Hello everyone, I’m Nitin Yadav. Back again with another practical blog.
This time we’re talking about Cache Deception – a bug class that looks simple, but when it works, it can leak private user data across users.
No fluff. No theory dump.
I’ll explain what it is, why it matters, and how to think about it as a bug hunter. We’ll go step by step, one topic at a time.
What is Cache Deception?
Cache Deception happens when a caching layer (CDN / reverse proxy) is tricked into caching sensitive, user-specific responses and then serving them to other users.
Normally:
- Static files (.css, .js, .jpg) → cached
- Dynamic endpoints (/profile, /account, /api/me) → not cached
But sometimes:
- The cache decides based on the URL, not the backend logic
- The backend still serves authenticated content
- The cache stores it as if it were static
That’s the mistake we exploit.
Cache Deception is when private, authenticated content gets cached and becomes accessible to other users due to URL manipulation.
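The mismatch described above, as an added example (not code from the original post): a constructed model of a cache's store decision. It compares a rule that looks only at the URL extension with one that also requires the origin's response headers to agree. The paths, header values, policy functions and the `OriginResponse` type are assumptions made up for illustration.

```python
from dataclasses import dataclass
from posixpath import splitext
from urllib.parse import urlsplit

# Extensions from the list above; the MIME pairings are assumed typical values.
STATIC_TYPES = {".css": "text/css", ".js": "text/javascript", ".jpg": "image/jpeg"}

@dataclass
class OriginResponse:          # hypothetical, minimal view of what the backend sent
    content_type: str
    cache_control: str = ""
    set_cookie: bool = False

def _ext(url: str) -> str:
    return splitext(urlsplit(url).path)[1].lower()

def url_only_policy(url: str, resp: OriginResponse) -> bool:
    """Weak rule: store anything whose path ends in a static extension."""
    return _ext(url) in STATIC_TYPES

def hardened_policy(url: str, resp: OriginResponse, has_credentials: bool) -> bool:
    """Store only when the origin's response agrees it is static and shareable."""
    ext = _ext(url)
    directives = {d.strip().lower() for d in resp.cache_control.split(",") if d.strip()}
    if ext not in STATIC_TYPES:
        return False
    if directives & {"private", "no-store", "no-cache"} or resp.set_cookie:
        return False
    if has_credentials and "public" not in directives:
        return False   # authenticated request: require an explicit opt-in from the origin
    return resp.content_type.split(";")[0].strip().lower() == STATIC_TYPES[ext]

def audit(samples):
    """URLs the weak rule would store but the hardened rule refuses."""
    return [u for u, r, cred in samples
            if url_only_policy(u, r) and not hardened_policy(u, r, cred)]

# Constructed sample traffic: (url, origin response, request carried a session?)
SAMPLES = [
    ("/assets/site.css", OriginResponse("text/css", "public, max-age=3600"), False),
    ("/account", OriginResponse("text/html; charset=utf-8", "private"), True),
    ("/account/anything.css", OriginResponse("text/html; charset=utf-8", "private, no-store"), True),
    ("/profile/x.js", OriginResponse("text/html; charset=utf-8"), True),
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

Every URL that `audit` returns is a response the extension-only rule would have stored even though the origin marked it private or served HTML behind a session.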