Cache is not the same word as catch!! Web cache deception is a vulnerability that enables an attacker to trick a web cache into storing sensitive, dynamic content. It is caused by discrepancies between how the cache server and the origin server handle a request.
Let's first describe what this vulnerability is. A web cache sits between the origin server and the user. If a client requests a static resource, the request is first directed to the cache. If the cache doesn't contain a copy of the resource (known as a cache miss), the request is forwarded to the origin server, which processes and responds to it. The response is then sent to the cache before being sent to the user. The cache uses a pre-configured set of rules to determine whether to store the response.
When a request for the same static resource is made in the future, the cache serves the saved copy of the response directly to the user (known as a cache hit).
Apart from that, caching is widely used by content delivery networks (CDNs), which store copies of content on distributed servers all over the world. A CDN speeds up delivery by serving content from the server closest to the user.
Cache keys
When the cache receives an HTTP request, it must decide whether there is a cached response that it can serve directly, or whether it has to forward the request to the origin server. The cache makes this decision by generating a 'cache key' from elements of the HTTP request. Typically, this includes the URL path and query parameters, but it can also include a variety of other elements like headers and content type.
Cache Rules
# Static file extension rules - These rules match the file extension of the requested resource, for example .css for stylesheets or .js for JavaScript files.
# Static directory rules - These rules match all URL paths that start with a specific prefix. These are often used to target specific directories that contain only static resources, for example /static or /assets.
# File name rules - These rules match specific file names to target files that are universally required for web operations and change rarely, such as robots.txt and favicon.ico.
Detecting cached responses
During testing, it's crucial that you're able to identify cached responses. Various response headers may indicate that a response is cached. For example:
The X-Cache header provides information about whether a response was served from the cache. Typical values include:
# X-Cache: hit - The response was served from the cache.
# X-Cache: miss - The cache did not contain a response for the request's key, so it was fetched from the origin server. In most cases, the response is then cached. To confirm this, send the request again to see whether the value updates to hit.
# X-Cache: dynamic - The origin server dynamically generated the content. Generally this means the response is not suitable for caching.
# X-Cache: refresh - The cached content was outdated and needed to be refreshed or revalidated.
The Cache-Control header may include a directive that indicates caching, like public with a max-age higher than 0. Note that this only suggests that the resource is cacheable. It isn't always indicative of caching, as the cache may sometimes override this header.
Exploiting Cache
Cache rules often target static resources by matching common file extensions like .css or .js. This is the default behavior in most CDNs.
If there are discrepancies in how the cache and origin server map the URL path to resources or use delimiters, an attacker may be able to craft a request for a dynamic resource with a static extension that is ignored by the origin server but acted on by the cache:
http://example.com/user/123/profile/abc.js
An origin server using REST-style URL mapping may interpret this as a request for the /user/123/profile endpoint and return the profile information for user 123, ignoring abc.js as a non-significant parameter.
A cache that uses traditional URL mapping may view this as a request for a file named abc.js located in the /profile directory under /user/123. It interprets the URL path as /user/123/profile/abc.js. If the cache is configured to store responses for requests where the path ends in .js, it would cache and serve the profile information as if it were a JS or CSS file.
Caches may have rules based on specific static extensions. Try a range of extensions, including .css, .ico, and .exe.
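As an added example (not code from the original post or from the lab), here is a toy Python model of the discrepancy described above: the origin routes /my-account/anything to the dynamic account page, while the cache keys on path plus query and stores anything whose key ends in a static extension, so the same request returns X-Cache: miss and then hit; the hardened cache also honours the origin's Cache-Control: no-store and never stores that page. All names, paths and rules are hypothetical.

```python
from urllib.parse import urlsplit

STATIC_EXTENSIONS = (".js", ".css", ".ico")   # weak rule: cache by extension alone

def origin(path):
    """Hypothetical REST-style origin. Any path under /my-account/ returns the
    dynamic account page (marked no-store); /static/ serves cacheable files."""
    segments = [s for s in path.split("/") if s]
    if segments[:1] == ["my-account"]:
        return ("account page with API key (constructed)",
                {"Content-Type": "text/html", "Cache-Control": "no-store"})
    if segments[:1] == ["static"]:
        return "body{}", {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"}
    return "not found", {"Content-Type": "text/html", "Cache-Control": "no-store"}

class Cache:
    """Toy cache keyed on path + query. The weak variant stores every response
    whose key ends in a static extension; the hardened variant also honours
    the origin's Cache-Control: no-store, which closes the deception."""
    def __init__(self, respect_origin):
        self.respect_origin = respect_origin
        self.store = {}

    def key(self, url):
        parts = urlsplit(url)
        return parts.path + ("?" + parts.query if parts.query else "")

    def get(self, url):
        """Return (x_cache_value, body), mirroring the X-Cache header values above."""
        k = self.key(url)
        if k in self.store:
            return "hit", self.store[k]
        body, headers = origin(urlsplit(url).path)
        cacheable = k.lower().endswith(STATIC_EXTENSIONS)
        if self.respect_origin and "no-store" in headers["Cache-Control"]:
            cacheable = False
        if not cacheable:
            return "dynamic", body
        self.store[k] = body
        return "miss", body

def probe(url, cache, times=2):
    """Send the same request repeatedly and collect the X-Cache values."""
    return [cache.get(url)[0] for _ in range(times)]

if __name__ == "__main__":
    url = "https://example.com/my-account/12.js"
    print(probe(url, Cache(respect_origin=False)))   # ['miss', 'hit']
    print(probe(url, Cache(respect_origin=True)))    # ['dynamic', 'dynamic']
```

The same miss-then-hit pattern is what the Repeater steps later in this post look for; the hardened cache shows the defensive fix of letting the origin's caching directives win over extension-based rules.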
Now it's time to complete the lab and learn in practical mode.
Let's do this. First of all, use whatever proxy you want, but you can use FoxyProxy. It is an extension that works together with Burp Suite as a proxy. You can easily add the extension to Chrome or Mozilla Firefox, whichever browser you want to use.
Let's enable it:
After enabling the proxy setup, open Burp Suite and turn on the Intercept option.
After that, go to the My account option and look at Burp Suite; it intercepts the URL.
But you will not get anything easily; never give up. Simply proceed with the URL below, as you can see here. After some seconds, turn off the proxy and go to Burp Suite.
As you can see in the image below (go to the HTTP proxy tab), the request has arrived: GET /my-account. See the request tab.
Cache Poisoning: It's important to distinguish web cache deception from web cache poisoning. While both exploit caching mechanisms, they are a little bit different.
Then, go back to the lab web page, simply type the username and password wiener : peter, turn on the proxy again and intercept the HTTP request.
Login is done. Now, if you want, you can turn off the proxy in the Chrome browser. (By the way, the reason I am doing this again and again is that you have to intercept what you want to, but sometimes the page otherwise keeps loading.)
Now you will see that you have got the API key.
Now, on that same page, edit the URL and simply add some kind of JS or CSS file name (in our case 12.js) and hit Enter.
https://0aa7003d04c35ca280a8eeac008b0054.web-security-academy.net/my-account/12.js
and you will see that Burp Suite intercepts the HTTP request.
Simply click on it, see X-Cache: miss in the response, and then send it to Repeater.
As I told you above about X-Cache: miss and X-Cache: hit, please read each and every sentence carefully.
After that, in the Repeater tab, simply send the request. If you still see X-Cache: miss on the response side, wait 30-40 seconds and send the request again, then check the response.
After 30-40 seconds, try sending the request again and look at the response on the right side. Now you can see X-Cache: hit (the response was served from the cache).
Now copy the whole URL, turn off the proxy and go to the exploit server page.
Copy our code and paste it into the body section:
<script>window.location="https://0aa7003d04c35ca280a8eeac008b0054.web-security-academy.net/my-account/12.js"</script>
Or reverse the JS file name, like this:
<script>window.location="https://0aa7003d04c35ca280a8eeac008b0054.web-security-academy.net/my-account/21.js"</script>
Then deliver the exploit to the victim.
After that, click on View exploit, or simply copy <script>window.location="https://0aa7003d04c35ca280a8eeac008b0054.web-security-academy.net/my-account/12.js"</script>
and open it in a new browser tab.
Notice that the response includes the API key for carlos. Copy this.
Click Submit solution, then submit the API key for carlos to solve the lab.
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please read the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.