Web Cache Deception Attack revisited
Web Cache Deception attacks occur when an attacker tricks a user into clicking a link that leads to cached content of a private page. To prevent such attacks, proper configuration of websites is necessary, including returning the correct Cache-Control headers or rejecting requests with extra PATH_INFO. However, some customers may not be able to do this due to third-party software limitations. In response, Cloudflare has released a new tool called Cache Deception Armor Page Rule that helps protect against Web Cache Deception attacks by verifying the URL's extension matches the returned Content-Type. This solution allows static assets to be cached while still providing protection from potential attacks.
Company
Cloudflare
Date published
Jan. 19, 2018
Author(s)
Ka-Hing Cheung
Word count
460
Hacker News points
None found.
Language
English