Severity: Critical | OWASP A05:2021 | CWE-525 | Category: Caching

Web Cache Deception

Tricks CDN caches into storing personalised pages as static resources — an attacker's single crafted URL leaks the victim's private data to anyone who requests it.

What Is Web Cache Deception?

Web Cache Deception is different from Cache Poisoning. Instead of injecting malicious content into the cache, the attacker tricks the cache into storing a personalised (authenticated) response as if it were a static resource. Any subsequent visitor — including the attacker — receives the victim's private page.

How It Works

  1. The attacker crafts a URL: https://target.com/account/evil.css
  2. The server ignores the .css extension and returns the real /account page (with the victim's personal data)
  3. The CDN sees the .css extension and caches the response as a static asset
  4. The attacker requests the same URL and receives the victim's cached account page

Request (the victim, lured to the crafted URL, sends it with their own session cookie):

GET /account/nonexistent.css HTTP/1.1
Host: target.com
Cookie: session=victim_token

Response (gets cached by CDN):

<h1>Welcome, Alice</h1>
<p>Email: alice@example.com</p>
<p>Balance: $4,200</p>

Now anyone requesting /account/nonexistent.css sees Alice's data.

Real-World Impact

  • Mass data leakage — every user who clicks a crafted link has their page cached
  • Account takeover — cached pages may contain session tokens or CSRF tokens
  • Financial data exposure — banking dashboards, payment info, order history
  • GDPR violations — personal data served to unauthorized parties

How to Fix

Return 404 for unexpected path extensions:

# Any path ending in a static extension must map to a real file on disk;
# if it does not, answer 404 instead of falling through to the application.
location ~* \.(css|js|png|jpg|svg|woff2)$ {
    try_files $uri =404;
}

Set Cache-Control: no-store, private on all authenticated pages.

Configure the CDN to cache only responses that carry explicit cacheable headers, rather than caching by file extension.
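As an added example (not VibeWShield's code), a small WSGI middleware that applies both server-side fixes above: a static-looking path outside the static tree gets a 404 instead of the dynamic page, and every authenticated response is forced to Cache-Control: no-store, private. The static prefix, cookie name and the stand-in account app are assumptions constructed for the demo.

```python
import re

# Extensions a CDN treats as static (assumption: mirror your CDN/nginx rule list).
STATIC_EXT = re.compile(r"\.(css|js|png|jpg|svg|woff2)$", re.IGNORECASE)
STATIC_PREFIX = "/static/"  # assumed location of genuine static files
SESSION_COOKIE = "session"  # assumed name of the authentication cookie


class CacheDeceptionGuard:
    """Wraps a WSGI app with the two server-side mitigations listed above."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        # Fix 1: a static extension outside the static tree is never a real asset,
        # so answer 404 instead of letting the router fall through to /account.
        if STATIC_EXT.search(path) and not path.startswith(STATIC_PREFIX):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        # Simple cookie-presence check; a real app would validate the session.
        authenticated = SESSION_COOKIE + "=" in environ.get("HTTP_COOKIE", "")

        def guarded_start_response(status, headers, exc_info=None):
            # Fix 2: every authenticated response is explicitly uncacheable,
            # overriding whatever Cache-Control the app itself set.
            if authenticated:
                headers = [h for h in headers if h[0].lower() != "cache-control"]
                headers.append(("Cache-Control", "no-store, private"))
            return start_response(status, headers, exc_info)

        return self.app(environ, guarded_start_response)


def account_app(environ, start_response):
    # Constructed stand-in for the vulnerable app: any /account/* hits the real page.
    if environ["PATH_INFO"].startswith("/account"):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<h1>Welcome, Alice</h1>"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"Not Found"]


def request(app, path, cookie=""):
    """Drive a WSGI app in-process (no server); return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app({"PATH_INFO": path, "HTTP_COOKIE": cookie}, start_response))
    return captured["status"], captured["headers"], body
```

Calling request(account_app, "/account/evil.css", "session=...") returns the personalised page; wrapping the app in CacheDeceptionGuard turns that into a 404 and marks the genuine /account response uncacheable.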

What VibeWShield Detects

VibeWShield's Cache Deception scanner only tests public pages (/about, /pricing, /) — never personal pages. It appends static extensions (.css, .js) and checks whether the server returns the real page instead of a 404. A clean verification request without cookies then confirms whether the response was cached.

Tags: #cache-deception #cdn #data-leak #privacy


Test your app for Web Cache Deception

VibeWShield automatically checks for Web Cache Deception and 40+ other vulnerabilities using 63 scanners — in under 3 minutes, no signup required.
