carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Overview

The post demonstrates a practical chain that turns two low-impact issues — Client-Side Path Traversal (CSPT) and Web Cache Deception — into full Account Takeover (ATO). The crux: use CSPT in the Single-Page App (SPA) to force an authenticated fetch (bearing a custom header) to a cacheable API path variant, causing the CDN to publicly cache sensitive token JSON. Anyone can then retrieve the victim’s token from the cache.

How the pieces work

🔧 Technical Details

CSPT to retarget authenticated fetches: When a front end concatenates user input into API paths and attaches auth headers, inject path traversal (e.g., ../../../target) so the browser normalizes the URL to an attacker-chosen endpoint on the same origin. The fetch will carry the victim’s credentials/headers.

Web Cache Deception via static extension: Append a static-looking suffix (e.g., .css) to a dynamic, sensitive endpoint. Some CDNs apply extension-based caching, returning identical JSON with Cache-Control: public, max-age=... and serving it without varying on auth headers. If the first response was made with victim credentials, subsequent unauthenticated requests retrieve the cached secret.

Chain for ATO: Use CSPT to send an authenticated request to the cacheable path variant and poison the CDN with the victim’s sensitive JSON. Then read back the same URL without authentication t...

🤖 Agent Actions

I analyzed the repository and found the best place to integrate the blog’s technique is in the “Pentesting Web > Cache Deception/Cache Poisoning” section, with an additional cross-reference in the “Client Side Path Traversal” page.

What I updated:

  1. Added a new subsection in Cache Deception/Cache Poisoning
  • File: src/pentesting-web/cache-deception/README.md
  • New subsection: “CSPT-assisted authenticated cache poisoning (Account Takeover)”
  • Content includes:
    • Concept and threat model
    • End-to-end exploit chain using CSPT to retarget an authenticated fetch to a cacheable static-suffixed path
    • Concrete HTTP examples (token endpoint .css suffix switching CDN to public cache)
    • Preconditions, validation checklist, impact
    • Mitigations across client, edge/CDN, and auth
  • Also updated the “References” section to include:
    • The blog post
    • CSPT overview by Matan Berson
    • Maxence Schmitt CSPT talk
    • PortSwigger: Web Cache Deception
  2. Extended the Client Side Path Traversal page to include the chaining pattern
  • File: src/pentesting-web/client-side-path-traversal.md
  • Added section: “CSPT-assisted web cache poisoning/deception”
    • Brief chaining explanation and a quick recipe for exploitation
    • Link to the Cache Deception page for full details
  • Added a proper “References” section at the end with the blog link and relevant resources

Why these changes:

  • The technique is a clean hybrid of CSPT and Cache Deception/Poisoning: CSPT is used to pivot an authenticated fetch to a static-looking cacheable path variant, causing the CDN to publicly cache sensitive JSON, leading to ATO. This is not already documented in the Cache Deception page, and the CSPT page lacked this exploitation angle.
  • Maintaining HackTricks structure: I added the chain to the main Cache Deception/Poisoning page and cross-referenced it in the CSPT page, keeping everything cohesive and discoverable.

References added (in the files):

No new files were created; I updated existing pages in the most relevant sections to keep related content consolidated.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 876
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.
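The "How the pieces work" summary above describes two conditions that have to hold at once: the SPA concatenates user input into an API path before an authenticated fetch, and the CDN treats a static-looking suffix on a dynamic endpoint as publicly cacheable. The following is an added example, not code from this PR, from HackTricks, or from the blog post it summarises; it models both halves from a defender's side. The vulnerable URL builder sits beside a hardened one, and a small audit function flags the response conditions that let a CDN cache an authenticated JSON body. The base URL `https://app.example/api/users/`, the `buildUrlUnsafe`/`buildUrlSafe`/`auditCacheability` names, and all headers and paths are constructed for illustration.

```javascript
// Added example (not the PR's or the blog's own code). All names and values
// below are constructed; API_BASE stands in for whatever prefix the SPA uses.

const API_BASE = 'https://app.example/api/users/'; // assumed SPA API prefix

// Vulnerable pattern: user input is concatenated into the path, so "../"
// segments are normalised by the URL parser and the credentialed fetch is
// retargeted to a sibling endpoint on the same origin.
function buildUrlUnsafe(userInput) {
  return new URL(API_BASE + userInput).href;
}

// Hardened pattern: allow-list the identifier, append it as one path segment,
// and confirm the resolved URL still sits under API_BASE. Note that
// encodeURIComponent() leaves "." untouched, so "..", on its own, would still
// resolve upwards; the allow-list is what actually blocks traversal and the
// startsWith() check is defence in depth.
function buildUrlSafe(userInput) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(userInput)) {
    throw new Error('invalid resource id');
  }
  const url = new URL(encodeURIComponent(userInput), API_BASE);
  if (!url.href.startsWith(API_BASE)) {
    throw new Error('resolved URL escaped the API base');
  }
  return url.href;
}

// Extensions a CDN with extension-based caching rules is likely to treat as static.
const STATIC_SUFFIX = /\.(css|js|png|jpg|jpeg|gif|svg|ico|woff2?)$/i;

// Audits one request/response pair for the conditions behind the cache-deception
// half of the chain. Header objects use lower-cased keys (as produced by
// iterating a fetch() Headers instance). Returns a list of findings; an empty
// list means the response is safe to pass through an edge cache.
function auditCacheability(path, requestHeaders, responseHeaders) {
  const findings = [];
  const authenticated = 'authorization' in requestHeaders;
  const cc = (responseHeaders['cache-control'] || '').toLowerCase();
  const ctype = (responseHeaders['content-type'] || '').toLowerCase();
  const vary = (responseHeaders['vary'] || '').toLowerCase().split(',').map(s => s.trim());

  if (authenticated && /\bpublic\b/.test(cc)) {
    findings.push('authenticated response marked Cache-Control: public');
  }
  if (authenticated && !/\bno-store\b/.test(cc)) {
    findings.push('authenticated response lacks Cache-Control: no-store');
  }
  if (authenticated && !vary.includes('authorization')) {
    findings.push('cache key does not vary on Authorization');
  }
  if (STATIC_SUFFIX.test(path) && ctype.startsWith('application/json')) {
    findings.push('static-looking path returned JSON (extension-based caching risk)');
  }
  return findings;
}

// Usage on a constructed request/response pair that reproduces the risky shape.
console.log(auditCacheability(
  '/api/auth/token.css',
  { authorization: 'Bearer <constructed>' },
  { 'cache-control': 'public, max-age=3600', 'content-type': 'application/json' }
));
```

The audit is the part worth wiring into a test suite or an edge-side lint: a token endpoint that answers an `Authorization`-bearing request without `Cache-Control: no-store`, or that answers at all under a `.css` suffix, is the precondition the chain needs, and each of those is visible in a single response without any exploitation.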

…ngs into ...

- Remove searchindex.js (auto-generated file)
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://zere.es/posts/cache-deception-cspt-account-takeover/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web > Web Cache Deception / Cache Poisoning (add a subsection: CSPT-assisted authenticated cache poisoning)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
