Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2025-12-06 08:54:40 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #774 from 1PingSun/master

Browse source 
2025-04-04 Add Detecting Web Cache Deception Content
This commit is contained in:
Swissky 2025-08-13 16:04:43 +02:00 committed by GitHub
commit 0c5b7c3953
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
Web Cache Deception/README.md
View file

@ -90,6 +90,19 @@ The following URL format are a good starting point to check for "cache" feature.
* `https://example.com/app/conversation/;.js`
* `https://example.com/home.php/non-existent.css`
## Detecting Web Cache Deception
1. Detecting delimiter discrepancies: `/path/<dynamic-resource>;<static-resource>`
* For example: `/settings/profile;script.js`
* If the origin server uses `;` as a delimiter but the cache isn't
* The cache interprets the path as: `/settings/profile;script.js`
* The origin server interprets the path as: `/settings/profile`
* For more delimiter characters: see [Web cache deception lab delimiter list](https://portswigger.net/web-security/web-cache-deception/wcd-lab-delimiter-list)
2. Detecting normalization: `/wcd/..%2fprofile`
* If the origin server resolved the path traversal sequence but the cache isn't
* The cache interprets the path as: `/wcd/..%2fprofile`
* The origin server interprets the path as: `/profile`
## CloudFlare Caching
CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0.