Web Cache Deception - exploitable without a cache server?

Information Security Asked by Citylight on December 26, 2020

Is Web Cache Deception vulnerability exploitable if there is no cache server involved?

If we are not using a cache servers or a CDN to serve the application, then would the application still be vulnerable – say if the client’s network using the application has a caching server to serve its users?

Background: Our webapp scanner (Netsparker) has detected the Web Cache Deception vulnerability for an internal application and has marked the severity as Critical. Since there are no web cache servers between that webserver and its users, the inclination is to adjust the severity as medium or low.

One Answer

Looks like it might be a false positive ? Can you reproduce the issue manually ?

Web Cache Poisoning can happen without a cache server or CDN since some application have an internal cache mechanism.

Drupal is often used with third party caches like Varnish, but it also contains an internal cache which is enabled by default.

Source: Practical Web Cache Poisoning

Answered by null on December 26, 2020

Add your own answers!

Ask a Question

Get help from others!

© 2024 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP