Full Report
The author was reviewing a website when they found two separate issues: a cache deception issue and a client-side path traversal (CSPT) bug. Separately, they were useless. Together, they created an account takeover.

Web cache deception is getting data cached that shouldn't be cached, via crafted links. While reviewing the application, they appended .css to an endpoint that returned an authentication token. Unfortunately, this API required the X-Auth-Token header, which wouldn't be automatically added to the request. This is issue number 1.

They were also reviewing client-side code and noticed that a URL parameter was being included directly in part of a path used to make an API request. Using a malicious parameter containing ../ sequences, the client-side code can be made to issue an arbitrary API call that is authenticated. They weren't able to do anything useful with this by itself.

Now, let's combine the bugs! Use the CSPT to make an authenticated API request with .css at the end of it. This caches the API token! The exploit is just the user clicking on the following link: https://example.com/user?id=../../../v1/token.css.

This is a super neat chain of bugs. CSPT and web cache deception have always felt like black magic to me.
Analysis Summary
# Vulnerability: Account Takeover via CSPT and Web Cache Deception Chain
## CVE Details
- **CVE ID:** Not assigned (Identified via private Bug Bounty program)
- **CVSS Score:** 8.8 (High) - Estimated: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
- **CWE:** CWE-20 (Improper Input Validation), CWE-524 (Use of Cache-control Directive Allowing Caching of Sensitive Information)
## Affected Systems
- **Products:** Proprietary web application (example.com / api.example.com)
- **Versions:** All versions prior to the August 2025 disclosure
- **Configurations:** Systems where the CDN/Cache layer is configured to cache files based on file extensions (e.g., .css) regardless of the `Content-Type` header or `Cache-Control` settings for API endpoints.
## Vulnerability Description
This vulnerability is an exploit chain consisting of two primary flaws:
1. **Client-Side Path Traversal (CSPT):** The application's frontend JavaScript takes a `userId` URL parameter and concatenates it into a `fetch()` request to an API. Lack of input validation allows an attacker to use `../` sequences to redirect the authenticated API call to an arbitrary endpoint.
2. **Web Cache Deception:** The API endpoint `/v1/token` returns sensitive session tokens. While it normally uses `no-cache` directives, appending `.css` to the URL triggers the CDN to override these directives and cache the response publicly for 24 hours.
**The Chain:** The CSPT is used to force the victim's browser to make an **authenticated** request (including the required `X-Auth-Token` header) to the `/v1/token.css` endpoint. This results in the victim's private token being stored on the public CDN, accessible to the attacker.
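The following is an added example, not code from the original report or from the affected application. It models the client-side request builder the report describes (a URL parameter concatenated into an API path) and shows why the browser's own URL resolution turns `../` segments into a request for a different endpoint, alongside a hardened builder that validates the parameter against an allowlist and re-checks the resolved URL. `API_BASE`, `USER_ID_PATTERN` and all function names are assumptions made for the example; the payload `../../../v1/token.css` is the one the report shows.

```javascript
// Added example, not code from the original report or the affected site.
// Models the client-side request builder described in the report: a URL
// parameter is concatenated into an API path, and "../" segments let the
// resolved request land on another endpoint. API_BASE, the function names
// and USER_ID_PATTERN are assumptions; the payload is the page's own.

const API_BASE = "https://api.example.com/v1/users/"; // assumed API prefix

// Vulnerable form: userId is spliced straight into the path. The browser
// normalises "../" during URL resolution, so the request target becomes
// whatever the parameter names, and the caller still attaches X-Auth-Token.
function buildUserRequestUrl(userId) {
  return new URL(API_BASE + userId).href;
}

// True when the resolved request would leave the intended API prefix.
function wouldEscapeApiBase(userId) {
  return !buildUserRequestUrl(userId).startsWith(API_BASE);
}

// Hardened form: validate against an allowlist of the identifier shape the
// API actually uses (rather than stripping "../"), percent-encode so the
// value can only occupy one path segment, then re-check the resolved URL.
const USER_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/; // assumed ID format

function buildUserRequestUrlSafe(userId) {
  if (typeof userId !== "string" || !USER_ID_PATTERN.test(userId)) {
    return null; // reject: not a plausible user id
  }
  const href = new URL(API_BASE + encodeURIComponent(userId)).href;
  return href.startsWith(API_BASE) ? href : null;
}

// Simulates the frontend issuing the request with its auth header, so the
// effect of each builder can be seen without a live API. fetchImpl is a
// stand-in for window.fetch.
async function requestUser(userId, token, fetchImpl, build = buildUserRequestUrl) {
  const url = build(userId);
  if (url === null) throw new Error("refused to issue request for invalid userId");
  return fetchImpl(url, { headers: { "X-Auth-Token": token } });
}

// Usage with the page's payload (constructed token value):
const PAYLOAD = "../../../v1/token.css";
const recordingFetch = async (url, opts) => ({ url, headers: opts.headers });

requestUser(PAYLOAD, "victim-token", recordingFetch).then((r) =>
  console.log("vulnerable builder sent", r.url)); // https://api.example.com/v1/token.css
console.log("safe builder result:", buildUserRequestUrlSafe(PAYLOAD)); // null
console.log("safe builder result:", buildUserRequestUrlSafe("alice")); // https://api.example.com/v1/users/alice
```

The prefix re-check after resolution is the part worth keeping even if the allowlist changes: it catches any encoding the regex did not anticipate, because it tests what the browser will actually request rather than what the parameter looks like.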
## Exploitation
- **Status:** PoC available; identified in a private bug bounty program.
- **Complexity:** Medium (Requires knowledge of API structure and CDN caching rules).
- **Attack Vector:** Network (Remote). Requires a victim to click a malicious link.
## Impact
- **Confidentiality:** High (Full access to session tokens and sensitive user data).
- **Integrity:** High (Ability to perform actions as the victim user/Account Takeover).
- **Availability:** High (Potential to lock out users or delete accounts).
## Remediation
### Patches
- **Input Validation:** Sanitize all URL parameters used in client-side requests to prevent path traversal (e.g., stripping `../` or using an allowlist).
- **Cache Configuration:** Configure the CDN/Web Cache to prioritize `Cache-Control` headers from the origin server over file extensions.
### Workarounds
- **Header Restriction:** Implement `Origin` checks on the API to ensure requests are coming from trusted frontend sources.
- **Vary Header:** Use the `Vary: Authorization` or `Vary: X-Auth-Token` header to ensure different users do not receive cached content intended for others.
## Detection
- **Indicators of Compromise:** Unusual requests to API endpoints with mismatched extensions (e.g., `/v1/token.css`).
- **Detection methods:** Monitor CDN logs for `X-Cache: Hit` on sensitive API endpoints. Use automated scanners to test for "Path Overwrite" or "CSPT" vulnerabilities in client-side JavaScript.
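As an added example (not part of the original report), the detection logic above can be run over CDN access logs: flag requests to sensitive API routes that carry a static-asset extension, and escalate when the CDN reports a cache hit. The log layout (timestamp, method, path, status, cache status), the sensitive prefixes, the extension list and the sample lines are all constructed for this example; real CDN log formats and the application's actual sensitive routes will differ.

```javascript
// Added example, not part of the original report: a detector that walks CDN
// access-log lines and flags a request to a sensitive API path that carries a
// static-asset extension, escalated when the CDN reports a cache HIT. The log
// format, the prefixes and the sample lines are constructed for this example.

const SENSITIVE_PREFIXES = ["/v1/token", "/v1/account"]; // assumed sensitive API paths
const STATIC_EXTENSIONS = [".css", ".js", ".png", ".ico", ".svg", ".woff2"];

// Constructed sample log: "<timestamp> <method> <path> <status> <cache-status>"
const SAMPLE_LOG = [
  "2025-08-01T10:00:01Z GET /static/app.css 200 HIT",
  "2025-08-01T10:00:02Z GET /v1/token 200 MISS",
  "2025-08-01T10:00:03Z GET /v1/token.css 200 MISS",
  "2025-08-01T10:00:04Z GET /v1/token.css 200 HIT",
  "2025-08-01T10:00:05Z GET /v1/users/alice 200 MISS",
  "2025-08-01T10:00:06Z GET /v1/account.js?cb=1 200 HIT",
  "malformed line",
];

// Parses one constructed log line; returns null for lines that do not fit.
function parseLogLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 5) return null;
  const [timestamp, method, target, status, cache] = parts;
  const pathname = target.split("?")[0]; // drop the query string
  return { timestamp, method, pathname, status: Number(status), cache: cache.toUpperCase() };
}

// Extension of the last path segment, or "" when there is none.
function pathExtension(pathname) {
  const last = pathname.slice(pathname.lastIndexOf("/") + 1);
  const dot = last.lastIndexOf(".");
  return dot === -1 ? "" : last.slice(dot).toLowerCase();
}

// True when the path, with any extension removed, is a sensitive API route.
function isSensitiveApiPath(pathname) {
  const ext = pathExtension(pathname);
  const base = ext ? pathname.slice(0, -ext.length) : pathname;
  return SENSITIVE_PREFIXES.some((p) => base === p || base.startsWith(p + "/"));
}

// "high" for a cached response on a sensitive path with a static extension,
// "medium" for the same extension mismatch without a cache hit, else null.
function classify(entry) {
  const ext = pathExtension(entry.pathname);
  if (!STATIC_EXTENSIONS.includes(ext) || !isSensitiveApiPath(entry.pathname)) return null;
  return entry.cache === "HIT" ? "high" : "medium";
}

// Returns every suspicious entry with its severity attached, in log order.
function findCacheDeceptionIndicators(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const severity = classify(entry);
    if (severity) findings.push({ ...entry, severity });
  }
  return findings;
}

for (const f of findCacheDeceptionIndicators(SAMPLE_LOG)) {
  console.log(`[${f.severity}] ${f.timestamp} ${f.pathname} cache=${f.cache}`);
}
```

A MISS on `/v1/token.css` is still worth a medium-severity alert: it is the first request that primes the cache, and on a CDN that honours the extension the very next request for the same URL is the one that leaks.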
## References
- hxxps[://]zere[.]es/posts/cache-deception-cspt-account-takeover/
- hxxps[://]portswigger[.]net/web-security/web-cache-deception
- hxxps[://]matanber[.]com/blog/cspt-levels/