Support Security Links

Tools

Method

Bypass Client/Server Side Filter

HTTP Rate Limit Bypass

Virtual Hosts (VHOSTS) Enumeration

WAF (Web Application Firewall) Detection

Web Basic Pentesting

Web Content Discovery

Web Login Bypass

Web Registration (Signup) Attack

Web Server Security Misconfiguration

Security Risk

Broken Access Control

Business Logic Attack

CORS (Cross-Origin Resource Sharing) Attack

CRLF (Carriage Return Line Feed) Injection

CSRF (Cross-Site Request Forgery)

Client-Side JavaScript Validation Bypass

Directory (Path) Traversal

File Inclusion (LFI/RFI)

File Upload Attack

File Upload Attack on Exiftool

File Upload Attack on ImageMagick

HTTP Header Injection

HTTP Request Smuggling

Host Header Attack

IDOR (Insecure Direct Object References) Attack

Insecure Deserialization

JSON.NET Deserialization

LaTeX Injection

NoSQL Injection

Node.js Deserialization Attack

OS Command Injection

PHP Filters Chain

PHP Object Injection

Prototype Pollution in Client-Side

Prototype Pollution in Server-Side

SQL Injection Cheat Sheet

SQL Injection with Sqlmap

SSRF (Server-Side Request Forgery)

SSTI (Server-Side Template Injection)

Web Cache Deception

Web Cache Poisoning

Web Race Condition Attack

XSS (Cross-Site Scripting)

XSS with Dynamic PDF

XST (Cross-Site Tracing)

XXE (XML External Entity)

wkhtmltopdf SSRF

Cookie

Cookie Hijacking

Session Fixation

CMS

Bolt CMS Pentesting

CMS (Content Management System) Pentesting

Cockpit CMS Pentesting

Concrete CMS Pentesting

FUEL CMS Pentesting

Joomla CMS Pentesting

Mara CMS Pentesting

Subrion CMS Pentesting

TYPO3 Pentesting

WordPress Pentesting

Framework

AJP (Apache JServ Protocol) Pentesting

Angular Pentesting

Apache Struts Pentesting

Django Pentesting

Flask Jinja2 Pentesting

Python Pickle RCE

Ruby on Rails Pentesting

Spring Cloud Function RCE

Spring Pentesting

Tornado Pentesting

Werkzeug Pentesting

Template Engine

JsRender Template Injection

API

GraphQL Pentesting

Cloud

AWS (Amazon Web Services) Pentesting

Spring Cloud Function RCE

Microsoft

Microsoft Exchange Server Pentesting

Tool

Add Custom HTTP Headers in Burp Suite

Automate Sequence Requests with Burp Intruder

Burp Suite Troubleshooting

File Upload Attack on Exiftool

How to Use OWASP ZAP

Integrate Burp Request and SQLmap

SOCKS Proxy in Burp Suite

Turbo Intruder in Burp Suite

Others

Apache ActiveMQ Pentesting

Apache Tomcat Pentesting

Apache Zeppelin Pentesting

Atlassian Confluence Pentesting

Bookmarklet Attack

Broken Link Hijacking

Browser in the Browser (BITB) Attack

Cacti Pentesting

Captcha Bypass with OCR

ClipBucket Pentesting

Code Deobfuscation

Codiad Pentesting

Dump Git Repository from Website

Extract Web Browser Passwords

GhostScript Pentesting

Grafana Pentesting

HashiCorp Consul Pentesting

Icinga Web Pentesting

JBOSS Pentesting

JWT (Json Web Token) Pentesting

Java RMI Pentesting

Jenkins Pentesting

LimeSurvey Pentesting

Log4j Pentesting

OpenCATS Pentesting

PHP RCE Cheat Sheet

PHP Srand Time Abusing

PHP hash_hmac Bypass

Restaurant Management System (RMS) Pentesting

TeamCity Pentesting

Tiny File Manager Pentesting

Web Browser Settings for Pentesting

Web PHP Pentesting

WebAnno Pentesting

WebDAV Pentesting

WebSocket Pentesting

Webmin Pentesting

Web Cache Deception

Last modified: 2024-08-20

Web Cache Deception is a technique that deceives a web cache proxy to store/steal unexpected data such as user’s sensitive data.

Enumeration

1. Find Pages Containing Sensitive Information

Fist of all, we need to find pages that contain sensitive data to steal. For example,

User profile page
API key settings page

If the response contains these secret information, it’s worth to try the web cache deception. Our goal is to steal victim’s information by abusing the cache.

2. Identify Discrepancies

Path Mapping

Assume that we’ve found API key settings page (/api). Modify the path for adding the extension (/api/abc.js) and send request, then check if the response content is the same as the /api and look at the value of the X-Cache response header:
- X-Cache: miss : The response was NOT served from the cache.
- X-Cache: hit : The response was served from the cache.
If the X-Cache header does not exist, the website may not be vulnerable to Web Cache Deception.
If the X-Cache value is miss, we try to send the same request again and check if the X-Cache value changes to hit.
If the X-Cache value becomes hit , it indicates that the response data has been stored into the cache. This means that anyone who sends a request to this path will be able to see what is stored in the cache until expiration.
Characters Used as Deilimiters

To find characters that are used as delimiters by the origin server, enumerate characters as below. We can refers the PortSwigger’s awesome list.
```
/api!abc.js
/api"abc.js
/api#abc.js
/api?abc.js
/api%00abc.js
...


/api%21abc.js
/api%22abc.js
/api%23abc.js
/api%3Fabc.js
...
```
Path Normalization Discrepancies

If the website serves static files under some directory, we can abuse it:
```
/assets/..%2fapi
/js/..%2fapi
/static/..%2fapi
/resources/..%2fapi
```

Exploit

Guide Victims to Send Request for Storing Data in the Cache

To steal victims sensitive information, we have to guide victims to send request to /api/xxx.js or other path for storing their data. There are several ways to achieve this:

XSS
CSRF
Phishing

In the techniques above, we can craft malicious code to make victims to send request to arbitrary path. Please note that we must not specify the path that we've already sent (e.g. "/profile/api/abc.js" as above) because the response of the path is served from the cache storing our sensitive information, so victims can see them.

<script>document.location="https://vulnerable.com/api/xxx.js"</script>

After the victim sends request to this path, the victim’s sensitive information is stored in the cache, so we can see it by requesting /api/xxx.js.

References

https://portswigger.net/web-security/web-cache-deception

ON THIS PAGE

Enumeration Exploit