# Feature Request: Web Cache Deception & Poisoning Scanner
## Overview
As more applications rely on heavy caching layers (Cloudflare, Fastly, Akamai), misconfigurations between the origin server and the cache server lead to severe vulnerabilities:
1. **Web Cache Deception (WCD)**: Tricking the cache into storing authenticated data (like `/profile`) on a static extension (like `/profile/app.js`), allowing attackers to steal session data.
2. **Web Cache Poisoning (WCP)**: Injecting unkeyed HTTP headers (like `X-Forwarded-Host`) that get cached and served to innocent users.
## Implementation Requirements
1. **New Module**: Create `src/cache_security.rs`.
2. **Cache Deception Probing**:
- Identify an authenticated or sensitive endpoint (e.g., `/api/user`).
- Append static extensions (e.g., `/api/user/test.css`, `/api/user%3f.jpg`).
- Analyze the `X-Cache` or `Cf-Cache-Status` headers to see if the response was cached (e.g., `HIT`).
3. **Cache Poisoning Probing**:
- Send requests with common unkeyed headers (e.g., `X-Forwarded-Host: poison.com`, `X-Original-URL: /poison`).
- Check if the response reflects `poison.com`.
- Send the request again without the header and see if the poisoned response is served from the cache.
## Why is this Pro-Level?
Cache vulnerabilities are complex and highly dependent on the target's infrastructure. Automating the discovery of WCD and WCP is a feature usually reserved for enterprise Dynamic Application Security Testing (DAST) tools like Burp Suite Pro.