What is Web Cache Deception (WCD)?

by x32x01
šŸ” Web Cache Deception is an attack that tricks a cache (like a CDN or reverse proxy) into storing and exposing private or dynamic content-simply by adding a static file-like extension (e.g., [.jpg], [.css]) to what’s actually a dynamic URL.
āž”ļø Example:
A user’s private feed normally lives at https://site.com/newsfeed.
But if someone induces the user to visit https://site.com/newsfeed/foo.jpg, the cache sees the [.jpg] and caches the response. Then, an attacker can fetch that cached URL and see the user’s private feed.

🎯 How Attackers Exploit It

1. Flexible routing: Many frameworks treat /newsfeed/foo.jpg the same as /newsfeed.
2. Extension tricks caching: The .jpg convinces the cache to store it, even if it’s dynamic.
3. Takeover: The attacker can then access the cached content and see or leak sensitive data.

🧪 Real-World Example

Cloudflare’s own blog uses this scenario:
The site dynamically serves /newsfeed behind the scenes.
Requesting /newsfeed/foo.jpg returns the same content, but with a .jpg suffix.
Cloudflare sees .jpg and caches it. The attacker later retrieves it.

🛠 Bypass & Detection

Bypass: Attackers craft a URL like /private/data.jpg that routes to sensitive content. Once cached, everyone can access it.
Detecting: Watch for suspicious URLs ending in image/script extensions (.jpg, .css, .js) that return user-specific pages, and check those responses for cache headers like Age: or for a missing Cache-Control: no-store.
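
The detection advice above, turned into a check over logged responses; this is an added example, not code from the original post. It assumes that a static extension served with a non-matching Content-Type stands in for "returns a user-specific page"; the extension map, function names and sample records are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed, minimal map: static extension -> Content-Type prefixes that fit it.
EXPECTED_TYPES = {
    ".jpg": ("image/jpeg",),
    ".css": ("text/css",),
    ".js": ("application/javascript", "text/javascript"),
}

def audit_response(url, headers):
    """Return the cache-deception findings for one logged response."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext not in EXPECTED_TYPES:
        return []  # no static-looking extension, nothing to check here
    ctype = h.get("content-type", "").split(";")[0].strip()
    if ctype.startswith(EXPECTED_TYPES[ext]):
        return []  # extension and body type agree: a genuine static file
    findings = [f"extension {ext} served as {ctype or 'unknown type'}"]
    directives = {d.strip() for d in h.get("cache-control", "").split(",")}
    if not directives & {"no-store", "private"}:
        findings.append("no Cache-Control: private/no-store")
    if "age" in h:
        findings.append("Age header present: response came from a cache")
    return findings

# Constructed sample records (URL, response headers); not real traffic.
SAMPLE_LOG = [
    ("https://site.com/static/logo.jpg",
     {"Content-Type": "image/jpeg", "Age": "120"}),
    ("https://site.com/newsfeed/foo.jpg",
     {"Content-Type": "text/html; charset=utf-8", "Age": "37"}),
    ("https://site.com/newsfeed/foo.css",
     {"Content-Type": "text/html", "Cache-Control": "private, no-store"}),
    ("https://site.com/newsfeed", {"Content-Type": "text/html"}),
]

def audit_log(log):
    """Map each suspicious URL to its list of findings."""
    return {url: f for url, hdrs in log if (f := audit_response(url, hdrs))}

if __name__ == "__main__":
    for url, findings in audit_log(SAMPLE_LOG).items():
        print(url, "->", "; ".join(findings))
```

A record with all three findings is the case to investigate first; a lone type mismatch with private/no-store set shows lenient routing that the headers are currently covering for.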

🛡 How to Defend

1. Strict routing

Ensure your application does not treat /path/foo.extension the same as /path: reject unpredictable suffixes or return a 404 for them. Adding route anchors prevents this.

2. Correct headers

For dynamic content, always send:
Cache-Control: private, no-store, no-cache
So caches and browsers won't store it.

3. Server/Proxy rules

Implement rules at the CDN or proxy (e.g., Cloudflare’s Cache Deception Armor) to verify that file extensions match their content types, preventing this type of deception.

4. Be cautious with "Cache Everything"

Features like Cloudflare’s “Cache Everything” may override safeguards. Use them only when you’re certain content is static and safe to cache.

5. Vary and Cache Key Control

Ensure headers like User-Agent, cookies, and others are properly managed: either blocked or explicitly included in the cache key (via Vary:). This prevents cross-user cache leaks.

✅ Summary Table

| Step | What Happens | Defense |
|------|--------------|---------|
| 1 | /newsfeed/foo.jpg returns private content | Reject invalid suffixes |
| 2 | Cache sees .jpg and caches it | Add Cache-Control: private/no-store |
| 3 | Attacker fetches it | Use proxy safeguards, match extensions & types |

🚨 What is Web Cache Deception (WCD)?
It’s a sneaky attack that tricks CDNs or proxies into caching private content by adding fake “.jpg” or “.css” endings.
⚠️ Why it matters:
An attacker could force your private data into a public cache just by tricking a user into clicking a deceptive link.
🛠 How to prevent it:
• Use strict routing: no flexible suffixes
• Add Cache-Control: private, no-store on dynamic pages
• Activate CDN defenses like Cloudflare’s Cache Deception Armor
• Don’t use “Cache Everything” without caution
Stay safe, configure wisely! 👍