Python implementation of the Web Cache Deception detection methodology presented in the paper "Web Cache Deception Escalates!" published at USENIX Security '22: Web Cache Deception Escalates!.
Detect WCD vulnerabilities in websites in a black-box manner.
usage: wcde.py -t example.comFor more information about the options, please see the help page.
usage: launcher.py -s sites.txtFor more information about the options, please see the help page.
Requires an account to be manually created on the website so that the attack URL is requested with valid authentication cookies, simulating a logged-in victim clicking on the malicious link.
The JSON cookies file contains a list of cookies and can be generated using the browser extension Cookie-Editor for Firefox or Chrome.
usage: wcde.py -t example.com -c example.com-cookies.jsonThe --path-confusion option allows adding more path confusion techniques from a JSON file structured as follows:
{
"EXAMPLE_ONE": "%2E%2E",
"EXAMPLE_TWO": "%2E%2E%3F%2E%2E"
}The --extensions option allows adding more file extensions separated by commas.
usage: wcde.py -t example.com --extensions ".pdf, .png, .jpg, .js, .css"pip install -r requirements.txtDE testing a vulnerable target with authentication.
- The code is provided as-is and is not guaranteed to detect all WCD vulnerabilities.
- If the script does not find any vulnerabilities, it does not necessarily mean that the website is not vulnerable.
- You should use this script only against websites that you own or control, or for which you have permission to perform security analysis.