web-cache-vulnerability-scanner
web-cache-vulnerability-scanner (wcvs) is a CLI tool for testing web cache poisoning and web cache deception vulnerabilities. It probes HTTP headers, query parameters, and cache keys to identify misconfigured caches that can be abused to poison responses served to other users.
Description
wcvs automates the detection of web cache vulnerabilities by sending crafted HTTP requests with injected headers and parameters that should not be part of the cache key. If a poisoned response is cached and served to subsequent requests, the cache is considered vulnerable. It supports testing for both cache poisoning (attacker injects malicious content into cached responses) and cache deception (sensitive responses are incorrectly cached). The tool integrates with Burp Suite and supports custom header injection wordlists.
How It Works
wcvs sends a baseline request to establish a cache hit fingerprint, then injects candidate headers and query parameters one at a time. If an injected value appears in the response and the subsequent cache-hit request also reflects it, the parameter or header is flagged as a cache oracle. The tool then confirms exploitability by checking whether the poisoned entry is served to a clean request. Results are categorised by severity and technique.
Installation
sudo apt install -y web-cache-vulnerability-scannerFlags
Examples
wcvs -u https://target.comwcvs -u https://target.com -a deceptionwcvs -u https://target.com -H /usr/share/wcvs/headers.txtwcvs -u https://target.com --proxy http://127.0.0.1:8080wcvs -u https://target.com -o results.json