Web Cache Deception

Also known as: WCD, Path-confusion cache attack

Definition

An attack where a malicious URL tricks an intermediary cache into storing a victim's authenticated, sensitive response under a publicly cacheable path.

First documented by Omer Gil in 2017, web cache deception abuses differences in how the front-end cache and the back-end application parse URL paths. The attacker lures an authenticated victim to a URL like /account.php/style.css; the back-end ignores the suffix and returns the victim's account page, while the cache, seeing a .css extension or a matching cache rule, stores the response as public content. Any attacker can then retrieve the cached file and read the victim's private data. Impact includes session token disclosure and PII leakage. Defences: align path parsing between cache and origin, send Cache-Control: private on authenticated responses, restrict cacheable paths, and add Vary/Authorization handling.

Examples

  • Sending a victim a link to /profile/picture.jpg that the cache treats as static while the app serves /profile.
  • Caching a victim's banking dashboard via /dashboard/index.css and downloading it as an attacker.
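
Added example (not part of the original glossary entry): a small Python model of the /account.php/style.css case, comparing an extension-only cache rule with one that honours Cache-Control: private and, as an extra check beyond the defences listed above, requires the Content-Type to match the extension. The origin function, the Cache class, the user name alice and the /static/style.css path are assumptions made for illustration.

```python
import posixpath

# Extension -> Content-Type a real static file of that kind would carry.
STATIC_TYPES = {".css": "text/css", ".js": "application/javascript", ".jpg": "image/jpeg"}

def origin(path, user):
    """Hypothetical back end: routes on the script name, ignores any path suffix."""
    if path == "/account.php" or path.startswith("/account.php/"):
        if user is None:
            return 302, {"Location": "/login"}, ""
        headers = {"Content-Type": "text/html", "Cache-Control": "private"}
        return 200, headers, f"account page of {user}"
    if path == "/static/style.css":
        return 200, {"Content-Type": "text/css", "Cache-Control": "public"}, "body{}"
    return 404, {"Content-Type": "text/html"}, "not found"

class Cache:
    def __init__(self, hardened):
        self.hardened = hardened
        self.store = {}  # cache key is the path only, shared by every client

    def cacheable(self, path, status, headers):
        ext = posixpath.splitext(path)[1].lower()
        if status != 200 or ext not in STATIC_TYPES:
            return False
        if not self.hardened:
            return True  # weak rule: the file extension alone decides
        directives = headers.get("Cache-Control", "").lower()
        if "private" in directives or "no-store" in directives:
            return False  # honour the origin's marking of authenticated content
        ctype = headers.get("Content-Type", "").split(";")[0].strip()
        return ctype == STATIC_TYPES[ext]  # extension must match what was served

    def get(self, path, user=None):
        if path in self.store:
            return self.store[path]  # hit: origin and its auth check are bypassed
        status, headers, body = origin(path, user)
        if self.cacheable(path, status, headers):
            self.store[path] = body
        return body

def replay(hardened):
    """Logged-in request for the confusing path, then an anonymous one."""
    cache = Cache(hardened)
    cache.get("/account.php/style.css", user="alice")
    return cache.get("/account.php/style.css")

if __name__ == "__main__":
    print("weak cache     ->", repr(replay(False)))
    print("hardened cache ->", repr(replay(True)))
```

With the weak rule the anonymous request is answered from the cache with the logged-in user's page; with the hardened rule it reaches the origin and gets the login redirect, while genuine static files remain cacheable.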
