.css which decodes to #Cache sees it plainly as /profile%23wcd.css and caches it but the origin server decodes it and sees it as a discrepamcy
/myaccount%3fwcd.css:/static/..%2fprofile:/resources/-:/resources/..%2fmy-account
<! doctype html>
<html>
<img src="https://0a3d005204fb5c738344fc6f003b00b2.web-security-academy.net/resources/..%2fmy-account?foo=bar" width="0" height="0" />
</html>
/<dynamic-path>%2f%2e%2e%2f<static-directory-prefix>
/profile%2f%2e%2e%2fstatic:/static because it url decodes itThe origin server interprets the path as: /profile%2f%2e%2e%2fstatic
For example, consider the payload /profile;%2f%2e%2e%2fstatic. The origin server uses ; as a delimiter:
/resources only but the delimeter pops up because the origin-server decodes #-:/my-account%23%2f%2e%2e%2fresources?x=y
<! doctype html>
<html>
<img src="https://0a0b00bb037199bf8098120f00cc00fa.web-security-academy.net/my-account%23%2f%2e%2e%2fresources?foo=y" width="0" height="0" />
</html>