What is the difference between web cache poisoning and web cache deception?
In web cache poisoning, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users. In web cache deception, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
Cache headers

A page may use an unkeyed request header such as X-Forwarded-For to tell the client where to load a script from. The response headers tell you whether a response is being cached and how:

X-Cache in the response can be very useful, as it may have the value miss when the request wasn't cached and the value hit when it is cached.

The header Cache-Control is also interesting: it shows whether a resource is being cached and when the resource will next be cached again, for example Cache-Control: public, max-age=1800.

Another interesting header is Vary. It is often used to indicate additional headers that are treated as part of the cache key even if they are normally unkeyed. Therefore, if the user knows the User-Agent of the victim they are targeting, they can poison the cache for the users using that specific User-Agent.

One more header related to the cache is Age. It gives the time in seconds that the object has been in the proxy cache.

Cache poisoning examples

Easiest case: a header such as X-Forwarded-For is reflected in the response unsanitized. You can send a basic XSS payload and poison the cache so that everybody who accesses the page will be XSSed. Note that this poisons the cached response for /en?region=uk, not for /en.

Multiple headers: set X-Forwarded-Host to a domain controlled by you and X-Forwarded-Scheme to http. If the server forwards all HTTP requests to HTTPS and uses the X-Forwarded-Scheme header as the domain name for the redirect, you can control where the page pointed to by the redirect goes.

Limited Vary header: if the X-Host header is used as the domain name to load a JS resource, but the Vary header in the response lists User-Agent, then you need to find a way to exfiltrate the victim's User-Agent and poison the cache using that user agent.

Automated testing: the wcvs scanner can be pointed at a target with wcvs -u example.com.

Cache deception

Extensions such as .css, .js, .png etc. are usually configured to be saved in the cache. Therefore, if you access www.example.com/profile.php/nonexistent.js the cache will probably store the response because it sees the .js extension. But if the application replies with the sensitive user contents stored in www.example.com/profile.php, you can steal those contents from other users. Note also that such a response carries a text/html content-type instead of a text/css mime type (which is the expected one for a .css file).
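As an added example (not code from the original page), the checks above can be scripted: the Python below parses the cache headers discussed (X-Cache, Cache-Control, Age, Vary), flags a static-looking path that comes back as text/html (the cache deception sign from the last paragraph), and lists request headers that are echoed in a response body without appearing in Vary. The static extension list, the header values and the canary domain are assumptions constructed for this example.

```python
# Extensions a shared cache is assumed to store by default (constructed list for this example).
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".avif"}


def _lower(headers):
    """Case-insensitive view of a header dict."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def parse_cache_control(value):
    """Turn 'public, max-age=1800' into {'public': None, 'max-age': 1800}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name] = int(arg) if arg.isdigit() else (arg or None)
    return directives


def cache_state(headers):
    """Summarise X-Cache, Cache-Control, Age and Vary: served from cache, for how long, keyed on what."""
    h = _lower(headers)
    cc = parse_cache_control(h.get("cache-control", ""))
    return {
        "hit": h.get("x-cache", "").lower().startswith("hit"),
        # Without no-store/private a shared cache may keep the response (even heuristically with no Cache-Control).
        "shared_cacheable": "no-store" not in cc and "private" not in cc,
        "max_age": cc.get("max-age"),
        "age": int(h["age"]) if h.get("age", "").isdigit() else None,
        "vary": [v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()],
    }


def deception_risk(path, headers):
    """True when a static-looking path such as /profile.php/nonexistent.js returns HTML a shared cache may store."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    ctype = _lower(headers).get("content-type", "").split(";")[0].strip().lower()
    return ext in STATIC_EXTENSIONS and ctype == "text/html" and cache_state(headers)["shared_cacheable"]


def reflected_unkeyed(request_headers, body, response_headers):
    """Request headers echoed in the body but missing from Vary: reflected yet not part of the cache key."""
    vary = cache_state(response_headers)["vary"]
    return [n for n, v in request_headers.items() if v and v in body and n.lower() not in vary]
```

Run it against your own responses: a non-empty result from reflected_unkeyed, or deception_risk returning True, is the condition to fix before a shared cache sits in front of the application.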