Client-Side Cache Manipulation (CSCM) refers to a type of security vulnerability where an attacker can manipulate or tamper with the client-side cache mechanisms, such as browser cache or local storage, to gain unauthorized access or privileges within a web application. This vulnerability arises when a web application relies on client-side storage to store critical information or session data that should ideally be managed and validated on the server-side.
I found this vulnerability on one of the private programs on the HackerOne platform. There was an option to create a poll, so I created a poll with four different options. A user can only vote once in the poll. I voted for option A, and then all the other options were disabled. So I cleared my browser's cache and visited the poll I had created again: it showed that I had already voted, but the other options were enabled, so I was able to vote again. This time I selected option B, the vote was successful, and I repeated this process for all the voting options. The surprising part is that if you vote for option A, clear your browser's cache and then vote for option B, the previously voted option A still remains, which means you can vote for multiple options by clearing your browser's cache every time.
Anatomy of Client-Side Cache Manipulation
In the voting vulnerability scenario, the website allows users to vote in a poll and uses client-side storage to track users' votes. When I voted for option A, the website stored this information in the browser's cache or local storage.
- Use of Client-Side Storage: Web applications often use client-side storage mechanisms for various purposes, such as storing user preferences, session tokens or other application-specific data. Common client-side storage mechanisms include cookies, local storage and session storage.
- Lack of Server-Side Validation: The vulnerability arises when the web application does not perform sufficient server-side validation and relies primarily on data stored in client-side storage. In the case of the voting vulnerability, the server did not adequately verify whether a user has already voted.
Vulnerability Example Scenario:
In the voting vulnerability scenario, after I voted for option A, the website stored this information in the browser’s local storage.
When I cleared the browser cache, the client-side storage data was reset, but the server-side data still kept the information that I had voted for option A. Because the browser's cache was cleared, I was able to vote again for a different option while my first choice (option A) remained intact.
As soon as I voted for option B, the browser stored the information for option B again.
This way I could repeat the cycle for all the options and manipulate the vote, because no server-side validation was done.
How I found this vulnerability?
1. I created a poll with 4 different options
2. Then I voted for option B (VOTE 2) and checked the result
3. I cleared the browser's cache, voted for option A (VOTE 1), again cleared the browser's cache and voted for option D (VOTE 4)
Why this happened?
In my opinion,
It happened because the web application was solely relying on client-side storage for application logic and data, especially in situations where the integrity of user actions like voting needs to be maintained.
It allows users to manipulate the system to cast multiple votes, potentially manipulate poll results or abuse the system's functionality. In situations where the website's functionality relies on accurate voting data, this could undermine the integrity of the system.
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Score: 5.3 Medium
There are two mitigations that should be applied to prevent this kind of vulnerability:
1. Server-Side Validation
Server-Side Tracking: Maintain all critical data and state information on the server side. For example, in the voting vulnerability scenario, track on the server which users have voted for which options, and reject a second vote from a user who is already recorded there, regardless of what the client claims.
2. Use of Tokens
Unique Tokens: When users vote or perform other actions, generate unique tokens or identifiers on the server and associate them with the user's actions. This prevents clients from manipulating data directly.
The website should also do server-side validation and not rely solely on client-side storage.
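To make both the bug and the fix concrete, here is an added example that is not part of the original write-up or the affected program's code. It models the poll as two small server variants and a simulated browser whose local storage can be wiped: the vulnerable server trusts the client's "already voted" flag, so the clear-cache-and-vote-again sequence from the report succeeds for every option; the hardened server keeps its own ledger of who voted and a server-issued single-use vote token, so only the first vote counts. The user id "alice", the option names and the token format are assumptions made for the example.

```python
"""Added example: client-side vote state versus server-side vote tracking."""
import secrets

OPTIONS = ("A", "B", "C", "D")  # constructed poll options
USER = "alice"                  # assumed authenticated user id


class VulnerablePollServer:
    """Trusts the client's claim about whether it has already voted."""

    def __init__(self):
        self.tally = {o: 0 for o in OPTIONS}

    def vote(self, user_id, option, client_says_voted):
        # The only check is a flag the client controls (and can wipe).
        if client_says_voted or option not in OPTIONS:
            return False
        self.tally[option] += 1
        return True


class HardenedPollServer:
    """Keeps the vote ledger and a single-use vote token on the server."""

    def __init__(self):
        self.tally = {o: 0 for o in OPTIONS}
        self.votes = {}   # user_id -> option chosen (server-side ledger)
        self.tokens = {}  # user_id -> outstanding single-use vote token

    def issue_token(self, user_id):
        # No token for a user who is already recorded as having voted.
        if user_id in self.votes:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[user_id] = token
        return token

    def vote(self, user_id, option, token):
        if option not in OPTIONS or user_id in self.votes:
            return False
        expected = self.tokens.get(user_id)
        if expected is None or token is None:
            return False
        # Constant-time comparison so token guessing cannot use timing.
        if not secrets.compare_digest(expected, token):
            return False
        del self.tokens[user_id]      # token is single-use
        self.votes[user_id] = option  # ledger, independent of the client
        self.tally[option] += 1
        return True


class BrowserClient:
    """Simulated browser: local storage the user can clear at any time."""

    def __init__(self):
        self.local_storage = {}

    def clear_cache(self):
        self.local_storage.clear()


def simulate_vulnerable():
    """Replays the report against the vulnerable server: vote, clear, repeat."""
    server, client, accepted = VulnerablePollServer(), BrowserClient(), []
    for option in OPTIONS:
        ok = server.vote(USER, option, client.local_storage.get("voted", False))
        if ok:
            client.local_storage["voted"] = True  # the state the bug relies on
        accepted.append(ok)
        client.clear_cache()  # the step from the write-up
    return accepted, server.tally


def simulate_hardened():
    """Same sequence against the hardened server: only the first vote counts."""
    server, client, accepted = HardenedPollServer(), BrowserClient(), []
    for option in OPTIONS:
        token = client.local_storage.get("vote_token")
        if token is None:
            token = server.issue_token(USER)  # None once alice is in the ledger
            client.local_storage["vote_token"] = token
        accepted.append(server.vote(USER, option, token))
        client.clear_cache()
    return accepted, server.tally


if __name__ == "__main__":
    print("vulnerable:", simulate_vulnerable())
    print("hardened:  ", simulate_hardened())
```

Running the module prints the two outcomes side by side: the vulnerable server ends with one vote in every option, the hardened one with a single vote for A and three rejections. The ledger alone already closes the hole; the token adds a second check that each vote request was preceded by a server-issued grant, which also stops replayed or hand-crafted vote requests.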