What is cache poisoning?

Cache poisoning is when an attacker manipulates data stored by intermediate caches so that fraudulent or sensitive content is served to other users.

How can I detect Web Cache Deception?

Use the provided detection patterns and commands to review proxy cache rules, cache key construction, and Cache-Control headers, looking for extensions based caching, authenticated content caching, and missing Vary headers.

How do I mitigate cache related vulnerabilities?

Configure proper cache keys that exclude sensitive data, implement Vary headers for user specific responses, restrict caching of authenticated content, and enforce strict Cache-Control directives across proxies, CDNs, and servers.

Cache Poisoning

Scanned

npx machina-cli add skill allsmog/vuln-scout/cache-poisoning --openclaw

Files (1)

SKILL.md

11.8 KB

Cache Poisoning & Web Cache Deception

Purpose

Provide detection patterns for HTTP cache poisoning and web cache deception vulnerabilities, including proxy cache misconfigurations, cache key manipulation, and authenticated response caching.

OWASP 2025 Mapping

Category: Related to A01 (Broken Access Control), A05 (Security Misconfiguration)

CWEs:

CWE-524: Use of Cache Containing Sensitive Information
CWE-525: Use of Web Browser Cache Containing Sensitive Information
CWE-444: Inconsistent Interpretation of HTTP Requests
CWE-436: Interpretation Conflict

When to Use

Activate this skill when:

Reviewing proxy/CDN configurations (Nginx, Varnish, Cloudflare, etc.)
Analyzing SSRF vulnerabilities for exfiltration vectors
Auditing applications with static file caching
Looking for authenticated content exposure
Checking cache key construction for manipulation

Web Cache Deception

Overview

Web cache deception occurs when:

Proxy caches responses based on file extension (e.g., .png, .css)
Application serves dynamic content regardless of path extension
Attacker tricks victim into visiting /profile.png
Proxy caches authenticated response
Attacker retrieves cached sensitive data

Detection Patterns

Nginx Cache Configuration

# Find proxy cache configurations
grep -rniE "proxy_cache|proxy_cache_valid|proxy_cache_key" --include="*.conf" --include="nginx.conf"

# Check cache rules for static extensions (HIGH RISK)
grep -rniE "location.*\.(css|js|png|jpg|jpeg|gif|ico|svg|woff)" -A10 --include="*.conf" | grep -iE "proxy_cache|cache"

# Cache key analysis - look for missing user identification
grep -rniE "proxy_cache_key" --include="*.conf"

# Caching authenticated responses (CRITICAL if no Vary header)
grep -rniE "proxy_cache_valid\s+200" --include="*.conf"

Varnish Cache Configuration

# VCL cache rules
grep -rniE "vcl_recv|vcl_hash|vcl_backend_response" --include="*.vcl"

# Static extension caching
grep -rniE "req\.url.*\.(css|js|png|jpg|jpeg|gif|ico)" --include="*.vcl"

# Cache TTL settings
grep -rniE "set beresp\.ttl|beresp\.grace" --include="*.vcl"

Apache/mod_cache

# mod_cache configuration
grep -rniE "CacheEnable|CacheRoot|CacheMaxExpire" --include="*.conf" --include=".htaccess"

# Cache for specific paths
grep -rniE "CacheEnable.*disk" --include="*.conf"

CDN/Cloud Configurations

# Cloudflare/AWS CloudFront
grep -rniE "cache.*control|edge.*cache|cdn.*cache|cloudfront|cloudflare" --include="*.json" --include="*.yaml" --include="*.yml"

# Cache-Control headers
grep -rniE "Cache-Control|max-age|s-maxage|public|private" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

Cache Key Manipulation

Detection Patterns

# Host header in requests (potential cache key manipulation)
grep -rniE "Host.*header|getHeader.*Host|X-Forwarded-Host|X-Original-Host" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Query parameter handling
grep -rniE "query.*param|request\.query|getQueryString" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Cache key includes query string?
grep -rniE "proxy_cache_key.*query|CacheKeyQueryString" --include="*.conf" --include="*.vcl"

Cache Key Injection via Headers

# X-Forwarded-* headers that might be in cache key
grep -rniE "X-Forwarded-Host|X-Forwarded-Scheme|X-Forwarded-Proto" --include="*.conf" --include="*.go" --include="*.py"

# Unkeyed headers that affect response
grep -rniE "X-Original-URL|X-Rewrite-URL" --include="*.conf" --include="*.go" --include="*.py"

SSRF + Cache Poisoning Chain

Overview

When SSRF response is not directly returned to attacker:

Make SSRF request to /sensitive-endpoint.png
Proxy caches the response (thinks it's static)
Attacker requests same path
Gets cached sensitive data

Detection Patterns

# SSRF endpoints that make internal requests
grep -rniE "requests\.get|http\.Get|fetch\(|axios\.|urllib" --include="*.py" --include="*.go" --include="*.js" --include="*.ts"

# User-controlled URLs in SSRF
grep -rniE "url.*=.*request|uri.*=.*request|callback.*=.*request" --include="*.py" --include="*.go" --include="*.js" --include="*.ts"

# Check if proxy caches the response path
grep -rniE "proxy_cache|cache_valid" -B5 -A5 --include="*.conf"

Verification Checklist for SSRF + Cache

Can attacker control part of the request path?
Does proxy cache responses based on path/extension?
Can attacker add file extension to bypass cache rules?
Is there a timing window to retrieve cached response?

