What is Web Cache Deception? How Does It Work, with an Example?

In this article, we’ll explore what web cache deception is, how it works, and what you can do to protect yourself and your website from this increasingly common form of cyber attack. So buckle up and get ready to dive into the world of web cache deception.

What is Web Caching?

Web caching is the process of temporarily storing web page resources, such as HTML, CSS, JavaScript, and images, on a local or network server to improve website performance and reduce network traffic.

When a user visits a website, their browser sends a request to the server to retrieve the web page resources. The server responds by sending the requested resources back to the browser, which then renders the web page. This process can be time-consuming, especially for websites with large files or high traffic volumes.

Web caching works by storing a copy of the web page resources on a local or network server, such as a Content Delivery Network (CDN) or a proxy server, so that subsequent requests for the same resources can be served more quickly. This reduces the amount of time it takes to load a web page, which can improve user experience and reduce network congestion.

Caching can be implemented in various ways, such as browser caching, which stores web page resources on the user’s local device, or server caching, which stores web page resources on a server between the user and the website’s server. Caching can also be configured to expire after a certain period of time or when the web page resources are updated, ensuring that users receive the most up-to-date version of the web page.

Web caching is a commonly used technique for improving website performance and reducing network traffic, and is often used in conjunction with other optimization techniques, such as content delivery networks, minification, and compression.

How does Web Caching Work?

Web caching is the process of temporarily storing copies of web resources (such as HTML pages, images, videos, etc.) on a server closer to the end-user. This is done to improve website performance, reduce bandwidth usage, and minimize server load.

Here’s how web caching works:

  1. A user requests a resource (such as a webpage) from a website.
  2. The request is sent to the server that hosts the website.
  3. The server checks its cache to see if it has a copy of the requested resource.
  4. If the resource is in the cache, the server sends the cached copy to the user’s browser.
  5. If the resource is not in the cache, the server retrieves it from its original source and sends it to the user’s browser, while also storing a copy in its cache for future requests.

There are several types of web caches, including browser caches and proxy caches. Browser caches store copies of resources on the user’s computer, while proxy caches store copies on a server located between the user and the website’s server.

Web caching is beneficial because it reduces the amount of data that needs to be transferred between the user’s browser and the website’s server, resulting in faster load times and reduced bandwidth usage. Additionally, it can help reduce server load and improve website scalability, as the server does not need to handle as many requests for the same resource.

What is Web Cache Deception?

Web Cache Deception (WCD) is a type of attack that exploits vulnerabilities in caching mechanisms, such as Content Delivery Networks (CDNs) or proxy servers, to access sensitive information or perform unauthorized actions on a website.

The attack works by tricking the caching mechanism into caching a web page that contains sensitive user-specific data, such as login credentials or payment information, and then retrieving the cached page to access the sensitive information.

One way that WCD attacks can be executed is by manipulating the URL parameters of a website. By adding or modifying parameters in a URL, an attacker can create a new cache key and trick the caching mechanism into caching the sensitive data.

How Web Cache Deception Works

Let’s take a look at how a Web Cache Deception (WCD) attack works, with an example:

Let’s say there’s an online shopping website that uses a Content Delivery Network (CDN) to cache its product pages. The product pages contain information about each item, such as the price, availability, and shipping details. The website also uses cookies to store user-specific information, such as the user’s shopping cart and payment information.

An attacker could perform a WCD attack on this website by crafting a malicious request that tricks the CDN into caching the sensitive user-specific data. Here’s how the attack might work:

  1. The attacker visits the website and adds an item to their shopping cart. This action generates a cookie that contains information about the item and the user’s shopping cart.
  2. The attacker then modifies the URL parameters to create a new URL that contains the user-specific data from the cookie. For example, the attacker might add the following parameters to the URL: “?product_id=123&user_id=456&cart_id=789”.
  3. The attacker sends the modified URL to the website’s server. The server sees the modified URL as a new request and passes it to the CDN to cache the page.
  4. The CDN caches the modified URL, which now includes the user-specific data in the cache key. This means that if any other user requests the same product page, they will see the attacker’s shopping cart and payment information instead of their own.
  5. The attacker can then retrieve the cached page and access the user-specific data, such as the payment information, shipping address, and order details.

This type of attack can be very difficult to detect, as the attacker is not accessing the user’s data directly, but is instead tricking the caching mechanism into caching the sensitive data. To prevent this type of attack, websites should implement measures to prevent caching of sensitive user-specific data, such as using cache partitioning, cache encryption, or cache key validation. Additionally, website developers should be aware of the potential for WCD attacks and should incorporate appropriate security measures into their application design.
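As an added illustration (not code from the original article), the following Python models the five caching steps listed earlier and then replays the scenario just described from the defender's side: a shared cache that is keyed on the URL alone, an origin that returns a per-user page without any cache-control headers, and a second user who is then served the first user's page from the cache. The origin, the session table, the URLs and the card-number strings are all constructed for the example; the `send_cache_headers` switch runs the same flow once the origin marks the page `private, no-store`, which is the fix discussed later in the article.

```python
"""Toy shared cache in front of a toy origin. Constructed example, not code
from the original article: the URLs, session cookies and card strings are
made-up sample data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    url: str
    cookie: Optional[str] = None   # session cookie of a logged-in user, if any


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed session table: cookie value -> what the account page shows.
SESSIONS = {"sid=alice": "alice (card ending 4242)",
            "sid=bob": "bob (card ending 0001)"}


def make_origin(send_cache_headers: bool) -> Callable[[Request], Response]:
    """Origin server. With send_cache_headers=False it behaves like the
    vulnerable PHP page later in the article: per-user HTML, no Cache-Control."""
    def origin(req: Request) -> Response:
        if req.url.startswith("/products/"):
            return Response(200, "Product 123: $19.99",
                            {"Cache-Control": "public, max-age=300"})
        if req.url.startswith("/account"):
            who = SESSIONS.get(req.cookie)
            if who is None:
                return Response(302, "redirect to /login", {"Cache-Control": "no-store"})
            headers = {"Cache-Control": "private, no-store"} if send_cache_headers else {}
            return Response(200, f"Welcome {who}", headers)
        return Response(404, "not found", {})
    return origin


class SharedCache:
    """CDN/proxy behaviour: the key is the URL only (cookies are not part of
    it), and any 200 response is stored unless Cache-Control forbids it."""
    def __init__(self, origin: Callable[[Request], Response]):
        self.origin = origin
        self.store: Dict[str, Response] = {}

    def fetch(self, req: Request) -> Tuple[Response, str]:
        key = req.url                      # step 3: look the resource up by URL
        if key in self.store:              # step 4: hit -> serve the stored copy
            return self.store[key], "HIT"
        resp = self.origin(req)            # step 5: miss -> ask the origin
        cc = resp.headers.get("Cache-Control", "").lower()
        if resp.status == 200 and "no-store" not in cc and "private" not in cc:
            self.store[key] = resp         # ...and keep a copy for next time
        return resp, "MISS"


def account_page_seen_by_bob(send_cache_headers: bool) -> Tuple[str, str]:
    """Alice loads her account page first; then Bob requests /account with his
    own cookie. Returns (body Bob receives, HIT or MISS)."""
    cache = SharedCache(make_origin(send_cache_headers))
    cache.fetch(Request("/account", cookie="sid=alice"))
    resp, status = cache.fetch(Request("/account", cookie="sid=bob"))
    return resp.body, status


if __name__ == "__main__":
    print("no cache headers:", account_page_seen_by_bob(False))   # Bob gets Alice's page
    print("private, no-store:", account_page_seen_by_bob(True))   # Bob gets his own page
```

The point to take from the model is that the cache never does anything wrong by its own rules: it keys on the URL, stores a 200 response, and serves the stored copy to the next request for the same key. The leak exists only because the origin told the cache nothing about the response being user-specific.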

Example Code of Web Cache Deception

Here’s an example of vulnerable code that could lead to a web cache deception attack:

<?php
session_start();
if (isset($_SESSION['username'])) {
    $username = $_SESSION['username'];
} else {
    $username = "";
}
// No Cache-Control or Pragma headers are sent before the output below,
// so a shared cache (CDN or proxy) is free to store this user-specific page.
?>
<!DOCTYPE html>
<html>
<head>
    <title>Welcome</title>
</head>
<body>
    <h1>Welcome <?php echo htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); ?></h1>
    <p>This is a secure page</p>
</body>
</html>

This code is vulnerable because it uses session data to display user-specific information, but does not include proper cache control headers to prevent caching of the response. An attacker could send a request to the server with a modified URL, including a different session ID, and the server could respond with the cached response for the previous user’s session, revealing their sensitive information.

To prevent this vulnerability, the website should include proper cache control headers in its HTTP responses, such as setting the Cache-Control and Pragma headers to no-cache or no-store. Additionally, the website should validate cache keys to ensure that they correspond to the correct resources, and use cache partitioning to isolate user-specific data in a separate cache partition.

How to Prevent Web Cache Deception

Here are some general steps that can be taken to prevent web cache deception attacks:

  1. Implement proper cache control: The website should include proper cache control headers in its HTTP responses to prevent caching of sensitive or user-specific data. This can be done by setting the Cache-Control and Pragma headers to no-cache or no-store.
  2. Validate cache keys: The website should validate cache keys to ensure that they correspond to the correct resources. Cache keys can be manipulated by attackers to trick the caching mechanism into caching sensitive or unauthorized data. By validating cache keys, the website can prevent such attacks.
  3. Use cache partitioning: Cache partitioning is a technique in which the website uses separate cache partitions for user-specific and public resources. By isolating user-specific data in a separate cache partition, the website can prevent unauthorized access to this data through the cache.
  4. Implement secure session management: Websites that use sessions to store user-specific data should implement secure session management techniques, such as session expiration and secure session IDs, to prevent attackers from hijacking user sessions and accessing sensitive data.
  5. Use HTTPS: Websites should use HTTPS to encrypt all communications between the client and server, including cached responses. This can prevent attackers from intercepting and modifying cached responses.
  6. Perform security testing: Regular security testing, such as vulnerability assessments and penetration testing, can help identify and mitigate vulnerabilities in the website’s caching mechanism and prevent web cache deception attacks.
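As an added example, not part of the original article, here is a small Python audit for step 1 (and for the fix proposed for the PHP page above): it parses Cache-Control directives, flags responses that are user-specific yet still storable by a shared cache, and produces the header set such a page should send. The rule that a response is user-specific when the request carries a Cookie header or the response sets one is an assumption of the example, as are the sample exchanges at the bottom.

```python
"""Response-header audit for web cache deception. Constructed example, not
code from the original article; the sample exchanges below are made up."""
from typing import Dict, List

Headers = Dict[str, str]


def _lower(headers: Headers) -> Headers:
    """Header names are case-insensitive; normalise them for lookups."""
    return {k.lower(): v for k, v in headers.items()}


def cache_directives(cache_control: str) -> set:
    """'private, max-age=0' -> {'private', 'max-age'}"""
    return {d.strip().split("=", 1)[0].lower()
            for d in cache_control.split(",") if d.strip()}


def is_user_specific(request: Headers, response: Headers) -> bool:
    # Assumption of this example: a session cookie in either direction means
    # the body may contain data belonging to one user.
    return "cookie" in _lower(request) or "set-cookie" in _lower(response)


def shared_cache_may_store(response: Headers) -> bool:
    """True if nothing in the response tells a shared cache to stay away.
    A missing Cache-Control header counts as storable, because CDNs and
    proxies commonly store 200 responses by default."""
    cc = cache_directives(_lower(response).get("cache-control", ""))
    return not (cc & {"no-store", "private"})


def audit(request: Headers, response: Headers) -> List[str]:
    """Findings for one exchange; an empty list means the response is safe."""
    findings = []
    user_specific = is_user_specific(request, response)
    if user_specific and shared_cache_may_store(response):
        findings.append("user-specific response is storable by a shared cache; "
                        "send 'Cache-Control: private, no-store'")
    cc = cache_directives(_lower(response).get("cache-control", ""))
    if user_specific and "no-cache" in cc and "no-store" not in cc:
        findings.append("no-cache alone lets a cache keep a copy and only forces "
                        "revalidation; add no-store")
    return findings


def hardened(response: Headers) -> Headers:
    """The headers the vulnerable PHP page should emit before any output."""
    fixed = dict(response)
    fixed["Cache-Control"] = "private, no-store, no-cache, must-revalidate"
    fixed["Pragma"] = "no-cache"
    fixed["Expires"] = "0"
    return fixed


# Constructed sample exchanges: (name, request headers, response headers)
SAMPLES = [
    ("welcome page, logged in", {"Cookie": "PHPSESSID=abc"},
     {"Content-Type": "text/html"}),                      # the article's bug
    ("login response", {},
     {"Set-Cookie": "PHPSESSID=abc; HttpOnly", "Cache-Control": "no-cache"}),
    ("product page", {}, {"Cache-Control": "public, max-age=300"}),
    ("account page, fixed", {"Cookie": "PHPSESSID=abc"}, hardened({})),
]


def audit_samples(samples=SAMPLES) -> Dict[str, List[str]]:
    """Run the audit over every sample exchange."""
    return {name: audit(req, resp) for name, req, resp in samples}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Running audit_samples() flags the article's welcome page (no Cache-Control at all) and the login response (no-cache by itself permits storage and only forces revalidation), while the public product page and the hardened account page pass. The same check can be applied to recorded request/response pairs from a staging environment as part of the security testing in step 6.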

By implementing these steps, website developers and administrators can help prevent web cache deception attacks and protect sensitive data from unauthorized access.

Akshay Sharma

Inner Cosmos

Leave a Reply