Web Cache Deception

Web Cache Deception is an attack that tricks a cache into storing a victim's sensitive, dynamic content by exploiting URL parsing inconsistencies between the cache and the application server.

How It Works

The attacker crafts a URL that the application interprets as a dynamic page (serving personalized content) but the cache interprets as a static resource (and caches it). When the victim visits this URL, their sensitive data gets cached and becomes accessible to the attacker.

Attack Flow

1. Attacker crafts malicious URL:
   https://example.com/account/settings/nonexistent.css

2. Attacker sends link to victim (phishing, social engineering)

3. Victim clicks link while authenticated
   - App server: Ignores "nonexistent.css", serves /account/settings
   - Response contains victim's personal data

4. Cache: Sees .css extension, caches the response

5. Attacker requests same URL (unauthenticated)
   - Cache serves cached response containing victim's data

URL Parsing Differences

# Various path confusion techniques (each relies on the cache and the app
# splitting the path differently)
/account/settings/anything.css            # app ignores the extra segment, cache keys on .css
/account/settings/..%2fnonexistent.css    # encoded slash: app may decode and normalise, cache may not
/account/settings;nonexistent.css         # ';' path parameter: app may strip it, cache sees .css
/account/settings%00.css                  # null byte: app may truncate the path, cache sees .css

Stolen Data Examples

  • Personal information
  • Session tokens
  • CSRF tokens
  • API keys in page content
  • Financial information

Prevention

  • Configure cache to only cache specific static paths
  • Use Cache-Control: no-store for sensitive pages
  • Ensure consistent URL parsing between cache and application
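
The flow above and the first two prevention points, as an added example that is not part of the original page: a toy cache in front of a toy application server. The app, the cache classes and the paths are constructed for illustration; the cache keyed on file extension reproduces the leak, the allowlist cache that also honours Cache-Control does not.

```python
# Constructed example: a toy application server behind two toy cache policies.
STATIC_EXTS = (".css", ".js", ".png")

def app_server(path, user):
    """Constructed app: routes /account/settings by prefix and ignores any
    trailing segment, so /account/settings/nonexistent.css is still personal."""
    if path.startswith("/account/settings"):
        body = f"settings for {user}" if user else "login required"
        return {"headers": {"Cache-Control": "no-store"}, "body": body}
    if path.startswith("/static/"):
        return {"headers": {"Cache-Control": "public, max-age=3600"}, "body": "site.css"}
    return {"headers": {}, "body": "not found"}

class ExtensionCache:
    """Vulnerable: a 'cache everything that looks static' rule keyed on the
    file extension, applied regardless of what the origin's headers say."""
    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def get(self, path, user=None):
        if path in self.store:
            return self.store[path], "HIT"
        resp = self.origin(path, user)
        if self.cacheable(path, resp):
            self.store[path] = resp
        return resp, "MISS"

    def cacheable(self, path, resp):
        return path.endswith(STATIC_EXTS)

class AllowlistCache(ExtensionCache):
    """Hardened: only cache under an explicit static prefix, and never cache
    a response the origin marked no-store or private."""
    def cacheable(self, path, resp):
        cc = resp["headers"].get("Cache-Control", "")
        return path.startswith("/static/") and not ("no-store" in cc or "private" in cc)

def simulate_flow(cache_cls):
    """Replay the flow: an authenticated victim visits the crafted URL, then an
    unauthenticated request for the same URL follows. Returns (body, cache state)."""
    cache = cache_cls(app_server)
    url = "/account/settings/nonexistent.css"
    cache.get(url, user="victim")
    resp, state = cache.get(url, user=None)
    return resp["body"], state
```

With the extension rule the second request is a HIT containing the victim's settings; with the allowlist rule it is a MISS that only yields the login page.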

See Also