Web Cache Deception
What is Web Cache Deception?
Web Cache Deception: an attack where a malicious URL tricks an intermediary cache into storing a victim's authenticated, sensitive response under a publicly cacheable path.
First documented by Omer Gil in 2017, web cache deception abuses differences in how the front-end cache and the back-end application parse URL paths. The attacker lures an authenticated victim to a URL like /account.php/style.css; the back-end ignores the suffix and returns the victim's account page, while the cache, seeing a .css extension or a matching cache rule, stores the response as public content. Any attacker can then retrieve the cached file and read the victim's private data. Impact includes session token disclosure and PII leakage. Defences: align path parsing between cache and origin, use Cache-Control: private on authenticated responses, restrict cacheable paths, and add Vary/Authorization handling.
● Examples
1. Sending a victim a link to /profile/picture.jpg that the cache treats as static while the app serves /profile.
2. Caching a victim's banking dashboard via /dashboard/index.css and downloading it as an attacker.
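The path confusion and two of the listed defences (honouring Cache-Control: private and restricting what is cacheable), shown as an added example that is not code from this page: a toy Python model in which the origin ignores the path suffix and the cache keys on the path alone. All function and class names, the user "alice" and the header values are constructed for illustration.

```python
"""Toy model of a cache in front of an origin (constructed; not a real proxy)."""
import posixpath

STATIC_EXTENSIONS = {".css", ".js", ".jpg", ".png"}

def origin(path, session_user):
    """Origin that routes on the script name and ignores trailing path info."""
    if path.startswith("/account.php"):
        body = f"account page for {session_user}" if session_user else "login required"
        # Authenticated content is marked private so shared caches must not store it.
        return {"body": body, "headers": {"Cache-Control": "private, no-store",
                                          "Content-Type": "text/html"}}
    return {"body": "body{}", "headers": {"Cache-Control": "public, max-age=600",
                                          "Content-Type": "text/css"}}

def weak_rule(path, response):
    """Assumed misconfiguration: cache by URL extension, ignoring origin headers."""
    return posixpath.splitext(path)[1] in STATIC_EXTENSIONS

def hardened_rule(path, response):
    """Cache only if the origin allows it AND the response really is static."""
    cc = response["headers"].get("Cache-Control", "").lower()
    if "private" in cc or "no-store" in cc:
        return False
    is_html = response["headers"].get("Content-Type", "").startswith("text/html")
    return posixpath.splitext(path)[1] in STATIC_EXTENSIONS and not is_html

class Cache:
    def __init__(self, rule):
        self.rule, self.store = rule, {}

    def fetch(self, path, session_user=None):
        if path in self.store:  # cache key is the path only, not the session
            return self.store[path]["body"]
        response = origin(path, session_user)
        if self.rule(path, response):
            self.store[path] = response
        return response["body"]

def replay(rule, path="/account.php/style.css"):
    """A logged-in user requests the path, then an anonymous client requests it."""
    cache = Cache(rule)
    cache.fetch(path, session_user="alice")
    return cache.fetch(path)  # what the anonymous client receives
```

With `weak_rule` the anonymous request is answered from the cache with the logged-in user's page; with `hardened_rule` it reaches the origin and gets the login response, while genuine stylesheets remain cacheable.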
● Frequently asked questions
What is Web Cache Deception?
An attack where a malicious URL tricks an intermediary cache into storing a victim's authenticated, sensitive response under a publicly cacheable path. It belongs to the Vulnerabilities category of cybersecurity.
How do you defend against Web Cache Deception?
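Defences for Web Cache Deception typically combine technical controls and operational practices: align path parsing between cache and origin, use Cache-Control: private on authenticated responses, restrict cacheable paths, and add Vary/Authorization handling.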
What are other names for Web Cache Deception?
Common alternative names include: WCD, Path-confusion cache attack.