mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-10 21:24:56 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
1.7 KiB
# API Reference: Web Cache Deception Attack
## Attack Technique
| Step | Action | Description |
|---|---|---|
| 1 | Identify authenticated endpoint | Find URL returning personalized content |
| 2 | Append static extension | /account/nonexistent.css |
| 3 | CDN caches response | Proxy treats as static file |
| 4 | Access cached URL unauthenticated | Receive victim's personalized data |
## Static Extensions to Test
| Extension | Type | Cache Likelihood |
|---|---|---|
| .css | Stylesheet | Very High |
| .js | JavaScript | Very High |
| .png, .jpg, .gif | Image | High |
| .woff, .woff2 | Font | High |
| .pdf | Document | Medium |
| .ico | Icon | Medium |
## Cache Detection Headers
| Header | Cached Indicators |
|---|---|
| X-Cache | HIT |
| CF-Cache-Status | HIT (Cloudflare) |
| X-Cache-Status | HIT (Nginx proxy_cache) |
| Age | Non-zero value |
| X-Varnish | Two IDs = cache hit |
## Path Delimiter Confusion
| Delimiter | URL Example |
|---|---|
| ; | /account;test.css |
| %23 | /account%23test.css |
| %3f | /account%3ftest.css |
## Mitigation
| Control | Description |
|---|---|
| Cache-Control: no-store | Prevent caching of authenticated pages |
| Validate file extension | Only cache actual static files |
| Vary: Cookie | Separate cache by session |
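An added defender-side example, not part of this skill's own code: it models the "validate file extension" and `no-store` controls above, treats the delimiter-confusion cases from the earlier table as non-cacheable, and flags cache HITs in access logs that match the deception pattern. The static-file inventory, the access-log format and its `x_cache=` field are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

# Extensions a CDN tends to treat as static (the table above).
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".woff", ".woff2", ".pdf", ".ico"}
# Characters a delimiter-confused origin may cut the path at; a naive cache keys on the raw path.
ORIGIN_DELIMITERS = (";", "#", "?")
STATIC_FILES = {"/static/app.css", "/static/logo.png"}  # constructed inventory of real static files

def origin_path(url_path: str) -> str:
    """Path as a delimiter-confused origin resolves it: decode, then cut at the first delimiter."""
    decoded = unquote(url_path)
    cuts = [i for i in (decoded.find(d) for d in ORIGIN_DELIMITERS) if i != -1]
    return decoded[:min(cuts)] if cuts else decoded

def cache_extension(url_path: str) -> str:
    return os.path.splitext(url_path.rsplit("/", 1)[-1])[1].lower()  # raw last segment, as a naive cache sees it

def looks_like_cache_deception(url_path: str, static_files: set) -> bool:
    """True when the cache would see a static file but the origin would serve something else."""
    if cache_extension(url_path) not in STATIC_EXTENSIONS:
        return False
    decoded = unquote(url_path)
    if decoded != origin_path(url_path):
        return True  # delimiter confusion: /account;test.css is /account to the origin
    return decoded not in static_files  # e.g. /account/nonexistent.css

def cache_headers(url_path: str, static_files: set, personalized: bool) -> dict:
    """Origin-side mitigation: never cache personalized responses, cache only real static files."""
    if personalized or looks_like_cache_deception(url_path, static_files):
        return {"Cache-Control": "no-store", "Vary": "Cookie"}
    return {"Cache-Control": "public, max-age=86400"}

# Constructed access-log format (assumed): request line, status, bytes, then the cache verdict.
LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3}) \d+ x_cache=(?P<cache>\w+)')
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2026:10:00:00 +0000] "GET /account/nonexistent.css HTTP/1.1" 200 512 x_cache=HIT',
    '10.0.0.5 - - [10/Jun/2026:10:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 2048 x_cache=HIT',
    '10.0.0.9 - - [10/Jun/2026:10:00:02 +0000] "GET /account%23test.css HTTP/1.1" 200 512 x_cache=MISS',
]

def flag_log_lines(lines, static_files):
    """Paths matching the deception pattern that were actually served from cache (the real exposure)."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("cache") == "HIT" and looks_like_cache_deception(m.group("path"), static_files):
            flagged.append(m.group("path"))
    return flagged
```

A MISS on a deception-shaped path is still worth reviewing, but only a HIT means a personalized response was actually stored by the cache.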
## Python Libraries
| Library | Version | Purpose |
|---|---|---|
| requests | >=2.28 | HTTP requests with/without auth |
## References
- PortSwigger Web Cache Deception: https://portswigger.net/web-security/web-cache-deception
- Original Research (Omer Gil): https://omergil.blogspot.com/2017/02/web-cache-deception-attack.html