Auto Web Cache Deception Tool

  • I Would like to share simple Web Cache Testing Script Which Could be useful for finding Web Cache Deception issue’s And broken authentication issue’s at Same time.

Usage : python webcache.py urls.txt

  • Tool WorkFlow:

url.txt should contain all Authenticated URL’s of Domain.

  1. Take’s one by one url from .txt file
  2. Take’s Authenticated Session Cookies of that domain.

To Enter the Cookies , you Need to Paste the cookies on Line 5 of Code. You can copy from chrome network tab And You may also need to enter Request header’s on Line 4 , Because Different Application’s have Different Functionalitie’s and csrf protection’s(Like Referer Based or Header)

(OR)

You can use https://curl.trillworks.com/ site to automatic generate cookies along with header . Just copy the CURL request and paste it and convert it to Python.

headers ={“Header Here”}

cookies = {“Paste Cookies Here”}

3. Then it Check’s the Authentication on url, If Not You will Get Redirect or 403 etc..

4. Tool use’s two extensions list , By Default it is only for short_extensions .If you want to use large_extensions list , you can rename the list.

short_extensions = [‘css’,’png’,’jpg’,’gif’,’txt’,’js’,’swf’,’bmp’]

large_extensions = [‘aif’,’aiff’,’css’,’au’,’avi’,’bin’,’bmp’,’cab’,’carb’,’cct’,’cdf’,’class’,’css’,’doc’,’ dcr’,’ dtd’,’ gcf’,’ gff’,’ gif’,’ grv’,’ hdml’,’ hqx’,’ ico’,’ ini’,’ jpeg’,’ jpg’,’ js’,’ mov’,’ mp3',’ nc’,’ pct’,’ ppc’,’ pws’,’ swa’,’ swf’,’ txt’,’ vbs’,’ w32',’ wav’,’ wbmp’,’ wml’,’ wmlc’,’ wmls’,’ wmlsc’,’ xsd’,’ zip’]

5. It will check if Content length of the url and Status code are equal to Content length of the url with extension’s with Status code , Nearby + 100 Extra Length Added . (To Avoid False Positive I Have kept the nearest to 100 Extra Content length for url’s request with extension’s) . You Can Set on your Application Behavior.

Security Analyst

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store