Vary Header
What is the Vary Header?
The Vary header in HTTP responses is crucial for caching mechanisms. It informs the cache which parts of the request headers it should consider when creating the cache key. Essentially, the Vary header tells the cache which variations in request headers should result in separate cached versions of the content.
For example, if a response varies based on the User-Agent or Accept-Language headers, the server will include these headers in the Vary header.
Example
In this example, the server returns the Vary header with the value User-Agent. This means the cache key includes the value of the User-Agent request header, so the cache keeps a separate copy of the page for each distinct User-Agent string (desktop, mobile, tablet) rather than one shared copy.

To trap a user, we could fuzz and cache the default User-Agents:
- Desktop - Chrome:
  Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
- Mobile - Safari:
  Mozilla/5.0 (iPhone; CPU iPhone OS 14_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1
- Mobile - Chrome:
  Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Mobile Safari/537.36
- Desktop - Firefox:
  Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:127.0) Gecko/20100101 Firefox/127.0
This method relies on guessing, because a cached entry is only served to requests whose User-Agent string matches the one it was stored under exactly. Other solutions, such as HTML injection, could be used to retrieve a user's User-Agent value.
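The cache-key behaviour described above, as an added example that is not from the original page: a toy cache that builds its key from the URL plus every request header named in Vary, so a response stored under one User-Agent string is never served to a request carrying a different one. All names here (cache_key, Cache, origin, fetch) are hypothetical, and the origin is a constructed stand-in that declares Vary: User-Agent.

```python
# Added example (not from the original page): a minimal origin + cache model
# showing how the Vary header shapes the cache key. All names are hypothetical.
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]


def cache_key(url: str, vary: str, request_headers: Headers) -> Tuple:
    """Key = URL plus (name, value) for each header listed in Vary.
    Header names are case-insensitive; a missing header keys as ''."""
    names = [n.strip().lower() for n in vary.split(",") if n.strip()]
    lowered = {k.lower(): v for k, v in request_headers.items()}
    return (url,) + tuple((n, lowered.get(n, "")) for n in names)


class Cache:
    def __init__(self) -> None:
        self.store: Dict[Tuple, str] = {}
        # Vary value seen per URL, so later lookups build the same key shape.
        self.vary_for_url: Dict[str, str] = {}

    def get(self, url: str, request_headers: Headers) -> Optional[str]:
        vary = self.vary_for_url.get(url)
        if vary is None:  # nothing cached for this URL yet
            return None
        return self.store.get(cache_key(url, vary, request_headers))

    def put(self, url: str, request_headers: Headers,
            response_headers: Headers, body: str) -> None:
        vary = response_headers.get("Vary", "")
        self.vary_for_url[url] = vary
        self.store[cache_key(url, vary, request_headers)] = body


def origin(request_headers: Headers) -> Tuple[Headers, str]:
    """Constructed origin: body depends on User-Agent, so it sends Vary: User-Agent."""
    ua = request_headers.get("User-Agent", "")
    layout = "mobile" if "Mobile" in ua else "desktop"
    return {"Vary": "User-Agent"}, f"<html><!-- {layout} layout --></html>"


def fetch(cache: Cache, url: str, request_headers: Headers) -> Tuple[str, str]:
    """Return (source, body): 'cache' on a hit, 'origin' on a miss (fills the cache)."""
    hit = cache.get(url, request_headers)
    if hit is not None:
        return "cache", hit
    resp_headers, body = origin(request_headers)
    cache.put(url, request_headers, resp_headers, body)
    return "origin", body
```

Because the User-Agent value is part of the key, only requests presenting that exact string reach an entry stored under it; every other string misses and is answered by the origin.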
