Keywords

cache miss, cache hit, CDN, cache key, cache rules

Cache

  • A web cache is a system that sits between the origin server and the user. When a client requests a static resource, the request is first directed to the cache. If the cache doesn’t contain a copy of the resource (a cache miss), the request is forwarded to the origin server, which processes and responds to the request. The response is then stored in the cache before being sent to the user. When a request for the same static resource is made in the future, the cache serves the stored copy of the response directly to the user (a cache hit).
  • The cache key is what the cache uses to decide whether a stored response matches the incoming request (and can be served to the client) or whether the request must be forwarded to the origin server.
  • Cache rules determine what can be cached and for how long. Cache rules are often set up to store static resources, which generally don’t change frequently and are reused across multiple pages.

Types of cache rules:

  • Static file extension rules
  • Static directory rules
  • File name rules
  • Custom rules

Web Cache Deception Attack

Web Cache Deception Attacks exploit discrepancies in how cache rules are applied by the cache and how the origin server interprets the same request.

Detecting cached responses

The X-Cache header indicates whether the response was served from the cache.

  • X-Cache: hit (the response was served from the cache)
  • X-Cache: miss (the response came from the origin server)
  • X-Cache: dynamic (dynamic content was generated)
  • X-Cache: refresh (the cached copy was outdated and has been refreshed)

The Cache-Control header may include a directive that indicates the response is cacheable, such as public together with a max-age greater than 0.

If a response arrives noticeably slower than usual, it may not have been served from the cache; a response that arrives faster than usual may indicate a cache hit.
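The three signals above (X-Cache value, Cache-Control directives, and response timing) can be checked mechanically. The following is an added example, not code from the original notes: it parses Cache-Control into directives, maps X-Cache onto the four states listed, and treats timing as a hint only. The sample headers are constructed for the example, the treatment of s-maxage as a shared-cache override is standard HTTP behaviour not covered in the notes, and the "twice as fast as baseline" threshold is an assumption chosen for illustration.

```python
"""Classify whether a response was (or could be) served from a web cache using
the X-Cache header, Cache-Control directives and a rough timing comparison.
All sample headers are constructed for this example."""
from typing import Optional


def parse_cache_control(value: str) -> dict:
    """Parse a Cache-Control header into {directive: value-or-None}.
    Directive names are case-insensitive; values keep their original form."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def cache_control_allows_caching(value: Optional[str]) -> bool:
    """True when Cache-Control marks the response as storable by a shared cache:
    'public' combined with a positive max-age (the heuristic from the notes), or a
    positive s-maxage, which shared caches honour in preference to max-age.
    Explicit no-store or private directives override this."""
    if not value:
        return False
    directives = parse_cache_control(value)
    if "no-store" in directives or "private" in directives:
        return False

    def positive(name: str) -> bool:
        try:
            return int(directives.get(name) or 0) > 0
        except ValueError:
            return False

    return positive("s-maxage") or ("public" in directives and positive("max-age"))


def x_cache_status(headers: dict) -> str:
    """Map the X-Cache header onto hit/miss/dynamic/refresh; 'unknown' when the
    header is absent or unrecognised. Header names are matched case-insensitively,
    and values such as 'HIT from edge-cache-01' are accepted by prefix."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-cache", "").strip().lower()
    for state in ("hit", "miss", "dynamic", "refresh"):
        if value.startswith(state):
            return state
    return "unknown"


def assess_response(headers: dict, elapsed_ms: Optional[float] = None,
                    baseline_ms: Optional[float] = None) -> dict:
    """Combine the three signals into one verdict. Timing is only a hint: a
    response at least twice as fast as the baseline (uncached) request is
    reported as 'faster'; the factor of two is an assumption for this example."""
    lowered = {k.lower(): v for k, v in headers.items()}
    verdict = {
        "x_cache": x_cache_status(headers),
        "cache_control_allows": cache_control_allows_caching(lowered.get("cache-control")),
        "timing_hint": None,
    }
    if elapsed_ms is not None and baseline_ms is not None and baseline_ms > 0:
        verdict["timing_hint"] = "faster" if elapsed_ms * 2 <= baseline_ms else "not-faster"
    return verdict


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "edge-hit": {"X-Cache": "HIT from edge-cache-01", "Cache-Control": "public, max-age=3600"},
    "origin": {"X-Cache": "MISS", "Cache-Control": "private, no-store"},
    "no-header": {"Cache-Control": "public, max-age=0"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, assess_response(hdrs, elapsed_ms=40, baseline_ms=200))
```

A response whose Cache-Control says it is cacheable but whose X-Cache reads miss on every request is worth a second look: either the cache key includes something that varies per request, or a cache rule is not matching the path the way the configuration suggests.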

Exploiting static extension cache rules

By default, CDN cache rules match on common file extensions such as .css or .js. If there are discrepancies in how the cache and the origin server map the URL path to resources, or in how they handle delimiters, an attacker may be able to craft a request for a dynamic resource with a static extension that the origin server ignores but the cache's rule matches.

Path mapping discrepancies

Discrepancies in how the cache and the origin server map the URL path to resources can result in web cache deception vulnerabilities.

Consider the following example:

http://example.com/user/123/profile/wcd.css

  • An origin server using REST-style URL mapping may interpret this as a request for the /user/123/profile endpoint and return the profile information for user 123, ignoring wcd.css as a non-significant parameter.
  • A cache that uses traditional URL mapping may view this as a request for a file named wcd.css located in the /profile directory under /user/123. It interprets the URL path as /user/123/profile/wcd.css. If the cache is configured to store responses for requests where the path ends in .css, it would cache and serve the profile information as if it were a CSS file.
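To make the discrepancy concrete from the defender's side, here is an added simulation (example code, not part of the original notes) of a REST-style origin behind a path-keyed cache with a .css extension rule, using the example URL above. It shows the profile response being stored and served to a visitor who has no session, and then two origin- and cache-side checks that prevent it: the origin marking the dynamic response Cache-Control: no-store, and the cache verifying that the Content-Type matches what the extension implies before storing. The routing regex, the profile data and the class names are constructed for the example.

```python
"""Simulate the path-mapping discrepancy: a REST-style origin that ignores
trailing path segments, fronted by a cache whose rule stores any 200 response
to a path ending in a static extension. All users, paths and data are
constructed for this example."""
import json
import posixpath
import re
from typing import Optional

# Constructed profile data: the origin looks profiles up by user id.
PROFILES = {"123": {"name": "Alice", "email": "alice@example.com"}}

# Static extension rule of the hypothetical cache, and the Content-Type each
# extension is expected to carry.
STATIC_CONTENT_TYPES = {".css": "text/css", ".js": "application/javascript"}


class RestOrigin:
    """Origin with REST-style routing: /user/<id>/profile matches even when extra
    segments follow, and those segments are ignored (the scenario above). With
    mark_no_store=True the dynamic response carries Cache-Control: no-store."""

    ROUTE = re.compile(r"^/user/(?P<uid>\d+)/profile(?:/.*)?$")

    def __init__(self, mark_no_store: bool = False) -> None:
        self.mark_no_store = mark_no_store

    def handle(self, path: str, session_user: Optional[str]) -> dict:
        match = self.ROUTE.match(path)
        if not match:
            return {"status": 404, "headers": {"Content-Type": "text/plain"}, "body": "not found"}
        # Only the logged-in owner may read the profile (authorization check).
        if session_user is None or session_user != match.group("uid"):
            return {"status": 403, "headers": {"Content-Type": "text/plain"}, "body": "forbidden"}
        headers = {"Content-Type": "application/json"}
        if self.mark_no_store:
            headers["Cache-Control"] = "no-store"
        return {"status": 200, "headers": headers, "body": json.dumps(PROFILES[session_user])}


class PathCache:
    """Cache that keys on the URL path alone (the session is not part of the key)
    and applies a static extension rule. verify_content_type=True adds the check
    that the origin's Content-Type matches what the extension implies."""

    def __init__(self, origin: RestOrigin, verify_content_type: bool = False) -> None:
        self.origin = origin
        self.verify_content_type = verify_content_type
        self.store: dict = {}

    def _storable(self, path: str, response: dict) -> bool:
        ext = posixpath.splitext(path)[1].lower()
        if ext not in STATIC_CONTENT_TYPES:
            return False  # extension rule does not match this path
        if response["status"] != 200:
            return False
        if "no-store" in response["headers"].get("Cache-Control", ""):
            return False  # origin explicitly forbade storing this response
        if self.verify_content_type and response["headers"].get("Content-Type") != STATIC_CONTENT_TYPES[ext]:
            return False  # path looks like .css but the body is not CSS
        return True

    def fetch(self, path: str, session_user: Optional[str]) -> dict:
        key = path  # the cache key is the path only, exactly as in the notes
        if key in self.store:
            cached = self.store[key]
            return {**cached, "headers": {**cached["headers"], "X-Cache": "hit"}}
        response = self.origin.handle(path, session_user)
        if self._storable(path, response):
            self.store[key] = response
        return {**response, "headers": {**response["headers"], "X-Cache": "miss"}}


def run_scenario(mark_no_store: bool = False, verify_content_type: bool = False) -> tuple:
    """User 123 (logged in) loads the crafted path, then a visitor with no session
    requests the same path. Returns (X-Cache status, status code, body) of the
    visitor's response."""
    cache = PathCache(RestOrigin(mark_no_store), verify_content_type)
    cache.fetch("/user/123/profile/wcd.css", session_user="123")
    visitor = cache.fetch("/user/123/profile/wcd.css", session_user=None)
    return visitor["headers"]["X-Cache"], visitor["status"], visitor["body"]


if __name__ == "__main__":
    print("extension rule only:      ", run_scenario())
    print("origin sets no-store:     ", run_scenario(mark_no_store=True))
    print("cache checks Content-Type:", run_scenario(verify_content_type=True))
```

Either check alone closes this particular path; in practice both are worth having, since the no-store directive protects against caches the application owner does not configure, and the Content-Type check protects against origins that forget to set the directive.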