Web Cache Deception - Vulnerability Database

Web Cache Deception

Description

Web Cache Deception is a vulnerability that occurs when caching servers incorrectly cache dynamic, user-specific content as if it were static resources. This happens when cache servers classify content based solely on URL path extensions (like .css or .jpg) rather than actual Content-Type headers, combined with web servers that allow arbitrary path segments to be appended to existing routes. An attacker can exploit this by crafting URLs that append static file extensions to sensitive pages (e.g., /account/settings.php/style.css), tricking the cache into storing personalized content publicly. When a victim accesses this manipulated URL while authenticated, their sensitive data becomes cached and accessible to the attacker without authentication.

Remediation

To prevent Web Cache Deception attacks, implement the following security measures:

1. Configure cache servers to respect Content-Type headers:
Ensure your caching layer (CDN, reverse proxy, or cache server) determines cacheability based on the Content-Type response header rather than URL path extensions. Configure your cache to only cache responses with explicit static content types.

2. Enforce proper Cache-Control headers:
Configure your cache infrastructure to respect Cache-Control headers set by your application. For sensitive or user-specific pages, ensure the application sets appropriate headers:

Cache-Control: no-store, no-cache, must-revalidate, private
Pragma: no-cache
Expires: 0

3. Disable path info on dynamic resources:
Configure your web server to reject requests with extraneous path segments appended to dynamic files. For Apache with PHP:
# In .htaccess or Apache configuration
<FilesMatch "\.php$">
    AcceptPathInfo Off
</FilesMatch>
For Nginx (note that a location regex ending in \.php$ would never match a URL such as /account/settings.php/style.css, so the pattern must also accept a trailing slash for the PATH_INFO check to run):
# In nginx.conf
# Match both /script.php and /script.php/anything so the check below is reached
location ~ \.php(/|$) {
    # Split the URI into the script name and any trailing PATH_INFO
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # Reject the request if PATH_INFO is present
    if ($fastcgi_path_info) {
        return 404;
    }
    # Only serve scripts that actually exist on disk
    try_files $uri =404;
}

4. Implement strict cache policies:
Configure your CDN or cache server to never override application-level Cache-Control directives, especially for dynamic content. Whitelist specific static file paths rather than using extension-based rules.

5. Validate and sanitize URL paths:
Implement application-level checks to detect and reject requests with suspicious path patterns that don't match expected route structures.
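The following Python example is added here to illustrate the remediation steps above; it is not code from Invicti's page. It contrasts the extension-based cache decision that makes the attack possible with a hardened decision driven by Content-Type and Cache-Control (steps 1, 2 and 4), and adds the application-level path check from step 5. The allow-lists, URL and response headers are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed allow-lists: content types a cache may store, and the URL
# suffixes a naive cache keys on instead.
STATIC_TYPES = {"text/css", "application/javascript", "image/png", "image/jpeg"}
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg"}

def parse_cache_control(value):
    """Return the set of lower-cased directive names in a Cache-Control value."""
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}

def cacheable_by_extension(path):
    """Vulnerable policy: decide from the URL path suffix alone."""
    return any(path.lower().endswith(ext) for ext in STATIC_EXTENSIONS)

def cacheable_by_headers(headers):
    """Hardened policy: honour Cache-Control and require a static Content-Type."""
    ctype = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    directives = parse_cache_control(headers.get("Cache-Control", ""))
    if directives & {"no-store", "private"}:
        return False  # the application marked the response as user-specific
    return ctype in STATIC_TYPES

def has_path_info(path, dynamic_extensions=(".php",)):
    """Flag URLs that carry extra segments after a dynamic script name."""
    segments = path.split("/")
    # Any segment before the last one that names a script means PATH_INFO follows it
    return any(seg.lower().endswith(dynamic_extensions) for seg in segments[:-1])

# Constructed request and response for the manipulated URL from the description
VICTIM_URL = "https://app.example/account/settings.php/style.css"
VICTIM_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
}

if __name__ == "__main__":
    path = urlsplit(VICTIM_URL).path
    print("extension policy caches it:", cacheable_by_extension(path))   # True
    print("header policy caches it:", cacheable_by_headers(VICTIM_HEADERS))  # False
    print("request carries PATH_INFO:", has_path_info(path))  # True
```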
