Name: Performing Web Cache Deception Attack
Author: mukul975

When to Use

When testing applications behind CDNs or reverse proxies (Cloudflare, Akamai, Varnish, Nginx)
During assessment of authenticated page caching behavior
When evaluating path normalization differences between caching and origin layers
During bug bounty hunting on applications with aggressive caching policies
When testing for sensitive data exposure through cache layer misconfiguration

Prerequisites

Understanding of HTTP caching mechanisms (Cache-Control, Vary, Age headers)
Knowledge of CDN path normalization and cache key construction
Burp Suite for intercepting and crafting requests
Two browser sessions (authenticated victim and unauthenticated attacker)
Understanding of URL path parsing differences across technologies
Familiarity with common CDN platforms (Cloudflare, Akamai, Fastly, AWS CloudFront)

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

When to Use

When testing applications behind CDNs or reverse proxies (Cloudflare, Akamai, Varnish, Nginx)
During assessment of authenticated page caching behavior
When evaluating path normalization differences between caching and origin layers
During bug bounty hunting on applications with aggressive caching policies
When testing for sensitive data exposure through cache layer misconfiguration

Prerequisites

Understanding of HTTP caching mechanisms (Cache-Control, Vary, Age headers)
Knowledge of CDN path normalization and cache key construction
Burp Suite for intercepting and crafting requests
Two browser sessions (authenticated victim and unauthenticated attacker)
Understanding of URL path parsing differences across technologies
Familiarity with common CDN platforms (Cloudflare, Akamai, Fastly, AWS CloudFront)

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Concept	Description
Cache Deception	Tricking CDN into caching authenticated dynamic content as static resource
Path Normalization	How CDN and origin differently resolve path segments (../, ;, encoded chars)
Cache Key	The identifier CDN uses to store/retrieve cached responses (typically URL path)
Static Extension Trick	Appending .css/.js/.png to dynamic URLs to trigger caching behavior
Delimiter Discrepancy	Characters (;, ?, #) interpreted differently by cache vs. origin server
Cache Poisoning vs Deception	Poisoning modifies cache for all users; deception caches specific victim data
Vary Header	HTTP header controlling which request attributes affect cache key

Tool	Purpose
Burp Suite	HTTP proxy for crafting cache deception requests
curl	Command-line testing of cache behavior and response headers
Web Cache Vulnerability Scanner	Automated tool for detecting cache deception/poisoning
Param Miner	Burp extension for discovering unkeyed cache parameters
Cloudflare Diagnostics	Analyzing CF-Cache-Status and cf-ray headers
Varnish CLI	Direct cache inspection for Varnish-based setups

Performing Web Cache Deception Attack

When to Use

Prerequisites

Performing Web Cache Deception Attack

When to Use

Prerequisites

Workflow

Step 1 — Identify Caching Layer and Behavior

Step 2 — Test Path-Based Cache Deception

Step 3 — Exploit Delimiter-Based Discrepancies

Step 4 — Test Normalization Discrepancies

Step 5 — Exploit Cache Key Manipulation

Step 6 — Verify and Document the Attack

Key Concepts

Tools & Systems

Common Scenarios

Output Format

1password

Springboot Security

Security Review

Laravel Security

Security Review

Django Security