Release notes from Web-Cache-Vulnerability-Scanner

2.0.0 - Architectural, Detection and Reliability Improvements

2025-08-24T14:13:35Z

This release represents a major milestone with significant architectural improvements, enhanced detection capabilities, and better overall performance and reliability.

🚀 Major Performance Improvements

HTTP Client Rewrite

Complete rewrite: Replaced net/http with fasthttp for significantly improved performance and the possibility to create RFC-violating requests which may lead to web cache poisoning.
Improved URL handling: Better parsing and processing of URLs throughout the application

🔍 Enhanced Detection Capabilities

New Cache Indicators

Added support for multiple cache indicator headers:
- eo-cache-status indicator
- Netlify cache status indicator
- x-kinsta-cache and x-ac indicators
Enhanced detection of cache behavior through multiple indicators being returned simultaneously

Improved Parameter Analysis

Parameter encoding technique: New method for detecting cache poisoning vulnerabilities
Enhanced parameter detection: Better identification of impactful or unkeyed parameters
Status code analysis: Different status codes now used as indicators for impactful parameters
UTM parameter expansion: Added gad_campaignid to UTM parameters list

🛡️ New Attack Techniques

Denial of Service (DoS) Enhancements

New DoS techniques: Multiple new methods for testing cache-based DoS vulnerabilities
NextJS-specific techniques: Targeted DoS methods for NextJS applications
Enhanced DoS headers: Added more DoS headers with metacharacters
Simplified HHO DoS: Streamlined Host Header Override DoS testing

Advanced Poisoning Methods

Host header poisoning: Support for setting multiple host headers
Parameter poisoning improvements: Enhanced existing parameter poisoning detection
X-Original-URL redirect test: New redirect-based testing method
Non-RFC-compliant headers: Support for testing with headers that don't follow RFC standards

📊 Reporting and Analysis Improvements

Enhanced Reporting

Improved report structure: Better organization and verbosity in reports
Reflection context: Show reflections with proper context in reports
Comprehensive reflection reporting: Report all reflections with counts for body and header names
Better file naming: Improved file naming scheme for generated reports

Cache Analysis Enhancements

Aligned cache analysis: Consistent analyzation methods for both deception and poisoning
Improved cache validation: Better detection of cache behavior
CSS poisoning optimization: Only check 200 responses for CSS poisoning (false positive mitigation)

🕷️ Crawler Improvements

Reliability and Performance

Enhanced crawler stability: Fixed multiple null pointer exceptions and index out of range errors
Improved link processing: Better handling of crawled links, especially those beginning with //
CSS URL handling: Fixed processing of CSS URLs containing cache busters
Data URL filtering: Prevent crawling of data: URLs
Relative URL fixes: Better handling of relative URL paths

Crawling Optimizations

Cache buster handling: Fixed issues with cache busters being incorrectly appended
Response filtering: Only process relevant responses for deception testing

🔧 Configuration and Usability

New Configuration Options

Reason type selection: New flag to choose specific reason types for testing
Multiple host headers: Support for configuring multiple host headers
Logging control: Default to not generate logs (can be overridden)
Limiter for deception: Added rate limiting for deception testing

User Experience Improvements

Better error handling: Print banner even when fatal errors occur during flag parsing
Improved reason formatting: Better formatting of reasons starting with reason type
Enhanced print output: Improved formatting for response splitting false positives and reflections

🐛 Bug Fixes and Stability

Critical Fixes

Response splitting false positives: Improved detection to reduce false positives
Parameter value overwrites: Fixed potential false positives when parameter values are overwritten
HTTP detection: Fixed false positives when headers contain http(s)
Index bounds: Multiple fixes for index out of range errors
Null pointer exceptions: Resolved various null pointer issues in crawler

Minor Improvements

Dependency updates: Upgraded project dependencies
Code cleanup: Various minor improvements and optimizations
Typo corrections: Fixed multiple typos throughout the codebase

📈 Performance Optimizations

Deception efficiency: Improved cache deception reliability and efficiency
Response processing: Optimized response handling and analysis
Memory usage: Better memory management through fasthttp adoption
Processing speed: Significant performance improvements across all testing methods

1.4.3 - Header Poisoning Bug Fix

2025-06-16T05:25:51Z

A large update with many improvements and new techniques is coming soon. In the meantime, this release contains a bug fix.

Changelog

Bug Fix regarding Header Poisoning by @riramar
PR: #24

1.4.2 – Bug Fixes and Enhancements in Header/Parameter Testing

2025-05-14T11:23:34Z

Changelog

Improved parameter/header poisoning detection
Query parameters from URLs and values provided via flags are now properly tested.
Commit: f0e11e4
Fixed false positives from common poison values
Values like http or https no longer trigger incorrect results.
Commit: 2067c82
Fixed scanning of headers specified via flags
Header-based scans now respect user-specified input correctly.
Commit: bc341a7
Crawler now ignores non-HTTP links
href attributes beginning with tel: or ftp: are excluded from crawling.
Commit: 31df77d
Improved output formatting before flag parsing
Output is now cleaner and more informative before flags are parsed.
Commit: 0def2ad
Updated project dependencies
Brings in latest versions for external packages.
Commit: 538043a
Replaced custom method with slices.Contains
Simplified logic by using the standard library for value checks.
Commit: 63558e5

Version 1.4.0 - Improved and new techniques, hardcoded wordlists & much more

2025-04-17T16:02:32Z

Improved and new techniques

improved parameter scanning
improved parameter cloaking
improved fat get
added parameter pollution as new technique

Hardcoded wordlists

The wordlists used for parameters and headers are now hardcoded into wcvs. This means that from now on you only need to specify wordlists if you want to use other than the default ones

Improved Cachebuster Detection

The random cachebuster values now have a cb prefix, while the random poison values now have a p prefix
This makes it easier to tell if a value is a cachebuster or poison value. Especially when the cachebuster parameter is also vulnerable to e.g. parameter pollution.

Better poison and cachebuster values

The random cachebuster values have now a prepended cb, while the random poison values have now a prepended p
Thus, it's easier to differentiate if a value is a cachebuster or poison value. Especially if the cachebuster parameter is also vulnerable to e.g. parameter pollution.

Improved Output

Better formatting
Showing the correct cachebuster name

New Flags

skipwordlistcachbuster: skip using wordlists when trying to find a cachebuster
nolog: do not create a log file

Misc

upgraded dependencies
updated chrome useragent

Version 1.3.3 - Forcing checks now sets a default cachebuster

2024-12-25T09:46:04Z

changed default cb name to cbwcvs 3ba438c
forcing checks now forces parameter cbwcvs as cb 0b8faf9

Version 1.3.2 - Minor Web Cache Deception and Response Splitting Improvements

2024-12-25T09:12:19Z

Misc

Only add successful web cache deception requests to the report bc7698d
improve/fix the check whether the cache returns always a miss 3aa9823
improved responsesplitting feedback 1843b90

Version 1.3.1 - Fixed Deadlocks and Web Cache Deception Bug

2024-12-22T13:46:56Z

Bug Fixes

Fixed Dead Locks 14c0aa5
Fixed "Invalid URL escape" error when performing web cache deception chekcs 44d66d4

Misc

Ignore 400 and 404 Status Code when performing web cache deception checks 585f5bf
Updated deps 87bc2d5

Version 1.3.0 - Improved Cache Deception, Kali Linux & more

2024-11-06T13:15:00Z

Kali Linux

WCVS was finally added to Kali Linux' repository. Here are the install instructions.

Web Cache Deception Improvements

WCVS' web cache deception detections were improved by multiple new techniques. Further WCVS will also check for web cache deception if no cache indicator was spotted beforehand.

New Flag: -skiptimebased/--stime

This new flag will tell WCVS to not use measure time as a last resort to guess if a response was cached or not. The time measurements may indicate a cache even if there is none, eventually leading to unnecessary tests being performed.

Miscellaneous

All dependencies were updated.

Full Changelog: 1.2.1...1.3.0

Version 1.2.1 - IgnoreStatus flag

2024-03-20T08:17:24Z

New Feature

The --ignorestatus / -is flag was added. It can be used to prevent false positives if, for example, a WAF is changing the status code to 429 Too Many Requests.

Usage: ./wcvs -is 418,429 -u https://example.com

Changelog

added ignorestatus flag 54fb082 3c64fa0 08dbe83 161ed80
updated deps 57e96de

Version 1.2.0 - Web Cache Deception Detection

2024-02-09T14:00:35Z

Web Cache Deception

The WCVS now detects Web Cache Deception. It uses various techniques for this purpose:

Path Parameter
Path Traversal
Appended Newline, Null Byte, Semicolon, Pound, Question Mark or Ampersand

In summary, WCVS's procedure is as follows:
If the cache returns a HIT, it is tested for web cache poisoning. If the cache always returns a MISS, it is tested for web cache deception.

Changelog

Added Web Cache Deception Detection d773d4b 8a52b8b accdb13
Added support for more common cache headers (from GoogleCloud, RackCache, Akamai & more) c6789a6
Added Web Cache Deception & Bachelor's Thesis to the Readme 3c237c0 127125e