Web Cache Deception

Severity: Critical
Summary#

Invicti detected that the server is vulnerable to Web Cache Deception Attacks.

The server is vulnerable to the so called Web Cache Deception Attack. This is often caused by a non-standard server-side setting overriding recommended Cache-Control directives. Due to the cache misconfiguration, an attacker may send a specially crafted link to users of your site, which will result in the leak of sensitive data.

In a typical Web Cache Deception Attack, an attacker first searches for a web page containing highly sensitive and useful information, such as a settings page or a shopping cart. Even pages with non-sensitive information might be at risk, as they may contain CSRF Tokens, that attackers may use for a Cross-Site-Request-Forgery attack.

Then the attacker uses the acquired link, for example https://example.com/settings.php and appends a path with a file extension, which may look like a static stylesheet or image. This works as many server configurations allow you to append paths to existing files or routes. In this case, it's possible to append these paths to files with the .php extension. Very often this default behaviour is desired and expected, as it allows developers to use REST-style URLs without having to configure complicated rewrite rules. However it also leads to problems. 

The attacker would then send the manipulated link to the victim. Once the victim's browser accesses the URL, it sends along the victim's cookies. So the cache server would receive the request for example for https://example.com/settings.php/stylesheet.css and will treat it as a static stylesheet file. In many environments where aggressive caching is needed to keep the number of requests to the server as low as possible, the cache server may override the Cache-Control header sent by the application and use the public cache control directive for all files ending in .css. This means that the page will be cached for all users of the site, even though its content belongs to a single user and may contain sensitive data.

After a while the attacker checks back on the page, simply by visiting it in a browser. If the victim visited the link, the attacker will be greeted with the same page the victim saw, with the content of https://example.com/settings.php, which may contain their sensitive information, CSRF tokens and more.

Impact#
  • Theft of sensitive information
    • Insecurely stored Credit Card details
    • Addresses
    • Site-Specific information
      • Search history
      • Shopping cart content
  • Carrying out actions on behalf of the user
    • Using CSRF Tokens for a Cross-Site-Request-Forgery attack
  • Account theft
    • Stealing access tokens or plaintext passwords
  • Enabling exploitation of otherwise unexploitable vulnerabilities, such as self-XSS
Remediation#

It is strongly advised to refrain from classifying file types, such as images or stylesheets solely by their URL and file extension. Instead you should make sure that files are cached based on their Content-Type header. 

 

Additionally your cache server should respect the Cache-Control headers set by your application, as they were often set with a specific goal in mind and should not be changed in order to prevent the leak of sensitive information.

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works