“Day 29: The Web Cache Deception Heist — How I Stole Private Data Without Breaking a Single…
The article describes a Web Cache Deception (WCD) attack: appending a file extension such as .css to the end of a URL tricks the system into storing sensitive data in a public cache, from which a user's financial data can then be retrieved. The vulnerability exploits a communication problem between the server and the caching layer, and the finding earned a $4000 bug bounty. 2025-9-6 05:49:20 Author: infosecwriteups.com

Exploiting a Flaw in How Servers and Caches Talk to Each Other

Aman Sharma

Welcome to Day 29 of our bug bounty exploration! Today's vulnerability is one of the most elegant and subtle ones I've ever encountered. It doesn't require bypassing authentication or injecting code. Instead, it exploits the misunderstood relationship between a server and its caching layer (such as Varnish or Nginx). The target was a financial dashboard app. By simply adding .css to the end of a private URL, I tricked the system into saving a user's sensitive financial data in a public, shared cache. Minutes later, I was able to retrieve that data, fully rendered, without needing to log in. This Web Cache Deception (WCD) attack earned a $4000 bounty.


The Core Concept: How Caching Works (and Fails)

A reverse proxy cache (e.g., Varnish, Nginx, Cloudflare) sits in front of a web application. Its job is to store (cache) responses to selected requests and serve them to later clients without contacting the origin, which improves performance. The cache is shared across all clients, so anything it stores is available to anyone who requests the same URL. It usually decides what to cache based on:

  • The file extension in the URL (e.g., .css, .js, .png).
  • The Cache-Control headers sent by the application…
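The interaction above, as an added example that is not part of the original post: a toy origin and a toy shared cache, with the attack run against both the vulnerable configuration and two fixes. The origin's routing (silently ignoring a trailing static extension), the cache rule, the session token `tok-alice` and the victim's balance are all constructed here for illustration and are not taken from the target described in the write-up.

```python
"""Toy model of a web cache deception (WCD) attack and two fixes.

Added example, not code from the original post. The origin's routing,
the cache rule, the session token and the victim's balance are all
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers, str]        # (status, headers, body)
Origin = Callable[[str, Headers], Response]

STATIC_EXTS = (".css", ".js", ".png")
PRIVATE_ROUTE = "/account/balance"

# Constructed session store: cookie value -> (user, balance).
SESSIONS = {"tok-alice": ("alice", "$12,340.00")}


def make_origin(reject_suffix: bool, mark_private: bool) -> Origin:
    """Build an origin. reject_suffix=False models a framework that ignores a
    trailing static extension (the WCD precondition); mark_private=True makes
    the private page carry Cache-Control: private, no-store."""

    def origin(path: str, headers: Headers) -> Response:
        route = path
        if not reject_suffix:
            for ext in STATIC_EXTS:
                if path.endswith(ext):
                    route = path[: -len(ext)]   # /account/balance.css -> /account/balance
                    break
        if route != PRIVATE_ROUTE:
            return 404, {"Content-Type": "text/plain"}, "not found"
        token = headers.get("Cookie", "").removeprefix("session=")
        if token not in SESSIONS:
            return 302, {"Location": "/login"}, ""
        user, balance = SESSIONS[token]
        resp_headers = {"Content-Type": "text/html"}
        if mark_private:
            resp_headers["Cache-Control"] = "private, no-store"
        return 200, resp_headers, f"<h1>{user}: {balance}</h1>"

    return origin


@dataclass
class ProxyCache:
    """Shared cache in front of the origin. Stores any 200 whose URL ends in a
    static extension; honor_cache_control=True lets the origin veto that."""
    origin: Origin
    honor_cache_control: bool = False
    store: Dict[str, Response] = field(default_factory=dict)

    def get(self, path: str, headers: Headers) -> Tuple[Response, bool]:
        if path in self.store:
            return self.store[path], True       # served from shared cache, no auth involved
        resp = self.origin(path, headers)
        status, resp_headers, _ = resp
        cacheable = status == 200 and path.endswith(STATIC_EXTS)
        if self.honor_cache_control:
            cc = resp_headers.get("Cache-Control", "")
            if "no-store" in cc or "private" in cc:
                cacheable = False
        if cacheable:
            self.store[path] = resp
        return resp, False


def run_wcd(cache: ProxyCache) -> Tuple[int, str, bool]:
    """1) The logged-in victim is lured to the bait URL; 2) the attacker requests
    the same URL with no cookie. Returns the attacker's (status, body, cache_hit)."""
    bait = PRIVATE_ROUTE + ".css"
    cache.get(bait, {"Cookie": "session=tok-alice"})
    (status, _, body), hit = cache.get(bait, {})
    return status, body, hit


if __name__ == "__main__":
    cases = {
        "vulnerable: extension rule, origin ignores suffix": (make_origin(False, False), False),
        "Cache-Control set but cache ignores it": (make_origin(False, True), False),
        "fix: Cache-Control set and cache honours it": (make_origin(False, True), True),
        "fix: origin 404s on unknown suffix": (make_origin(True, False), False),
    }
    for name, (origin, honor) in cases.items():
        print(f"{name}: {run_wcd(ProxyCache(origin, honor))}")
```

The second case is the one worth noting: marking the page `Cache-Control: private, no-store` does nothing if the proxy's extension-based rule overrides origin headers, which is exactly the misconfiguration WCD relies on. Either the cache must respect the origin's directives, or the origin must refuse to serve the private page under a URL it does not actually own.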

Source: https://infosecwriteups.com/day-29-the-web-cache-deception-heist-how-i-stole-private-data-without-breaking-a-single-276b8667a4cf?source=rss----7b722bfd1b8d--bug_bounty