SkillAgentSearch skills...

CacheDecepHound

This tool is an efficient scanner designed to detect Cache Deception vulnerabilities in web servers. It automates the process of testing URLs by using customizable delimiters and extensions, with multi-threading support for improved speed.

GenerateConvertImprove

Install / Use

/learn @g4nkd/CacheDecepHound
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

CacheDecepHound

This tool is designed to test for web cache deception vulnerabilities by exploiting discrepancies in how web servers and caches handle URL paths, delimiters, and static resources. It automates the process of identifying and exploiting these vulnerabilities, making it easier for security researchers and penetration testers to assess the security of web applications.

Additionally, CacheDecepHound employs discreet web poisoning by randomizing parameters during tests to avoid detection and minimize the impact on the site's traffic.

Features

  • Path Delimiter Testing (PD): Identifies discrepancies in how delimiters are interpreted by the origin server and the cache.
  • Origin Server Normalization (OSN): Tests for vulnerabilities where the origin server normalizes URL paths differently than the cache.
  • Cache Server Normalization (CSN): Exploits discrepancies in how the cache server normalizes URL paths compared to the origin server.
  • File Name Cache Rules (FNCR): Tests for vulnerabilities related to how common files (e.g., robots.txt, index.html) are cached.
  • Static Resource Detection: Automatically detects static resource directories and uses them to craft test URLs.
  • Multi-threaded Testing: Utilizes multiple threads to speed up the testing process.
  • Verbose Output: Provides detailed information about each test, including response headers and cache behavior.

Installation

  1. Clone the repository to your local machine:

    git clone https://github.com/g4nkd/CacheDecepHound.git

  2. Navigate to the project directory:

    cd CacheDecepHound

  3. Install the required dependencies:

    pip install -r requirements.txt

Options

  • -H, --header: Add a custom header to the requests (e.g., Authorization: Bearer token).
  • -w, --wordlist: Path to a custom wordlist of delimiters.
  • -e, --extensions: Comma-separated list of file extensions to test (default: .js,.css,.png).
  • -T, --technique: Specify the technique to use (pd, osn, csn, fncr).
  • -r: Recursion depth for OSN/CSN testing (default: 1).
  • -v, --verbose: Enable verbose output.
  • -t, --threads: Number of threads to use (default: 10).
  • -p, --proxy: Use a proxy for requests (e.g., http://127.0.0.1:8080).

Example Commands

  1. Basic Test with Default Settings:

    python cdhound.py https://example.com/profile -H "Cookie: XXX"

  2. Test with Custom Delimiters and Extensions:

    python cdhound.py https://example.com/my-account -H "Cookie: XXX" -w delimiters.txt -e .js,.css,.html

  3. Test with Specific Technique (OSN):

    python cdhound.py https://example.com/profile -H "Cookie: XXX" -T osn -r 2

  4. Test with Proxy and Verbose Output:

    python cdhound.py https://example.com/account -H "Cookie: XXX" -p http://127.0.0.1:8080 -v

Techniques Explained

Path Delimiter Testing (pd)

This technique tests for discrepancies in how delimiters (e.g., ;, ,, #) are interpreted by the origin server and the cache. If the origin server treats a character as a delimiter but the cache does not, it may be possible to craft a URL that is interpreted differently by each, leading to cache deception.

Origin Server Normalization (OSN)

OSN exploits discrepancies in how the origin server normalizes URL paths compared to the cache. For example, if the origin server resolves path traversal sequences (e.g., /static/..%2fprofile) but the cache does not, an attacker can craft a URL that returns sensitive information from the origin server, which is then cached and served to other users.

Cache Server Normalization (CSN)

CSN is the inverse of OSN. It exploits cases where the cache normalizes URL paths but the origin server does not. By crafting a URL that the cache interprets differently than the origin server, an attacker can cause the cache to store and serve sensitive information.

File Name Cache Rules (FNCR)

This technique targets cache rules that are based on specific file names (e.g., robots.txt, index.html). By appending these file names to dynamic URLs, an attacker can cause the cache to store and serve dynamic content as if it were a static file.

Labs

You can test my tool in this lab:

For more information on web cache poisoning and deception, refer to the PortSwigger Web Security Academy and Gotta Cache ‘em all bending the rules of web cache exploitation.

Related Skills

node-connect

347.2k

Diagnose OpenClaw node connection and pairing failures for Android, iOS, and macOS companion apps

frontend-design

108.0k

Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.

openai-whisper-api

347.2k

Transcribe audio via OpenAI Audio Transcriptions API (Whisper).

qqbot-media

347.2k

QQBot 富媒体收发能力。使用 <qqmedia> 标签,系统根据文件扩展名自动识别类型(图片/语音/视频/文件)。

g4nkd

View profile

View on GitHub
GitHub Stars35
CategoryDevelopment
Updated1mo ago
Forks4
g4nkd/CacheDecepHound

Languages

Python

Security Score

75/100

Audited on Feb 11, 2026

No findings