/plushcap/analysis/cloudflare/understanding-our-cache-and-the-web-cache-deception-attack

Understanding Our Cache and the Web Cache Deception Attack

What's this blog post about?

Security researcher Omer Gil has identified a new type of attack called the Web Cache Deception attack, which targets websites using reverse proxies like Cloudflare and are misconfigured in a particular way. The attack involves tricking users into visiting malicious URLs that appear legitimate but can be cached by the reverse proxy, exposing sensitive content. To defend against this attack, website owners should ensure their site isn't so permissive and never treats requests to nonexistent paths as equivalent to valid parent paths. Cloudflare has outlined its cache logic in two phases: eligibility and disqualification, with specific rules for each phase that determine whether a request is cached or not.

Company
Cloudflare

Date published
April 14, 2017

Author(s)
Joshua Liebow-Feeser

Word count
1617

Language
English

Hacker News points
None found.


By Matt Makai. 2021-2024.