Web Cache Deception - exploitable without a cache server?

Is Web Cache Deception vulnerability exploitable if there is no cache server involved?

If we are not using a cache servers or a CDN to serve the application, then would the application still be vulnerable – say if the client’s network using the application has a caching server to serve its users?

Background: Our webapp scanner (Netsparker) has detected the Web Cache Deception vulnerability for an internal application and has marked the severity as Critical. Since there are no web cache servers between that webserver and its users, the inclination is to adjust the severity as medium or low.

Information Security Asked by Citylight on December 26, 2020

1 Answers

One Answer

Looks like it might be a false positive ? Can you reproduce the issue manually ?

Web Cache Poisoning can happen without a cache server or CDN since some application have an internal cache mechanism.

Drupal is often used with third party caches like Varnish, but it also contains an internal cache which is enabled by default.

Source: Practical Web Cache Poisoning

Answered by null on December 26, 2020

Add your own answers!

Related Questions

Nginx module security

1  Asked on November 21, 2021 by member2


Third party cookies – does secure, httponly matter?

1  Asked on November 21, 2021 by pang-ser-lark


Can input value escape a JSON object?

0  Asked on November 16, 2021


What is the Akamai Name Server I see for some big companies?

3  Asked on November 11, 2021 by hanan-n


What are ssh-keygen best practices?

4  Asked on November 11, 2021


How does openvpn work for only certain servers?

1  Asked on November 11, 2021 by relot


Ask a Question

Get help from others!

© 2022 All rights reserved.