Web Cache Deception Attack

When will it happen?

Two conditions are required for this vulnerability to exist:

  • The web cache in front of the application is configured to cache files by their extension, disregarding any caching headers.
  • When accessing a page like http://www.example.com/home.php/non-existent.css, the web server will return the content of "home.php" for that URL.

Mitigation

  1. Configure the cache mechanism to cache files only if their HTTP caching headers allow it. That will solve the root cause of this issue.
  2. If the cache component provides the option, configure it to cache files by their content type.
  3. Configure the web server so that for pages such as http://www.example.com/home.php/non-existent.css, it does not return the content of "home.php" for that URL. Instead, the server should respond with, for example, a 404 or 302.
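
The two conditions and the three mitigations above can be modelled as a cache's store decision. The following is an added example, not code from the referenced write-up: the origin, the /static/site.css path, the response bodies and all function names are constructed for illustration, and the Cache-Control handling is a deliberate simplification of real cache behaviour.

```python
from dataclasses import dataclass
from posixpath import splitext
from urllib.parse import urlsplit

# Constructed mapping: extensions the cache treats as static, with expected type.
STATIC_EXT = {".css": "text/css", ".js": "application/javascript", ".png": "image/png"}

@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""

def origin(url, strict_paths):
    """Constructed origin: home.php is a private, per-user page."""
    path = urlsplit(url).path
    # Lenient routing (condition 2): /home.php/<anything> still serves home.php.
    if path == "/home.php" or (not strict_paths and path.startswith("/home.php/")):
        return Response(200, {"Content-Type": "text/html",
                              "Cache-Control": "no-store, private"}, "account page")
    if path == "/static/site.css":
        return Response(200, {"Content-Type": "text/css",
                              "Cache-Control": "public, max-age=3600"}, "body{}")
    return Response(404, {"Content-Type": "text/html", "Cache-Control": "no-store"})

def cache_by_extension(url, resp):
    """Condition 1: store on file extension alone, ignoring caching headers."""
    return resp.status == 200 and splitext(urlsplit(url).path)[1].lower() in STATIC_EXT

def cache_hardened(url, resp):
    """Mitigations 1 and 2: headers must allow storage, and the Content-Type
    must match what the extension implies."""
    if resp.status != 200:
        return False
    directives = {d.strip().lower().split("=")[0]
                  for d in resp.headers.get("Cache-Control", "").split(",")}
    # Simplification: require an explicit opt-in and refuse private/no-store.
    if directives & {"no-store", "private"}:
        return False
    if not directives & {"public", "max-age", "s-maxage"}:
        return False
    expected = STATIC_EXT.get(splitext(urlsplit(url).path)[1].lower())
    ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    return expected is not None and ctype == expected

def is_stored(url, policy, strict_paths):
    """Would the cache keep the origin's response for this URL?"""
    return policy(url, origin(url, strict_paths))
```

With lenient routing, only the extension-based policy stores the private page; either the hardened policy or strict routing alone prevents it, while a genuine stylesheet is still cached.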

Ref

Omer Gil: Web Cache Deception Attack