## Before (Make sure to make things secure)
- Add cache buster
- test headers (Param Miner)

- Get /my-account
- Get /my-account/abc ---> 404? origin server doesn't abstract path to /my-account
- Get /my-accountabc  ---> 404? no evidence of caching.
- Get /my-account§§abc (Intruder) Delimiter discrepancies (find path delimiter)

---------------------------------------------------------------------------------
## Path Caching
- Get /<arbitrary directory>/..%2fmy-account ---> See how it resolve 200 | 400
- Try encoding or not the Delimiter discrepancies
- Find a ressource that work with caching (Images, ressources, ...)

---------------------------------------------------------------------------------
## If the cache server resolves encoded dot-segments but the origin server doesn't, you can exploit this by crafting a payload like this:
- Get /<dynamic-path>%2f%2e%2e%2f<static-directory-prefix> (encoding ..)
- ex: /profile%2f%2e%2e%2fstatic
	- The cache interprets the path as: /static
	- The origin server interprets the path as: /profile%2f%2e%2e%2fstatic

- ex: /profile;%2f%2e%2e%2fstatic
	- The cache interprets the path as: /static
	- The origin server interprets the path as: /profile

- Use delimiter & cached path /my-account?%2f%2e%2e%2fresources

- Use certain files (robots.txt, index.html, and favicon.ico)
- /profile%2f%2e%2e%2findex.html

---------------------------------------------------------------------------------
## Other Technique

X-Forwarded-Host: domain.com ---> See if it will load ressource with this domain
2x host                      ---> Add two host and see if the ressource '''

# Header
- X-Cache: hit        ---> The response was served from the cache.
- X-Cache: miss       ---> The cache did not contain response for request's key.
- X-Cache: dynamic    ---> The origin server dynamically generated the content.
- X-Cache: refresh    ---> The cached content is outdated and needed refreshed.

- Cache-Control       ---> directive that indicates caching (public, max-age, ...)
  
# Mapping
- URL mapping         ---> http://example.com/path/in/filesystem/resource.html
- REST-style          ---> http://example.com/path/resource/param1/param2 

# Delimiter discrepancies

Combine encoding techniques with path traversal to expand the testing scope.

- ?                   ---> /profile?foo
- ;                   ---> /profile;foo.css
- .                   ---> /profile.css
- ;
- :
- #                   ---> /profile#abc.js & /profile%23wcd.css (Encoded)
- [ or ]
- @
- !
- $
- &
- "
- ( or )
- *
- +
- =
- %00                 ---> /profile%00foo.js

/myaccount%3fwcd.css  ---> CDN cach, server decodes & no cache due to mismatch (?)
%00, %0A and %09

# Static file extension rules
- .css
- .js
- .pdf
- .ico
- .jpeg
- .jpg
- .gif
- .csv
- .xsl
- .exe
- .bin
- ...

# Static directory rules
- /static
- /assets
- /scripts
- /images
- /resources

# File name rules
- robots.txt
- favicon.ico

# Difference in response (check fdor the same response)
- /my-account  ---> /my-account/abc  ---> /my-account/abc.js
- /my-account  ---> /my-account;abc  ---> /my-account;abc.js

# Detecting normalization
- Send a request to a non-cacheable resource with a path traversal
    - Ex: /profile ---> /aaa/..%2fprofile
- If the response matches the base response and returns the profile information, this indicates that the path has been interpreted as /profile
- If the response doesn't match the base response, for example returning a 404 error message, this indicates that the path has been interpreted as /aaa/..%2fprofile

# Exploiting normalization
- /<static-directory-prefix>/..%2f<dynamic-path>
- /assets/..%2fprofile
	- CDN      ---> /assets/..%2fprofile
	- Server   ---> /profile