Web Cache Deception

ID

web_cache_deception

Severity

high

Kind

Security Misconfiguration

CWE

444

Description

Web cache deception may be possible when a web cache incorrectly caches dynamic content as static resources based solely on URL patterns or file extensions. This allows an unauthorized user to view sensitive data that was cached from another user’s session by crafting URLs that trick the cache into storing and serving private information.

Rationale

Attackers exploit web cache deception by appending fake static file extensions to URLs containing sensitive data, causing intermediate caches to store responses intended for authenticated users. When the attacker later requests the same manipulated URL, the cache serves the previously stored sensitive content without requiring authentication. This technique can expose personal information, session tokens, account details, or any data that should remain private to individual users.

Remediation

It is strongly advised not to classify files, such as images or stylesheets, solely by their URL and file extension. Instead, make sure that files are cached based on their Content-Type header.
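
The following is an added example, not part of the original rule text or of any cache product's own code. It contrasts an extension-based cache decision with one driven by the response's Content-Type, and lists the responses where the two disagree. The function names, the static type list, the sample URLs and the extra Cache-Control and Set-Cookie checks are assumptions that go beyond the remediation text.

```python
from posixpath import splitext
from urllib.parse import urlsplit

STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg"}
STATIC_TYPES = {"text/css", "text/javascript", "application/javascript",
                "image/png", "image/jpeg", "image/gif", "image/svg+xml"}
UNCACHEABLE = {"no-store", "no-cache", "private"}  # Cache-Control directives


def cacheable_by_extension(url, headers):
    """Weak rule: trusts the URL suffix and ignores the origin's response."""
    return splitext(urlsplit(url).path)[1].lower() in STATIC_EXTENSIONS


def cacheable_by_content_type(url, headers):
    """Hardened rule: the decision comes from the response headers only."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().split("=")[0].lower()
                  for d in h.get("cache-control", "").split(",")}
    if directives & UNCACHEABLE or "set-cookie" in h:
        return False  # assumption: never store per-user responses
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    return media_type in STATIC_TYPES


def deception_risks(responses):
    """URLs the weak rule would store although the response is not static."""
    return [url for url, headers in responses
            if cacheable_by_extension(url, headers)
            and not cacheable_by_content_type(url, headers)]


# Constructed sample (url, origin response headers) pairs, not real traffic.
SAMPLES = [
    ("https://app.example/static/site.css",
     {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"}),
    ("https://app.example/account/settings/x.css",
     {"Content-Type": "text/html; charset=utf-8"}),
    ("https://app.example/account/orders/y.js",
     {"Content-Type": "application/json", "Cache-Control": "private"}),
    ("https://app.example/avatar",
     {"Content-Type": "image/png"}),
]

if __name__ == "__main__":
    for url in deception_risks(SAMPLES):
        print("weak rule would cache dynamic response:", url)
```

Running the same comparison over logged origin responses shows which routes an extension-only cache rule would expose.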