MISSing Cache

Bypassing a Web Server’s Cache: Common Techniques

During my development of monitors for e-commerce and retail websites, it was always essential to make the software as fast as possible. A very common way to obtain a server's response before anyone else is by bypassing the cache and getting a sweet MISS from the server. Below are some common techniques I used to bypass a web server's cache and obtain the origin server's content directly.

1. Query String Manipulation

Web servers often use the Uniform Resource Locator (URL) and its query string parameters to identify unique resources. By manipulating these parameters, an attacker can trick the server into treating each request as a new resource, effectively bypassing the cache. Here are a few examples:

https://www.example.com/page?param=value1
https://www.example.com/page?param=value2

In this scenario, the server might cache the response for the first URL, but if an attacker modifies the parameter’s value, it becomes a unique request, bypassing the cache.

2. URL Capitalization

Hostnames in URLs are case-insensitive, but web servers may treat paths with different capitalization as distinct resources. An attacker can take advantage of this by requesting the same resource with different capitalization, effectively bypassing the cache. For example:

HIT : https://www.example.com/page
MISS: https://www.example.com/pAge

In this case, even though the resource is the same, the server treats each request as unique due to the differing capitalization of the path.

3. HTTP Method Manipulation

HTTP methods, such as GET, POST, PATCH, PUT, DELETE, and others, define the purpose of a request and how the server should handle it. Trying different HTTP methods can be an effective way to bypass a web server's cache; the method I had the most success with is POST.

Web servers typically treat POST requests differently from GET requests. While GET requests are often cached to improve performance, POST requests are usually not cached. This is because POST requests typically involve sending data to the server, which may result in state changes or modifications on the server side.

Other methods such as PATCH or PUT can also cause a server's cache to be bypassed.

4. Extra: Appending 0’s to Product Identifiers

Many e-commerce websites display their products using numerical product identifiers such as: https://example.com/pid/19035.html

On some of these websites I have found that prepending 0's to the PID (Product Identifier) results in the server's cache treating the URL as a different resource, and thus bypasses it.

https://example.com/pid/000019035.html
https://example.com/pid/019035.html
https://example.com/pid/00000019035.html
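All four techniques above work because the cache keys on the raw request target, so every cosmetic variant of a URL becomes a new key. The following is an added example, not code from the original post: a cache-key normaliser that collapses the variants from sections 1, 2 and 4 onto one key (and refuses to cache anything but GET/HEAD, which covers section 3), plus a small detector that runs over constructed access-log lines and flags clients that hit one normalised resource through many distinct raw variants. The allow-list of query parameters, the log-line format and the assumption that the origin ignores leading zeros in product ids are all mine, not the post's.

```python
"""Added example: defensive cache-key normalisation and a variant-burst detector.

Not part of the original post. Assumptions (not from the page):
  - CACHE_RELEVANT_PARAMS is the allow-list of query parameters that change
    the response; every other parameter is dropped from the cache key.
  - The origin serves /pid/000019035.html and /pid/19035.html identically,
    so leading zeros in purely numeric path segments can be stripped.
  - Log lines are constructed as "<client> <method> <url>".
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: only these query parameters really select a different page.
CACHE_RELEVANT_PARAMS = {"page", "sort"}


def normalized_cache_key(method, url):
    """Return the cache key a well-behaved cache should use for this request,
    or None when the request must never be answered from cache (section 3:
    anything but GET/HEAD)."""
    if method.upper() not in ("GET", "HEAD"):
        return None
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Section 2: lowercase the path so /page and /pAge share one key.
    segments = []
    for seg in parts.path.lower().split("/"):
        name, dot, ext = seg.partition(".")
        # Section 4: canonicalise numeric ids so 000019035 and 19035 collide.
        if name.isdigit():
            name = str(int(name))
        segments.append(name + dot + ext)
    path = "/".join(segments)

    # Section 1: keep only allow-listed parameters, in a fixed order, so
    # ?param=value1 / ?param=value2 cannot mint fresh keys.
    params = sorted(
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k in CACHE_RELEVANT_PARAMS
    )
    query = urlencode(params)
    return f"{host}{path}" + (f"?{query}" if query else "")


def suspicious_clients(log_lines, threshold=3):
    """Group requests by client and normalised resource; report clients that
    reached one resource through at least `threshold` distinct raw
    (method, url) variants. That spread is the signature of the bypass
    techniques above, whereas ordinary browsers repeat the same URL."""
    seen = defaultdict(lambda: defaultdict(set))  # client -> key -> raw variants
    for line in log_lines:
        client, method, url = line.split()
        # Normalise with GET regardless of the real method so a POST to a
        # cacheable page is grouped (and counted) with the GET variants.
        key = normalized_cache_key("GET", url)
        seen[client][key].add((method.upper(), url))

    flagged = {}
    for client, keys in seen.items():
        hits = [(key, len(raw)) for key, raw in keys.items() if len(raw) >= threshold]
        if hits:
            flagged[client] = sorted(hits)
    return flagged


# Constructed sample log (not real traffic): one client cycling through the
# post's variants, one client behaving normally.
SAMPLE_LOG = [
    "198.51.100.7 GET https://www.example.com/page?param=value1",
    "198.51.100.7 GET https://www.example.com/page?param=value2",
    "198.51.100.7 GET https://www.example.com/pAge",
    "198.51.100.7 POST https://www.example.com/page",
    "198.51.100.7 GET https://example.com/pid/000019035.html",
    "198.51.100.7 GET https://example.com/pid/019035.html",
    "203.0.113.5 GET https://www.example.com/page",
    "203.0.113.5 GET https://example.com/pid/19035.html",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        _, method, url = line.split()
        print(f"{method:5} {url:55} -> {normalized_cache_key(method, url)}")
    print(suspicious_clients(SAMPLE_LOG))
```

Run stand-alone, the script prints the canonical key for each sample request and then flags 198.51.100.7, which reached www.example.com/page through four distinct raw variants. The normaliser is the mitigation (the variants stop being cache misses), the detector is the check you would run over real logs while the normaliser is being rolled out.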

This post is licensed under CC BY 4.0 by the author.