From 5bc06fee7ca396cad066acbcd76bfb9c39cd11d1 Mon Sep 17 00:00:00 2001 From: 1Ping <52sunyiping@gmail.com> Date: Fri, 4 Apr 2025 00:20:27 +0800 Subject: [PATCH] 2025-04-04 Add Detecting Web Cache Deception Content --- Web Cache Deception/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md index cbe46a32..a77538cf 100644 --- a/Web Cache Deception/README.md +++ b/Web Cache Deception/README.md @@ -90,6 +90,19 @@ The following URL format are a good starting point to check for "cache" feature. * `https://example.com/app/conversation/;.js` * `https://example.com/home.php/non-existent.css` +## Detecting Web Cache Deception + +1. Detecting delimiter discrepancies: `/path/;` + * For example: `/settings/profile;script.js` + * If the origin server uses `;` as a delimiter but the cache isn't + * The cache interprets the path as: `/settings/profile;script.js` + * The origin server interprets the path as: `/settings/profile` + * For more delimiter characters: see [Web cache deception lab delimiter list](https://portswigger.net/web-security/web-cache-deception/wcd-lab-delimiter-list) +2. Detecting normalization: `/wcd/..%2fprofile` + * If the origin server resolved the path traversal sequence but the cache isn't + * The cache interprets the path as: `/wcd/..%2fprofile` + * The origin server interprets the path as: `/profile` + ## CloudFlare Caching CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0.
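Review bot: In the added "Detecting Web Cache Deception" section, both numbered items describe how the cache and the origin parse the path differently but never state what to observe to confirm the discrepancy, so the section stops short of explaining detection. Suggest closing each item with a bullet naming the signal, for example that the crafted path returns the same body as `/settings/profile` (or `/profile`) and that a repeated request is answered by the cache. Wording in the same hunk: "but the cache isn't" should read "but the cache doesn't" in both items. The "If the origin server ..." bullets have no conclusion and would read better as "If ..., then:" introducing the two interpretation bullets. Item 2 says "resolved" where item 1 uses the present tense. In item 2 the `/wcd/` prefix is unexplained; a short note that it stands for a path prefix the cache is configured to store would make the example self-contained, since the normalization difference only matters when the cache has a rule matching the unnormalized path.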