TL;DR

  • Trick the cache into storing dynamic, sensitive responses.
  • Exploit path parsing discrepancies between cache and origin.
  • Use cache busters to avoid stale data while testing.

What It Is

Web cache deception happens when a cache treats a dynamic response as a static asset and stores it. An attacker can then request the cached URL and retrieve the victim's data.

Typical Steps

  1. Find a dynamic endpoint with sensitive data.
  2. Identify path parsing differences (delimiters, normalization, extensions).
  3. Craft a URL that the cache treats as static.
  4. Use a victim session to populate the cache.
  5. Fetch the same URL and retrieve cached data.
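
Seen from the cache side, the discrepancy in steps 2 and 3 shows up as a stored response whose URL looks static while its headers say otherwise. The check below is an added example, not part of the original page; the log fields (url, content_type, cache_control, set_cookie, cached), the extension table and the sample entries are constructed assumptions.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Extension -> Content-Types expected for it (assumed table, not exhaustive).
EXPECTED = {
    ".css": ("text/css",),
    ".js": ("application/javascript", "text/javascript"),
    ".png": ("image/png",),
    ".jpg": ("image/jpeg",),
}

def static_extension(url):
    """Extension of the decoded last path segment, as an extension-based cache rule sees it."""
    path = unquote(urlsplit(url).path)
    return posixpath.splitext(path.rsplit("/", 1)[-1])[1].lower()

def findings(entry):
    """Reasons why storing this response under a static-looking URL is unsafe."""
    ext = static_extension(entry["url"])
    if ext not in EXPECTED:
        return []
    reasons = []
    ctype = entry["content_type"].split(";")[0].strip().lower()
    if ctype not in EXPECTED[ext]:
        reasons.append(f"extension {ext} but Content-Type {ctype}")
    directives = {d.split("=")[0].strip().lower() for d in entry["cache_control"].split(",")}
    if directives & {"private", "no-store"}:
        reasons.append("origin marked response private/no-store")
    if entry["set_cookie"]:
        reasons.append("response sets a cookie")
    return reasons

def audit(entries):
    """Map URL -> reasons for every response the cache actually stored."""
    report = {}
    for e in entries:
        reasons = findings(e) if e["cached"] else []
        if reasons:
            report[e["url"]] = reasons
    return report

# Constructed cache log entries (hypothetical field names, not real traffic).
FIELDS = ("url", "content_type", "cache_control", "set_cookie", "cached")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("/static/app.css", "text/css", "public, max-age=3600", False, True),
    ("/account/profile/x.css", "text/html; charset=utf-8", "private", False, True),
    ("/account/profile;x.js", "application/json", "", True, True),
    ("/api/me%2Fa.png", "application/json", "no-store", False, False),
]]
```

Any entry this audit reports means the cache rule is trusting the URL extension; the caching decision should follow the origin's Content-Type and Cache-Control headers instead.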

Cache Buster Tip

Use unique query strings while testing to avoid reading cached responses.

Difference vs Cache Poisoning

  • Cache poisoning injects malicious content into shared cache entries.
  • Cache deception stores a victim's private response under a cacheable URL.