Skip to content

Adding Cache Deception category #557

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nnons merged 1 commit into from
Mar 11, 2025
Merged

Adding Cache Deception category #557

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions ...description/server_security_misconfiguration/cache_deception/recommendations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
# Recommendation(s)

The most effective way to prevent cache deception is to carefully control which responses are cached and to avoid caching responses that contain user-specific or sensitive data.

Ensure that authentication-protected pages and any responses containing sensitive information explicitly disable caching via headers such as `Cache-Control: no-store, no-cache, must-revalidate` and `Pragma: no-cache`.

Be particularly cautious with URL structures. Cache deception attacks often rely on tricking the cache into treating dynamic responses as static. A simple mitigation is to ensure that URLs ending in extensions like `.css`, `.js`, `.png`, etc., only serve static content and do not process dynamic requests.

For additional protection, configure your cache layer to only cache responses from a predefined allowlist of safe URL patterns. This prevents attackers from injecting deceptive paths that lead to cached sensitive data.

Auditing your cache behavior using tools like Param Miner or manual testing can help identify and eliminate unintended caching of sensitive responses. Additionally, security headers such as `X-Content-Type-Options: nosniff` can help prevent certain forms of cache-related attacks.

Finally, if your application uses a CDN or a reverse proxy (e.g., Cloudflare, Akamai, Varnish), ensure that caching rules are correctly configured to prevent caching of personalized or user-specific content.

For more information, refer to the following resource:
<https://portswigger.net/web-security/web-cache-deception>
25 changes: 25 additions & 0 deletions ...ssions/description/server_security_misconfiguration/cache_deception/template.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
Cache deception allows an attacker to serve fake static files, forcing the web server to mistakenly cache and serve dynamic content as though it were static. If subsequent users make requests to the same URL, they are served the cached page. This can lead to sensitive data exposure for multiple users across different sessions.

**Business Impact**

This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust.

**Steps to Reproduce**

1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
1. Use a browser to navigate to the following url: {{URL}}
1. Intercept the request in the HTTP interception Proxy and change HTTP header: {{value}} to {{value}}
1. Forward the following request to the endpoint:

```HTTP
{{request}}
```

1. Notice that the following page is cached: {{screenshot}}
1. Perform {{action}} to demonstrate cache deception

**Proof of Concept (PoC)**

The screenshot(s) below demonstrate(s) this vulnerability:

{{screenshot}}