Hunting for Web Cache Deception Vulnerabilities with a Custom Bash Script

CyberJson — Wed, 21 May 2025 12:21:19 +0000

📖 Introduction

In the ever-evolving world of web application security, Web Cache Deception (WCD) remains an underrated but impactful vulnerability. Discovered by Omer Gil in 2017, this class of bugs can expose sensitive information by tricking caching mechanisms into storing and serving private data.

While many tools exist for automated scanning, they often lack customization, scalability, or OS-specific handling for bug bounty hunters and penetration testers. That’s why I built a multi-threaded, Bash-powered Web Cache Deception scanner under my personal toolkit banner — CyberJsonTools.

In this article, I’ll break down the script, explain how it works, and show you how to use it for effective cache deception testing on your targets.
⚡️ What Is Web Cache Deception?

A Web Cache Deception vulnerability occurs when a public cache stores private or user-specific content, usually because an attacker manipulates the URL or request headers in a way that bypasses cache exclusion rules. Once cached, this sensitive content might become accessible to other users or attackers.

Example Scenario:
A URL like https://target.com/profile is meant for authenticated users only. However, accessing https://target.com/profile.jpg might return a cached response due to the .jpg extension — potentially exposing private user data.
🛠️ Script Features

✅ Bash 4+ compatibility check with auto-install via Homebrew (on macOS)
✅ GNU parallel dependency check and installation
✅ Multi-threaded URL testing with customizable concurrency
✅ 45+ common file extensions and 45+ query parameters tested for cache deception behavior
✅ 40+ custom headers and header values sent with each request
✅ 20 top User-Agents for rotation in requests
✅ Detects Cache-Control: public and cache HIT responses via X-Cache or CF-Cache-Status headers
✅ Results logged to a clean, timestamped log file
📦 Dependencies

`Bash 4+
GNU parallel
curl`

The script auto-installs Bash and GNU parallel on macOS if missing.
📑 How It Works

1️⃣ Environment Setup
The script ensures the environment is suitable by verifying Bash version and GNU parallel installation.

2️⃣ URL and Payload Generation
It takes a list of base URLs and appends 45+ file extensions and 45+ parameters commonly used to trigger caching mechanisms.

3️⃣ Request Execution with Multi-threading
Each generated URL is tested concurrently using parallel with:

`Random User-Agent from a list of 20
Standard request
Requests with 45+ different HTTP headers and values`

4️⃣ Response Analysis
The response headers are checked for:

`Cache-Control: public
X-Cache: HIT
CF-Cache-Status: HIT`

If found, the endpoint is flagged as potentially vulnerable.

5️⃣ Reporting
Results are neatly logged to a file named cyberjson_wcd_results.log, including request headers, response headers, and vulnerability status.
🔥 How to Use It

1️⃣ Prepare a file with target base URLs:

https://target.com/ https://target.com/private/

2️⃣ Run the script:

bash cyberjson_web_cache_tester.sh < urls.txt

3️⃣ Review the results:

Check `cyberjson_wcd_results.log`
Look for [!!!] markers indicating vulnerabilities.

📊 Sample Log Output

[+] URL: https://target.com/private/profile.jpg
Cache-Control: public
X-Cache: HIT

[!!!] https://target.com/private/profile.jpg is VULNERABLE to Web Cache Deception!

🎯 Why Build This Tool?

I built this script to address limitations I found in existing WCD scanners:

Lack of header manipulation tests
No User-Agent rotation
Inability to run multi-threaded scans via Bash
Poor OS support detection, especially for macOS setups in bug bounty workflows

This tool can be a reliable companion for hunters on platforms like HackerOne, Bugcrowd, or Intigriti.
📌 Conclusion

Web Cache Deception vulnerabilities are easy to overlook but can lead to serious data leaks. With the CyberJsonTools Web Cache Deception scanner, you can efficiently test for these issues across multiple endpoints using a fast, multi-threaded Bash workflow.
📬 Get the Script

📖 Full code & updates: [GitHub Repository — CyberJsonP]
🖥️ Follow me on X (Twitter) for bug bounty tips and tools.
🔗 Related Resources

Original Web Cache Deception Research by Omer Gil
HackerOne — WCD Reports
Burp Suite Web Cache Deception Cheat Sheet

📣 Feedback & Collaboration

I’d love to hear your thoughts or ideas for improving this tool!
Feel free to reach out on X (Twitter) or comment on this post.

DEV Community: CyberJson

Hunting for Web Cache Deception Vulnerabilities with a Custom Bash Script