Web Cache Deception Attack worth $450
Introduction
Okay, so I was simply playing around with some private programs on Bugcrowd with my friend Satyendra, and we chose a private program to get hands-on with. This web application was an e-commerce store based out of the United Arab Emirates.
We were testing for authentication bugs, business logic errors, injections, XSS, and other vulnerabilities, and suddenly, I don't know what came into my mind, I checked for the web cache deception attack. I learned this attack from one of the Black Hat talks on YouTube by Omer Gil.
How the Attack Works
A Web Cache Deception attack is generally possible when the Cache-Control directives are not configured properly: a cache in front of the application stores a page that belongs to one user, and an attacker can use this to steal sensitive information from your account.
Assume a website, say www.xyz.com, with a page that holds sensitive information such as a profile; the application URL will look something like www.xyz.com/profile. Now, when a user requests a static file/resource such as a JPG, CSS or JS file under that path, for example “www.xyz.com/profile/abc.css”, the web cache treats the resource as static because of its extension and caches the response it got from the server. This is exactly where the Web Cache Deception attack takes place.
Where the Magic Happened
Now, in my scenario, I created an account on the website and proceeded to my profile section, where I appended a non-existent CSS file, somewhat like this: www.site.com/profile/nonexistent.css. No such CSS file was present, so it should have given a 404 error, but instead my profile page simply opened again. What exactly happened here? A simple nonexistent.css file gets cached in the server's directory along with my profile page, containing all the sensitive information.
Now I visited the same URL, i.e. www.site.com/profile/nonexistent.css, via an unauthenticated session in a different browser. The URL gave me the same profile page of my account, with all the sensitive information of my account.
I reported the issue; triage and resolution took a month, but it was worth $450. This report was first triaged as P2 but afterward moved to P3. Anyway, it was a decent bounty for such a simple attack.
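The caching mistake described in the two sections above, modelled as an added example (my own code, not the store's application or the cache it sat behind): a cache that decides cacheability from the URL extension alone stores the victim's profile page under `/profile/nonexistent.css` and serves it to the next unauthenticated visitor. The origin, cache, user name and paths are constructed; the model shows that the fix needs both sides, the application marking the page `Cache-Control: private, no-store` and the cache honouring that header.

```python
# Constructed model of the Web Cache Deception caching mistake, not the target's code.
from __future__ import annotations
from dataclasses import dataclass

STATIC_EXTENSIONS = (".css", ".js", ".jpg", ".png")

@dataclass
class Response:
    status: int
    body: str
    cache_control: str = ""   # value of the Cache-Control header, "" if absent

def leaky_origin(path: str, session: str | None) -> Response:
    """Routes any path under /profile to the profile page; sends no Cache-Control."""
    if not path.startswith("/profile"):
        return Response(404, "not found")
    if session is None:
        return Response(302, "", "no-store")          # bounce to login
    return Response(200, f"profile of {session}")

def private_origin(path: str, session: str | None) -> Response:
    """Same loose routing, but the per-user page is marked private, no-store."""
    resp = leaky_origin(path, session)
    if resp.status == 200:
        resp.cache_control = "private, no-store"
    return resp

class EdgeCache:
    def __init__(self, honour_cache_control: bool):
        self.honour_cache_control = honour_cache_control
        self.store = {}                               # path -> cached Response

    def cacheable(self, path: str, resp: Response) -> bool:
        if resp.status != 200 or not path.endswith(STATIC_EXTENSIONS):
            return False
        if not self.honour_cache_control:
            return True                               # the extension is the only signal
        return not any(d in resp.cache_control for d in ("private", "no-store"))

    def fetch(self, path: str, session: str | None, origin) -> Response:
        if path in self.store:
            return self.store[path]                   # hit: served to anyone who asks
        resp = origin(path, session)
        if self.cacheable(path, resp):
            self.store[path] = resp
        return resp

def anonymous_view_after_victim(cache: EdgeCache, origin, path="/profile/nonexistent.css") -> Response:
    cache.fetch(path, "alice", origin)                # victim, logged in, opens the crafted URL
    return cache.fetch(path, None, origin)            # then an unauthenticated visitor asks for it
```

Honouring Cache-Control on the cache side alone does not help when the application never sends the header, and sending the header does not help when the cache ignores it; only the combination keeps the profile page out of the cache.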