Skip to content

[ZAP Security] Web Cache Deception #422

Description

@github-actions

Web Cache Deception

Risk Level: Medium

Confidence: 2

Description

Web cache deception may be possible. It may be possible for unauthorised user to view sensitive data on this page.

Solution

It is strongly advised to refrain from classifying file types, such as images or stylesheets solely by their URL and file extension. Instead you should make sure that files are cached based on their Content-Type header.

Reference

https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/

https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/web-cache-deception/

CWE ID: 444

WASC ID: 0

Example Instance

URL: https://localhost:44392/contact/

Method: POST

Attack: /test.css,/test.jpg,/test.js,/test.html,/test.gif,/test.png,/test.svg,/test.php,/test.txt,/test.pdf,/test.asp,

Other Info: Cached Authorised Response and Unauthorised Response are similar.


This issue was automatically created from an OWASP ZAP security scan.
Alert detected on: 2025-12-06
Plugin ID: 40039

Scan Metadata

  • Branch: main
  • Template Source: NuGet.org
  • Clean Template Version: 7.0.1
  • Umbraco CMS Version: 17.0.0

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions