Bypassing SameSite Lax via Top‑Level Redirect: Web Cache Deception Attack Worth $2,000

Security researcher tinopreter discovered a high‑severity web cache deception vulnerability on a self‑registration booking platform, where cached home pages leaked JWTs and, by exploiting SameSite Lax defaults with a top‑level navigation redirect, allowed account hijacking and earned a $2,000 bounty.

Black & White Path

1. Vulnerability Background

The target is a self‑registration booking platform running on cloud infrastructure. After login the application stores the session JWT in a cookie and also injects the token directly into the home page’s JavaScript.

Figure: Vulnerability diagram

2. Cache Mechanism and Core Concepts

2.1 What is Caching

In modern cloud architectures a reverse proxy, CDN or load balancer sits between the client and the application server. The proxy copies the original response and stores it; subsequent identical requests are served from the copy.

Cache status is indicated by the X-Cache response header, which can be MISS (fresh response from origin) or HIT (served from cache).

Figure: Cache indicator

Most applications cache the home page because its static content is identical for all visitors. Private user‑specific pages should never be cached.

2.2 Web Cache Deception (WCD)

WCD occurs when a page that contains private data is mistakenly cached. An attacker who later requests the same URL receives the cached page containing another user’s sensitive information.

2.3 Web Cache Poisoning (WCP)

WCP differs: the attacker first finds a cached page and injects malicious content (e.g., via XSS) so that future users receive the poisoned version.

3. Discovery Process

After authenticating, the researcher was redirected to the home page. The initial response header contained X-Cache: MISS and no Cache-Control: private, indicating the page was eligible for caching.

Repeating the request with a tool showed X-Cache: HIT, confirming the page had been cached.

Inspecting the cached HTML revealed that the authenticated user’s JWT was embedded in a <script> block, meaning the token would be stored in the shared cache.

Figure: JWT in home page
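The discovery step above comes down to two checks on each response: does anything in Cache-Control keep it out of a shared cache, and does the body carry a JWT? The following script is an added example (not the researcher's tooling) that performs both checks offline on constructed HTTP responses; the header names and JWT placeholder are assumptions, and the three sample responses are built inline to mirror the MISS, HIT and fixed cases.

```python
import re

# A JWT is three base64url segments separated by dots; "eyJ" is base64 for '{"',
# so this is how a leaked token looks inside cached HTML or JavaScript.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body text).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("utf-8", "replace")


def cache_control_directives(headers):
    """Return the set of Cache-Control directive names, e.g. {'private', 'no-store'}."""
    directives = set()
    for value in headers.get("cache-control", []):
        for directive in value.split(","):
            directives.add(directive.strip().split("=")[0].lower())
    return directives


def assess_response(raw: bytes):
    """Report whether a response may sit in a shared cache while carrying a JWT."""
    status, headers, body = parse_http_response(raw)
    directives = cache_control_directives(headers)
    # 'private' keeps a response out of shared caches; 'no-store' keeps it out of every cache.
    shared_cache_allowed = not (directives & {"private", "no-store"})
    x_cache = headers.get("x-cache", ["(absent)"])[0].upper()
    tokens = JWT_RE.findall(body)
    findings = []
    if tokens and shared_cache_allowed:
        findings.append("JWT embedded in a response that a shared cache is allowed to store")
    if tokens and x_cache.startswith("HIT"):
        findings.append("JWT returned from cache: the token is already exposed to other clients")
    return {
        "status": status,
        "x_cache": x_cache,
        "cache_control": sorted(directives),
        "jwt_count": len(tokens),
        "shared_cache_allowed": shared_cache_allowed,
        "findings": findings,
    }


# Constructed sample responses (not captures from the report). The token is a
# placeholder with the JWT shape, not a real credential.
FAKE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"


def build_response(status_line, header_lines, body):
    parts = [status_line.encode()] + [h.encode() for h in header_lines] + [b"", body.encode()]
    return b"\r\n".join(parts)


# 1) The situation in the report: first fetch misses the cache, nothing marks the
#    page private, and the home page script carries the session token.
VULNERABLE_MISS = build_response(
    "HTTP/1.1 200 OK",
    ["Content-Type: text/html; charset=utf-8", "X-Cache: MISS", "Set-Cookie: session=%s; Path=/" % FAKE_JWT],
    "<html><script>const token = '%s';</script><body>Welcome back</body></html>" % FAKE_JWT,
)
# 2) The same page on a repeat request: served from cache, token and all.
VULNERABLE_HIT = build_response(
    "HTTP/1.1 200 OK",
    ["Content-Type: text/html; charset=utf-8", "X-Cache: HIT", "Age: 12"],
    "<html><script>const token = '%s';</script><body>Welcome back</body></html>" % FAKE_JWT,
)
# 3) A fixed response: the token stays in the cookie and the page is uncacheable.
HARDENED = build_response(
    "HTTP/1.1 200 OK",
    ["Content-Type: text/html; charset=utf-8", "Cache-Control: private, no-store", "X-Cache: MISS"],
    "<html><body>Welcome back</body></html>",
)

if __name__ == "__main__":
    for label, raw in [("vulnerable MISS", VULNERABLE_MISS), ("vulnerable HIT", VULNERABLE_HIT), ("hardened", HARDENED)]:
        print(label, assess_response(raw))
```

Run it against a real capture by feeding the raw response bytes to assess_response; a non-empty findings list on any authenticated page is the signal to treat the cache policy, not just the page, as the defect.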

4. Exploitation

4.1 Cache Overwrite Attack

Because the home page is cached together with the JWT, an attacker can force a victim to request a URL that carries a random cache‑buster parameter (e.g., ?cb=123). The proxy keys its cache on the full URL, so it treats this as an unseen request, fetches the victim’s personalised response from origin and stores it; the attacker then requests the same URL and receives the cached copy containing the victim’s JWT.

https://target.com/?cacheBuster=1

4.2 SameSite Cookie Barrier

Attempting to deliver the malicious link via an <img> tag failed because browsers apply the default SameSite=Lax policy, which prevents cookies from being sent with cross‑site sub‑resource requests.

4.3 Bypassing SameSite with Top‑Level Navigation

Top‑level navigation (a full‑page load via a link or redirect) is exempt from the SameSite=Lax restriction: Lax still attaches cookies to cross‑site navigations that use a safe method such as GET. The researcher used two methods to trigger it:

Meta‑refresh redirect: an HTML page containing

<meta http-equiv="refresh" content="0; url=https://www.target.com/?cacheBuster=1">

automatically redirects the browser.

User‑initiated link: a normal <a href="…"> element as a fallback.

<!DOCTYPE html>
<html>
<head>
  <title>WCD PoC</title>
  <meta http-equiv="refresh" content="0; url=https://www.target.com/?cacheBuster=1">
</head>
<body>
  <h3>Redirecting for PoC verification…</h3>
  <p>If the automatic redirect fails, <a href="https://www.target.com/?cacheBuster=1">click here</a>.</p>
</body>
</html>

When the victim’s browser performed the top‑level redirect, the cookie was attached, the response was cached, and the attacker could retrieve the cached JWT by requesting the same URL.

Figure: Top‑level navigation success
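To make the cookie behaviour in sections 4.2 and 4.3 explicit, here is an added example (not part of the original write‑up) that models when a browser attaches a cookie for each SameSite value. It treats an unspecified attribute as Lax, as Chromium does by default, and the scenario names are constructed to match the <img> attempt, the meta‑refresh redirect and the link fallback above.

```python
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_sent(same_site: str, cross_site: bool, top_level: bool, method: str = "GET") -> bool:
    """Model of when a browser attaches a cookie, by SameSite attribute.

    cross_site: the initiator site differs from the cookie's site.
    top_level:  the request is a navigation (address bar, link, meta refresh,
                Location redirect), not a sub-resource fetch (img, script, fetch, iframe).
    """
    mode = same_site.lower()
    if not cross_site:
        return True                                   # same-site requests always carry the cookie
    if mode == "strict":
        return False                                  # never on cross-site requests
    if mode == "lax":
        # Lax: cross-site only on top-level navigations with a safe method
        return top_level and method.upper() in SAFE_METHODS
    if mode == "none":
        return True                                   # needs the Secure attribute in practice
    raise ValueError(f"unknown SameSite value: {same_site}")


# Constructed scenarios (name, SameSite, cross-site?, top-level?, method).
SCENARIOS = [
    ("<img src> on attacker page, Lax", "Lax", True, False, "GET"),
    ("<meta http-equiv=refresh> redirect, Lax", "Lax", True, True, "GET"),
    ("user clicks <a href>, Lax", "Lax", True, True, "GET"),
    ("cross-site <form method=POST>, Lax", "Lax", True, True, "POST"),
    ("<meta http-equiv=refresh> redirect, Strict", "Strict", True, True, "GET"),
    ("<img src> on attacker page, None", "None", True, False, "GET"),
]


def evaluate_scenarios():
    """Return {scenario name: cookie attached?} for every constructed scenario."""
    return {name: cookie_sent(mode, cross, top, method) for name, mode, cross, top, method in SCENARIOS}


if __name__ == "__main__":
    for name, sent in evaluate_scenarios().items():
        print(f"{'SENT    ' if sent else 'withheld'}  {name}")
```

The model shows why the <img> delivery failed and the meta‑refresh succeeded under the same Lax default, and that only Strict would have withheld the cookie on the redirect; it does not model Chromium's "Lax + POST" allowance for cookies set without an explicit attribute in the last two minutes. Strict is not the fix here anyway, since any signed‑in user following a link would still hit the cached page; the defect is the cache policy.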

5. Impact and Bounty

The vulnerability allows an attacker to steal any user’s JWT and impersonate the account. It was rated HIGH severity, and the researcher received a $2,000 bounty.

March 4 – report submitted

March 11 – report acknowledged

March 13 – additional details provided

March 19 – classification and $2,000 payout

May 7 – fix deployed (additional $50 retest reward)

May 8 – issue closed

6. Takeaways

SameSite=Lax protects against ordinary cross‑site requests but not against top‑level navigation.

Caching the home page is fine; embedding private data such as JWTs in a publicly cached response creates a severe leak.

Combining two seemingly harmless configurations—public caching of the home page and the default SameSite setting—forms a complete account‑hijack chain.

Defenders should assess attack chains rather than isolated flaws and consider both cache policies and cookie attributes when handling authentication tokens.
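The cache‑policy half of that advice can be enforced at the application edge rather than per page. The following is an added example (not the platform's code) of a WSGI middleware that marks any response produced for a credentialed request, or that sets a cookie, as private and no‑store, so a personalised home page can never enter a shared cache; the toy home_app and the environ keys it inspects are assumptions.

```python
from wsgiref.util import setup_testing_defaults


def no_store_for_sessions(app):
    """WSGI middleware: responses tied to a session never reach a shared cache."""
    def wrapped(environ, start_response):
        credentialed = "HTTP_COOKIE" in environ or "HTTP_AUTHORIZATION" in environ

        def guarded_start_response(status, headers, exc_info=None):
            sets_cookie = any(name.lower() == "set-cookie" for name, _ in headers)
            if credentialed or sets_cookie:
                # Discard whatever the origin chose and force the safe directives.
                headers = [(n, v) for n, v in headers if n.lower() != "cache-control"]
                headers.append(("Cache-Control", "private, no-store"))
            if not any(name.lower() == "vary" for name, _ in headers):
                # Tell caches that anonymous and logged-in variants differ.
                headers.append(("Vary", "Cookie"))
            return start_response(status, headers, exc_info)

        return app(environ, guarded_start_response)
    return wrapped


def home_app(environ, start_response):
    """Constructed toy origin: a home page that hands the same public cache policy
    to everyone, which is the configuration the report describes."""
    logged_in = "session=" in environ.get("HTTP_COOKIE", "")
    body = b"<html><body>Welcome back</body></html>" if logged_in else b"<html><body>Please log in</body></html>"
    headers = [("Content-Type", "text/html; charset=utf-8"), ("Cache-Control", "public, max-age=60")]
    start_response("200 OK", headers)
    return [body]


def call(app, path="/", cookie=None):
    """Drive a WSGI app in-process; return (status, header dict, body) for inspection."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    setup_testing_defaults(environ)  # fills in the remaining required WSGI keys
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {n.lower(): v for n, v in headers}

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    protected = no_store_for_sessions(home_app)
    print("anonymous :", call(protected)[1])
    print("logged in :", call(protected, cookie="session=placeholder-token")[1])
```

Anonymous visitors still get the cacheable public page, while any request carrying a cookie is served with private, no‑store. In production, scope the trigger to the session cookie name rather than any Cookie header so that analytics cookies do not defeat caching, and keep the token itself out of the HTML regardless of what the cache does.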

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: JWT, Security Research, Cache Bypass, SameSite Lax, Web Cache Deception

Written by Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
