mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 13:25:27 +00:00
1.3 KiB
1.3 KiB
Web Cache Deception Attack
Exploit
- Browser requests
http://www.example.com/home.php/non-existent.css
. - Server returns the content of
http://www.example.com/home.php
, most probably with HTTP caching headers that instruct to not cache this page. - The response goes through the proxy.
- The proxy identifies that the file has a css extension.
- Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.
Methodology of the attack - example
- Normal browsing, visit home :
https://www.example.com/myaccount/home/
- Open the malicious link :
https://www.example.com/myaccount/home/malicious.css
- The page is displayed as /home and the cache is saving the page
- Open a private tab with the previous URL :
https://www.paypal.com/myaccount/home/malicous.css
- The content of the cache is displayed
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page