BIPI

Web Cache Deception in 2023: Path Confusion and Header Tricks

Cybersecurity

Cache deception turns a CDN into a sensitive data leak. We cover delimiter confusion, file extension tricks, header based variants, and the Akamai, Cloudflare, and Varnish configurations that make it work.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 14, 2023 · 10 min read

#cache-deception #cdn #pentesting #akamai #cloudflare

The original Omer Gil attack

A browser visits /account/profile/aaa.css. The origin ignores the suffix and returns the victim's profile. The CDN sees a .css extension and caches the response as static. Anyone who visits the same URL afterwards gets the cached HTML containing the victim's data.

Path normalization variants

Different cache and origin pairs disagree on delimiters. /account/profile;.css, /account/profile/%2e%2e/x.css, /account/profile%00.css, and /account/profile/.css are each interpreted differently by the two layers. The bug lives in the gap between the cache's rules and the origin's routing.

  • Semicolon path parameters, supported by Java Tomcat, ignored by some CDNs
  • Encoded slash %2f, normalized by some layers and not others
  • Backslash in URL, treated as separator by some origins
  • Double encoded null byte, truncates origin path but not cache key

Header based deception

Cache keys often exclude headers like Accept or Accept-Encoding. Send Accept: text/html with one request and Accept: application/json with another. If the cache stores the first and serves it to the second, you have header confusion that can leak across content types.

Cache poisoning meets deception

The X-Forwarded-Host, X-Original-URL, and X-Rewrite-URL headers can change the response while not being part of the cache key. Send a poisoned header from your session, then victims pull your poisoned response when they request the same URL.

Discovery workflow

  1. Identify endpoints that return user specific data without Cache-Control: private
  2. Append static extensions, /endpoint/anything.css, .js, .png, .woff
  3. Check response headers, look for X-Cache: HIT after a second request from a different session
  4. Confirm leak by visiting the crafted URL while logged out

Tooling

Param Miner Burp extension for cache key analysis, smuggler.py for HTTP request smuggling combinations, and a simple curl loop with X-Cache header inspection. Akamai and Cloudflare each have CDN debug headers you can request.

Detection

  • Unexpected static extensions hitting dynamic routes in origin logs
  • Cache HIT ratio anomalies on user specific endpoints
  • Burst of requests with rare header combinations
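The first detection bullet, applied to the delimiter variants from the path normalization section, as an added example that is not part of the original post. It models a suffix-based cache rule and a Tomcat-style origin dispatcher side by side and flags log lines where the two disagree; the log format, the route prefixes and the x_cache field are constructed assumptions for the example, not any particular CDN's format.

```python
import re
from urllib.parse import unquote

# Constructed for this example: extensions a suffix-based CDN rule treats as static,
# and route prefixes that return user-specific data at the origin.
STATIC_EXT = {"css", "js", "png", "woff", "jpg", "gif", "svg", "ico"}
DYNAMIC_PREFIXES = ("/account", "/api", "/settings")
# Constructed origin-log format: "<method> <raw path> <status> x_cache=<HIT|MISS>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) x_cache=(\S+)$")

def cache_view_ext(raw_path):
    """Extension a suffix rule sees: text after the last '.' of the last raw segment."""
    last = raw_path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else None

def origin_view_route(raw_path):
    """Route the origin dispatches on, modelled as: double percent-decode, truncate at
    a null byte, drop ';' path parameters, treat '\\' as '/', resolve dot segments."""
    path = unquote(unquote(raw_path)).split("\x00", 1)[0]
    path = re.sub(r";[^/]*", "", path).replace("\\", "/")
    parts = []
    for seg in path.split("/"):
        if seg == "..":
            if parts:
                parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)

def analyse(log_lines):
    """Flag requests the cache files as static while the origin routes them to user
    data. A cache HIT on such a request means the leak is already being served."""
    findings = []
    for m in filter(None, map(LOG_RE.match, log_lines)):
        raw, xcache = m.group(2), m.group(4)
        route = origin_view_route(raw)
        dynamic = any(route == p or route.startswith(p + "/") for p in DYNAMIC_PREFIXES)
        if cache_view_ext(raw) in STATIC_EXT and dynamic:
            findings.append(("HIGH" if xcache == "HIT" else "MEDIUM", raw, route))
    return findings

SAMPLE_LOG = [  # constructed log lines
    "GET /static/app.css 200 x_cache=HIT",
    "GET /account/profile 200 x_cache=MISS",
    "GET /account/profile/aaa.css 200 x_cache=HIT",
    "GET /account/profile;.css 200 x_cache=HIT",
    "GET /account/profile%00.css 200 x_cache=MISS",
    "GET /account/profile%2500.css 200 x_cache=MISS",
    "GET /account/profile/%2e%2e/x.css 200 x_cache=HIT",
]
```

Feeding real logs only requires replacing LOG_RE and the prefix list; the same disagreement check can also run at the origin as a reject rule for remediation step 3.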

Remediation

  1. Set Cache-Control: private, no-store on every authenticated response by default
  2. Allowlist cacheable paths at the CDN, deny everything else
  3. Normalize paths consistently between CDN and origin, reject ambiguous ones
  4. Include security relevant headers in the cache key or vary on them

$1.4M+: reported cache deception bounties in 2022
<40%: apps with default private cache headers

"If your CDN caches anything ending in .css, an attacker will find a route where .css does not mean what you think."
