Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From vuln-scout
Detects HTTP cache poisoning and web cache deception vulnerabilities via config grep patterns for Nginx, Varnish, Apache mod_cache, and CDNs during pentests.
npx claudepluginhub allsmog/vuln-scout --plugin whitebox-pentestHow this skill is triggered — by the user, by Claude, or both
Slash command
/vuln-scout:cache-poisoningThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
---
Exploits path normalization discrepancies between CDN caching layers and origin servers to cache and retrieve sensitive authenticated content. Useful for bug bounty hunting and security assessments of applications behind CDNs.
Executes web cache deception attacks exploiting path normalization discrepancies in CDNs like Cloudflare to cache sensitive authenticated content. For pentesting cached web apps.
Executes web cache deception attacks by exploiting path normalization differences between CDNs and origin servers to cache sensitive authenticated content. Useful for security testing apps behind Cloudflare or Nginx.
Share bugs, ideas, or general feedback.
Provide detection patterns for HTTP cache poisoning and web cache deception vulnerabilities, including proxy cache misconfigurations, cache key manipulation, and authenticated response caching.
Category: Related to A01 (Broken Access Control), A05 (Security Misconfiguration)
CWEs:
Activate this skill when:
Web cache deception occurs when:
.png, .css)/profile.png# Find proxy cache configurations
grep -rniE "proxy_cache|proxy_cache_valid|proxy_cache_key" --include="*.conf" --include="nginx.conf"
# Check cache rules for static extensions (HIGH RISK)
grep -rniE "location.*\.(css|js|png|jpg|jpeg|gif|ico|svg|woff)" -A10 --include="*.conf" | grep -iE "proxy_cache|cache"
# Cache key analysis - look for missing user identification
grep -rniE "proxy_cache_key" --include="*.conf"
# Caching authenticated responses (CRITICAL if no Vary header)
grep -rniE "proxy_cache_valid\s+200" --include="*.conf"
# VCL cache rules
grep -rniE "vcl_recv|vcl_hash|vcl_backend_response" --include="*.vcl"
# Static extension caching
grep -rniE "req\.url.*\.(css|js|png|jpg|jpeg|gif|ico)" --include="*.vcl"
# Cache TTL settings
grep -rniE "set beresp\.ttl|beresp\.grace" --include="*.vcl"
# mod_cache configuration
grep -rniE "CacheEnable|CacheRoot|CacheMaxExpire" --include="*.conf" --include=".htaccess"
# Cache for specific paths
grep -rniE "CacheEnable.*disk" --include="*.conf"
# Cloudflare/AWS CloudFront
grep -rniE "cache.*control|edge.*cache|cdn.*cache|cloudfront|cloudflare" --include="*.json" --include="*.yaml" --include="*.yml"
# Cache-Control headers
grep -rniE "Cache-Control|max-age|s-maxage|public|private" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Host header in requests (potential cache key manipulation)
grep -rniE "Host.*header|getHeader.*Host|X-Forwarded-Host|X-Original-Host" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Query parameter handling
grep -rniE "query.*param|request\.query|getQueryString" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Cache key includes query string?
grep -rniE "proxy_cache_key.*query|CacheKeyQueryString" --include="*.conf" --include="*.vcl"
# X-Forwarded-* headers that might be in cache key
grep -rniE "X-Forwarded-Host|X-Forwarded-Scheme|X-Forwarded-Proto" --include="*.conf" --include="*.go" --include="*.py"
# Unkeyed headers that affect response
grep -rniE "X-Original-URL|X-Rewrite-URL" --include="*.conf" --include="*.go" --include="*.py"
When SSRF response is not directly returned to attacker:
/sensitive-endpoint.png# SSRF endpoints that make internal requests
grep -rniE "requests\.get|http\.Get|fetch\(|axios\.|urllib" --include="*.py" --include="*.go" --include="*.js" --include="*.ts"
# User-controlled URLs in SSRF
grep -rniE "url.*=.*request|uri.*=.*request|callback.*=.*request" --include="*.py" --include="*.go" --include="*.js" --include="*.ts"
# Check if proxy caches the response path
grep -rniE "proxy_cache|cache_valid" -B5 -A5 --include="*.conf"
Many caches use file extension to determine cacheability:
/api/user/profile - NOT cached (dynamic)/api/user/profile.png - CACHED (static file)If the application ignores the extension and serves the same content, this enables cache deception.
