History

Stefan Etringer 4427517c17 bump		2022-05-31 21:08:28 +02:00
..
Intruders	bump	2022-05-31 21:08:28 +02:00
README.md	bump	2022-05-31 21:08:28 +02:00

README.md

Web Cache Deception Attack

Tools

Param Miner - PortSwigger

This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.

Exploit

Browser requests http://www.example.com/home.php/non-existent.css.
Server returns the content of http://www.example.com/home.php, most probably with HTTP caching headers that instruct to not cache this page.
The response goes through the proxy.
The proxy identifies that the file has a css extension.
Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.

Methodology of the attack - example

Normal browsing, visit home : https://www.example.com/myaccount/home/
Open the malicious link : https://www.example.com/myaccount/home/malicious.css
The page is displayed as /home and the cache is saving the page
Open a private tab with the previous URL : https://www.paypal.com/myaccount/home/malicous.css
The content of the cache is displayed

Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page

Methodology 2

Find an unkeyed input for a Cache Poisoning

Values: User-Agent
Values: Cookie
Header: X-Forwarded-Host
Header: X-Host
Header: X-Forwarded-Server
Header: X-Forwarded-Scheme (header; also in combination with X-Forwarded-Host)
Header: X-Original-URL (Symfony)
Header: X-Rewrite-URL (Symfony)

Cache poisoning attack - Example for X-Forwarded-Host unkeyed input (remember to use a buster to only cache this webpage instead of the main page of the website)

GET /test?buster=123 HTTP/1.1
Host: target.com
X-Forwarded-Host: test"><script>alert(1)</script>

HTTP/1.1 200 OK
Cache-Control: public, no-cache
[..]
<meta property="og:image" content="https://test"><script>alert(1)</script>">