Cache Deception (#453)

* Cache Deception

ADD:
Varies: Server Security Misconfiguration - Cache Deception

* Update remediation_advice.json

---------

Co-authored-by: Abhinav Nain <[email protected]>

Author: TimmyBugcrowd

mappings/cvss_v3/cvss_v3.json

@@ -1066,6 +1066,10 @@
           "id": "cache_poisoning",
           "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
         },
+        {
+          "id": "cache_deception",
+          "cvss_v3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+        },
         {
           "id": "captcha",
           "children": [

mappings/remediation_advice/remediation_advice.json

@@ -1351,6 +1351,13 @@
             "https://portswigger.net/blog/practical-web-cache-poisoning"
           ]
         },
+        {
+          "id": "cache_deception",
+          "remediation_advice": "The most effective way to prevent cache deception is to carefully control which responses are cached and to avoid caching responses that contain user-specific or sensitive data.\n\nEnsure that authentication-protected pages and any responses containing sensitive information explicitly disable caching via headers such as `Cache-Control: no-store, no-cache, must-revalidate` and `Pragma: no-cache`.\n\nBe particularly cautious with URL structures. Cache deception attacks often rely on tricking the cache into treating dynamic responses as static. A simple mitigation is to ensure that URLs ending in extensions like `.css`, `.js`, `.png`, etc., only serve static content and do not process dynamic requests.\n\nFor additional protection, configure your cache layer to only cache responses from a predefined allowlist of safe URL patterns. This prevents attackers from injecting deceptive paths that lead to cached sensitive data.\n\nAuditing your cache behavior using tools like Param Miner or manual testing can help identify and eliminate unintended caching of sensitive responses. Additionally, security headers such as `X-Content-Type-Options: nosniff` can help prevent certain forms of cache-related attacks.\n\nFinally, if your application uses a CDN or a reverse proxy (e.g., Cloudflare, Akamai, Varnish), ensure that caching rules are correctly configured to prevent caching of personalized or user-specific content.",
+          "references": [
+            "https://portswigger.net/web-security/web-cache-deception"
+          ]
+        },
         {
           "id": "captcha",
           "children": [

third-party-mappings/remediation_training/secure-code-warrior-links.json

@@ -334,6 +334,7 @@
   "server_security_misconfiguration": null,
   "server_security_misconfiguration.bitsquatting": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:bitsquatting&redirect=true",
   "server_security_misconfiguration.cache_poisoning": null,
+  "server_security_misconfiguration.cache_deception": null,
   "server_security_misconfiguration.captcha": null,
   "server_security_misconfiguration.captcha.brute_force": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:captcha:brute_force&redirect=true",
   "server_security_misconfiguration.captcha.implementation_vulnerability": "https://integration-api.securecodewarrior.com/api/v1/trial?id=bugcrowd&mappingList=vrt&mappingKey=server_security_misconfiguration:captcha:implementation_vulnerability&redirect=true",

vulnerability-rating-taxonomy.json

@@ -2097,6 +2097,12 @@
           "type": "subcategory",
           "priority": null
         },
+        {
+          "id": "cache_deception",
+          "name": "Cache Deception",
+          "type": "subcategory",
+          "priority": null
+        },
         {
           "id": "captcha",
           "name": "CAPTCHA",