tricks a caching server into storing sensitive or private content. The attacker can then access this cached content, gaining unauthorized access to private information that was meant only for the original user.

How does it work?


The attacker sends a URL that appears to request static content; when the victim loads it, the cache stores the sensitive response. The attacker later retrieves the cached content.

Web Cache Deception vs. Web Cache Poisoning

Web Cache

A web cache sits between the origin server and the user. When a static resource is requested, the cache checks whether it has a stored copy. If not (a cache miss), the request goes to the origin server, which processes it and responds. The cache may store this response based on predefined rules.

For future requests of the same resource, the cache serves the stored copy directly (cache hit), bypassing the origin server.

Cache Keys

When the cache receives an HTTP request, it has to decide whether to serve it from the cache or from the origin. This decision is made using a ‘cache key’. The cache builds this key from several elements of the request, such as the URL, the query parameters, or headers such as the content type.

If the incoming request’s cache key matches that of a previous request, the cache serves a copy of the cached response. If not, it forwards the request and serves the response from the origin.
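As an added example (not code from the original article), a toy cache in Python that builds its cache key from the URL alone, as described above, and compares the weak cacheability rule (decide from the URL) with a hardened one (honour the origin's Cache-Control). All paths, users and functions are constructed for illustration.

```python
# Added example: toy cache keyed on the URL; hypothetical origin and paths.
from dataclasses import dataclass, field

STATIC_SUFFIXES = (".css", ".js", ".png")

def origin(path: str, user: str) -> dict:
    """Hypothetical origin server: private pages are marked no-store."""
    if path.startswith("/account"):
        return {"body": f"private settings for {user}",
                "headers": {"Cache-Control": "no-store"}}
    if path == "/static/app.css":
        return {"body": "body{margin:0}",
                "headers": {"Cache-Control": "public, max-age=3600"}}
    return {"body": "not found", "headers": {"Cache-Control": "no-store"}}

@dataclass
class Cache:
    url_only_rule: bool                 # True: cacheability decided by URL suffix
    store: dict = field(default_factory=dict)

    def cache_key(self, path: str) -> str:
        # Key built from the URL only; cookies and user identity are ignored.
        return "GET " + path

    def is_cacheable(self, path: str, resp: dict) -> bool:
        if self.url_only_rule:
            # Weak rule: anything that merely looks static is stored.
            return path.endswith(STATIC_SUFFIXES)
        # Hardened rule: store only what the origin explicitly allows.
        cc = resp["headers"].get("Cache-Control", "")
        return "no-store" not in cc and "public" in cc

    def get(self, path: str, user: str) -> tuple[str, str]:
        """Return (HIT|MISS, body) for a request made by `user`."""
        key = self.cache_key(path)
        if key in self.store:
            return "HIT", self.store[key]
        resp = origin(path, user)
        if self.is_cacheable(path, resp):
            self.store[key] = resp["body"]
        return "MISS", resp["body"]

def demo(url_only_rule: bool) -> str:
    """A logged-in user loads a private page under a static-looking URL,
    then a second client requests the same URL; return what it receives."""
    cache = Cache(url_only_rule)
    # Constructed sample: static-looking path that the origin maps to the account page.
    cache.get("/account/settings.css", "alice")
    return cache.get("/account/settings.css", "bob")[1]
```

With the weak rule the second client receives the first user's private page from the cache; with the hardened rule the no-store response is never stored and each client only ever sees its own.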