# Flask/Django wildcard routes
grep -rniE "route.*<path:|path:subpath|<.*:.*>" --include="*.py"
# Express catch-all routes
grep -rniE "app\.get\('\*'|router\.get\('\*'|\.use\('\/'," --include="*.js" --include="*.ts"
# Nginx location blocks that proxy regardless of extension
grep -rniE "location\s+/|location\s+~" -A10 --include="*.conf" | grep -iE "proxy_pass"
# Check if routes handle extensions gracefully (ignore them)
grep -rniE "\.split\('\.\'\)|path\.extname|endswith|path.*extension" --include="*.py" --include="*.go" --include="*.js" --include="*.ts"
# Missing Vary header (should include Authorization/Cookie)
grep -rniE "Vary.*header|add_header.*Vary" --include="*.conf" --include="*.go" --include="*.py"
# Cache-Control: private not set for authenticated endpoints
grep -rniE "@login_required|@jwt_required|isAuthenticated|requireAuth" -A20 --include="*.py" --include="*.go" --include="*.js" --include="*.ts" | grep -iE "cache|response"
# Session/Cookie in cached responses
grep -rniE "Set-Cookie.*Cache|Cache-Control.*Set-Cookie" --include="*.conf" --include="*.py" --include="*.go"
Cache-Control: private, no-store, must-revalidate
Vary: Authorization, Cookie
# Page Rules caching
grep -rniE "page.*rules|cache.*level|cache.*everything" --include="*.json" --include="*.tf"
# Bypass cache
grep -rniE "bypass.*cache|cache\.bypass" --include="*.json"
# Cache behaviors
grep -rniE "CacheBehavior|DefaultCacheBehavior|CachePolicyId" --include="*.json" --include="*.yaml" --include="*.tf"
# Origin request policy
grep -rniE "OriginRequestPolicy|ForwardedValues" --include="*.json" --include="*.yaml"
# VCL snippets
grep -rniE "snippet|vcl_recv|vcl_hash" --include="*.vcl" --include="*.json"
# Edge logic
grep -rniE "edge.*cache|surrogate.*key" --include="*.json" --include="*.yaml"
# Cache framework usage
grep -rniE "django\.core\.cache|@cache_page|CACHES\s*=" --include="*.py"
# Vary header decorator
grep -rniE "@vary_on_headers|@vary_on_cookie" --include="*.py"
# Express static middleware
grep -rniE "express\.static|serve-static|maxAge" --include="*.js" --include="*.ts"
# Cache headers in responses
grep -rniE "res\.set.*Cache|setHeader.*Cache" --include="*.js" --include="*.ts"
# Cache annotations
grep -rniE "@Cacheable|@CacheEvict|@CachePut" --include="*.java"
# Spring Cache configuration
grep -rniE "spring\.cache|CacheManager|EhCache|Redis" --include="*.properties" --include="*.yaml"
# HTTP caching libraries
grep -rniE "httpcache|groupcache|bigcache" --include="*.go"
# Cache-Control headers
grep -rniE "Cache-Control|w\.Header\(\)\.Set" --include="*.go"
When analyzing cache vulnerabilities, check all layers:
Application Layer
Proxy Layer (Nginx/HAProxy)
CDN Layer (Cloudflare/CloudFront)
# Find all config files
find . -name "*.conf" -o -name "*.vcl" -o -name "nginx*" -o -name "*cloudfront*" -o -name "*cdn*" 2>/dev/null | head -20
# Check for cache configuration across all layers
grep -rniE "cache|proxy_cache|vcl_|CDN|cloudfront|cloudflare" --include="*.conf" --include="*.vcl" --include="*.json" --include="*.yaml" --include="*.tf"
When cache vulnerabilities are found:
.css, .png, .js)1. SSRF allows bot to visit internal URLs as admin
2. Nginx caches /*.png for 3 minutes
3. Make bot visit /profile.png (admin profile)
4. Request /profile.png → Get cached admin data
1. App serves /api/user regardless of extension
2. CDN caches /api/user.css (thinks it's static)
3. Attacker requests /api/user.css
4. Gets user profile from cache
1. Cache key includes Host header
2. Inject X-Forwarded-Host: evil.com
3. Response contains evil.com URLs
4. Cache serves poisoned response to all users
# Don't cache authenticated responses
location ~* \.(css|js|png|jpg)$ {
proxy_cache cache;
proxy_cache_valid 200 3m;
# Add this to prevent caching authenticated responses
proxy_cache_bypass $http_authorization $cookie_session;
proxy_no_cache $http_authorization $cookie_session;
}
# Set proper cache headers for authenticated endpoints
@app.route('/profile')
@jwt_required
def profile():
response = make_response(jsonify(user_data))
response.headers['Cache-Control'] = 'private, no-store'
response.headers['Vary'] = 'Authorization'
return response
| CWE | Name | Example |
|---|---|---|
| CWE-524 | Sensitive Info in Cache | Authenticated data cached |
| CWE-525 | Browser Cache Sensitive Info | Secrets in browser cache |
| CWE-444 | HTTP Request Smuggling | Cache poisoning via smuggling |
| CWE-436 | Interpretation Conflict | Path extension confusion |