Auto Web Cache Deception Tool
- I Would like to share simple Web Cache Testing Script Which Could be useful for finding Web Cache Deception issue’s And broken authentication issue’s at Same time.
pip install requests
Usage : python webcache.py urls.txt
- Tool WorkFlow:
url.txt should contain all Authenticated URL’s of Domain.
- Take’s one by one url from .txt file
- Take’s Authenticated Session Cookies of that domain.
To Enter the Cookies , you Need to Paste the cookies on Line 5 of Code. You can copy from chrome network tab And You may also need to enter Request header’s on Line 4 , Because Different Application’s have Different Functionalitie’s and csrf protection’s(Like Referer Based or Header)
(OR)
You can use https://curl.trillworks.com/ site to automatic generate cookies along with header . Just copy the CURL request and paste it and convert it to Python.
headers ={“Header Here”}
cookies = {“Paste Cookies Here”}
3. Then it Check’s the Authentication on url, If Not You will Get Redirect or 403 etc..
4. Tool use’s two extensions list , By Default it is only for short_extensions .If you want to use large_extensions list , you can rename the list.
short_extensions = [‘css’,’png’,’jpg’,’gif’,’txt’,’js’,’swf’,’bmp’]
large_extensions = [‘aif’,’aiff’,’css’,’au’,’avi’,’bin’,’bmp’,’cab’,’carb’,’cct’,’cdf’,’class’,’css’,’doc’,’ dcr’,’ dtd’,’ gcf’,’ gff’,’ gif’,’ grv’,’ hdml’,’ hqx’,’ ico’,’ ini’,’ jpeg’,’ jpg’,’ js’,’ mov’,’ mp3',’ nc’,’ pct’,’ ppc’,’ pws’,’ swa’,’ swf’,’ txt’,’ vbs’,’ w32',’ wav’,’ wbmp’,’ wml’,’ wmlc’,’ wmls’,’ wmlsc’,’ xsd’,’ zip’]
5. It will check if Content length of the url and Status code are equal to Content length of the url with extension’s with Status code , Nearby + 100 Extra Length Added . (To Avoid False Positive I Have kept the nearest to 100 Extra Content length for url’s request with extension’s) . You Can Set on your Application Behavior.