Path Extension Abuse

Overview

Many caches use file extension to determine cacheability:

/api/user/profile - NOT cached (dynamic)
/api/user/profile.png - CACHED (static file)

If the application ignores the extension and serves the same content, this enables cache deception.

Detection Patterns

# Flask/Django wildcard routes
grep -rniE "route.*<path:|path:subpath|<.*:.*>" --include="*.py"

# Express catch-all routes
grep -rniE "app\.get\('\*'|router\.get\('\*'|\.use\('\/'," --include="*.js" --include="*.ts"

# Nginx location blocks that proxy regardless of extension
grep -rniE "location\s+/|location\s+~" -A10 --include="*.conf" | grep -iE "proxy_pass"

# Check if routes handle extensions gracefully (ignore them)
grep -rniE "\.split\('\.\'\)|path\.extname|endswith|path.*extension" --include="*.py" --include="*.go" --include="*.js" --include="*.ts"

Response Caching of Authenticated Content

Detection Patterns

# Missing Vary header (should include Authorization/Cookie)
grep -rniE "Vary.*header|add_header.*Vary" --include="*.conf" --include="*.go" --include="*.py"

# Cache-Control: private not set for authenticated endpoints
grep -rniE "@login_required|@jwt_required|isAuthenticated|requireAuth" -A20 --include="*.py" --include="*.go" --include="*.js" --include="*.ts" | grep -iE "cache|response"

# Session/Cookie in cached responses
grep -rniE "Set-Cookie.*Cache|Cache-Control.*Set-Cookie" --include="*.conf" --include="*.py" --include="*.go"

Proper Cache Headers for Authenticated Content

Cache-Control: private, no-store, must-revalidate
Vary: Authorization, Cookie

CDN-Specific Patterns

Cloudflare

# Page Rules caching
grep -rniE "page.*rules|cache.*level|cache.*everything" --include="*.json" --include="*.tf"

# Bypass cache
grep -rniE "bypass.*cache|cache\.bypass" --include="*.json"

AWS CloudFront

# Cache behaviors
grep -rniE "CacheBehavior|DefaultCacheBehavior|CachePolicyId" --include="*.json" --include="*.yaml" --include="*.tf"

# Origin request policy
grep -rniE "OriginRequestPolicy|ForwardedValues" --include="*.json" --include="*.yaml"

Fastly/Akamai

# VCL snippets
grep -rniE "snippet|vcl_recv|vcl_hash" --include="*.vcl" --include="*.json"

# Edge logic
grep -rniE "edge.*cache|surrogate.*key" --include="*.json" --include="*.yaml"

Framework-Specific Checks

Django

# Cache framework usage
grep -rniE "django\.core\.cache|@cache_page|CACHES\s*=" --include="*.py"

# Vary header decorator
grep -rniE "@vary_on_headers|@vary_on_cookie" --include="*.py"

Express/Node.js

# Express static middleware
grep -rniE "express\.static|serve-static|maxAge" --include="*.js" --include="*.ts"

# Cache headers in responses
grep -rniE "res\.set.*Cache|setHeader.*Cache" --include="*.js" --include="*.ts"

Spring Boot

# Cache annotations
grep -rniE "@Cacheable|@CacheEvict|@CachePut" --include="*.java"

# Spring Cache configuration
grep -rniE "spring\.cache|CacheManager|EhCache|Redis" --include="*.properties" --include="*.yaml"

Go

# HTTP caching libraries
grep -rniE "httpcache|groupcache|bigcache" --include="*.go"

# Cache-Control headers
grep -rniE "Cache-Control|w\.Header\(\)\.Set" --include="*.go"

Cross-Layer Analysis

Verification Steps

When analyzing cache vulnerabilities, check all layers:

Application Layer
- Does app handle path extensions?
- What data is in authenticated responses?
- Are Cache-Control headers set?
Proxy Layer (Nginx/HAProxy)
- What paths are cached?
- How is cache key constructed?
- What's the cache TTL?
CDN Layer (Cloudflare/CloudFront)
- Page rules / cache behaviors
- Origin cache settings
- Cache key configuration

Command to Check Full Stack

# Find all config files
find . -name "*.conf" -o -name "*.vcl" -o -name "nginx*" -o -name "*cloudfront*" -o -name "*cdn*" 2>/dev/null | head -20

# Check for cache configuration across all layers
grep -rniE "cache|proxy_cache|vcl_|CDN|cloudfront|cloudflare" --include="*.conf" --include="*.vcl" --include="*.json" --include="*.yaml" --include="*.tf"

Exploitation Checklist

When cache vulnerabilities are found:

Identify what content can be cached
Determine if authenticated responses are cacheable
Find a way to make victim visit poisoned URL
Check cache TTL to understand exploitation window
Verify cache key doesn't include session identifiers
Test path extension abuse (add .css, .png, .js)
Check for unkeyed headers that affect response

Example Attack Scenarios

Scenario 1: SSRF + Cache Deception (CDNio Pattern)

1. SSRF allows bot to visit internal URLs as admin
2. Nginx caches /*.png for 3 minutes
3. Make bot visit /profile.png (admin profile)
4. Request /profile.png → Get cached admin data

Scenario 2: Path Confusion

1. App serves /api/user regardless of extension
2. CDN caches /api/user.css (thinks it's static)
3. Attacker requests /api/user.css
4. Gets user profile from cache

Scenario 3: Host Header Poisoning

1. Cache key includes Host header
2. Inject X-Forwarded-Host: evil.com
3. Response contains evil.com URLs
4. Cache serves poisoned response to all users

Remediation

Nginx

# Don't cache authenticated responses
location ~* \.(css|js|png|jpg)$ {
    proxy_cache cache;
    proxy_cache_valid 200 3m;
    # Add this to prevent caching authenticated responses
    proxy_cache_bypass $http_authorization $cookie_session;
    proxy_no_cache $http_authorization $cookie_session;
}

Application

# Set proper cache headers for authenticated endpoints
@app.route('/profile')
@jwt_required
def profile():
    response = make_response(jsonify(user_data))
    response.headers['Cache-Control'] = 'private, no-store'
    response.headers['Vary'] = 'Authorization'
    return response

CDN

Include Authorization/Cookie in cache key
Use "Cache-Control: private" for authenticated content
Set appropriate cache behaviors per path pattern

CWE References

CWE	Name	Example
CWE-524	Sensitive Info in Cache	Authenticated data cached
CWE-525	Browser Cache Sensitive Info	Secrets in browser cache
CWE-444	HTTP Request Smuggling	Cache poisoning via smuggling
CWE-436	Interpretation Conflict	Path extension confusion

Source

git clone https://github.com/allsmog/vuln-scout/blob/main/whitebox-pentest/skills/cache-poisoning/SKILL.mdView on GitHub

Overview

This skill provides detection patterns for HTTP cache poisoning and web cache deception, including proxy cache misconfigurations, cache key manipulation, and authenticated response caching. It maps to OWASP 2025 categories and common CWEs to help identify misconfigurations that expose sensitive data.

How This Skill Works

It collects practical detection patterns and commands to surface cache related vulnerabilities. It includes checks for nginx, varnish, apache configurations, CDN settings, and cache control headers to reveal cache key manipulation and authenticated content exposure.

When to Use It

Reviewing proxy/CDN configurations (Nginx, Varnish, Cloudflare, etc.)
Analyzing SSRF vulnerabilities for exfiltration vectors
Auditing applications with static file caching
Looking for authenticated content exposure
Checking cache key construction for manipulation

Quick Start

Step 1: Review proxy cache configurations and CDN rules for static extension caching and authentication handling
Step 2: Inspect cache key construction and headers to ensure sensitive data isn’t cached and that Vary is used where appropriate
Step 3: Run the detection commands and scans described in the skill to surface misconfigurations

Best Practices

Audit proxy_cache, cache_key, and related directives in nginx, Varnish, and CDN configurations
Ensure cache keys do not include sensitive user data and that dynamic content isn't cached unintentionally
Use Vary headers for authenticated or user-specific content to avoid sharing cached responses
Prefer explicit Cache-Control headers and appropriate TTLs for sensitive endpoints
Regularly scan for misconfigurations and verify detection rules against production traffic

Example Use Cases

Proxy caches authenticated responses due to a missing Vary header, exposing user data
Web cache deception where an attacker tricks a victim into visiting a path like /profile.png to retrieve cached sensitive data
Varnish VCL patterns involving vcl_recv and vcl_hash misconfigurations leading to inconsistent caching behavior
CDN caching dynamic content because Cache-Control headers are too permissive
Cache key injection via host header or query string resulting in leakage of cached content

Frequently Asked Questions

Add this skill to your agents