Web Cache Deception
Risk Level: Medium
Confidence: 2
Description
Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.
Solution
It is strongly advised to refrain from classifying file types, such as images or stylesheets solely by their URL and file extension. Instead you should make sure that files are cached based on their Content-Type header.
Reference
https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/
https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/web-cache-deception/
CWE ID: 444
WASC ID: 0
Example Instance
URL: https://localhost:44392/contact/
Method: POST
Attack: /test.css,/test.jpg,/test.js,/test.html,/test.gif,/test.png,/test.svg,/test.php,/test.txt,/test.pdf,/test.asp,
Other Info: Cached Authorised Response and Unauthorised Response are similar.
This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2025-12-06
Plugin ID: 40039
Scan Metadata
- Branch:
main
- Template Source: NuGet.org
- Clean Template Version: 7.0.1
- Umbraco CMS Version: 17.0.0
Web Cache Deception
Risk Level: Medium
Confidence: 2
Description
Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.
Solution
It is strongly advised to refrain from classifying file types, such as images or stylesheets solely by their URL and file extension. Instead you should make sure that files are cached based on their Content-Type header.
Reference
https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/
https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/web-cache-deception/
CWE ID: 444
WASC ID: 0
Example Instance
URL:
https://localhost:44392/contact/Method: POST
Attack:
/test.css,/test.jpg,/test.js,/test.html,/test.gif,/test.png,/test.svg,/test.php,/test.txt,/test.pdf,/test.asp,Other Info: Cached Authorised Response and Unauthorised Response are similar.
This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2025-12-06
Plugin ID: 40039
Scan Metadata
main