Cache poisoning

Introduction presentation about web cache poisoning attacks

Slide notes:
  • When it was discovered, by whom
  • Cache poisoning

    1. Cache Poisoning
       alexandra.lacatus@info.uaic.ro
       FCS Iasi, Software Security
    2. Overview
       • Intro
       • Web Cache poisoning
       • Related attacks
       • About HTTP Response Splitting
       • Attack scenario
       • Practical considerations
       Software Security, FCS Iasi, 2013-2014
    3. About Web Cache poisoning
       • Domain pioneered by Amit Klein, formerly Director of Security and Research at Sanctum, Inc.
       • Allows an attacker to place malicious content on a shared cache server (such as a proxy server).
       • All users of that cache will continue to receive the malicious content until the cache entry is purged.
    4. Related attacks & vulnerabilities
       • Web Cache poisoning is based on HTTP Response Splitting. The attacker must find a web resource vulnerable to HTTP Response Splitting and exploit that vulnerability.
       • Cross-User Defacement is also possible: placing malicious web content for a specific user and stealing sensitive information.
    5. HTTP Response Splitting
       • Forcing an originator of HTTP messages to emit 2 (or more) valid (RFC-compliant) messages instead of one.
       • The result of the application's failure to reject illegal user input (malicious/unexpected CR and LF characters, found especially in Location and Set-Cookie headers).
    6. Response Splitting Example [5]
       • JSP page (say http://www.the.site/welcome.jsp?lang=...):
         <% response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang")); %>
       • Normal request: http://www.the.site/welcome.jsp?lang=Romanian
       • Normal response:
         HTTP/1.0 302 Redirect
         Location: http://www.the.site/by_lang.jsp?lang=Romanian
         Connection: Keep-Alive
         Content-Length: 0
    7. Example – continued [5]
       • Attack request:
         http://www.the.site/welcome.jsp?lang=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>
       • Response (actually, 2 responses and some change):
         HTTP/1.0 302 Redirect                                 <- will be interpreted as Response #1
         Location: http://www.the.site/by_lang.jsp?lang=Foo
         Connection: Keep-Alive
         Content-Length: 0

         HTTP/1.0 200 OK                                       <- will be interpreted as Response #2 (injected by attacker)
         Content-Type: text/html
         Content-Length: 20

         <html>Gotcha</html>

         Connection: Keep-Alive                                <- superfluous data, does not conform to the HTTP standard
         Content-Length: 0
         …
    8. Cache Poisoning Attack
       Difficult to carry out in a real environment (many conditions and prerequisites).
       1) Find a web resource vulnerable to HTTP Response Splitting.
       2) Force the cache server to flush the actual cache content (Pragma: no-cache or Cache-Control).
       3) Send a specially crafted request, as in the previous example.
       4) Send the next request (the resource to be poisoned). The injected Response #2 (produced by the request in step 3) will be taken as the response to this request and will be stored by the shared web cache server.
    9. Attacker – Practical Aspects [4]
       • Maintain the poisoned resource: Last-Modified header with a future time value
       • Send the cache poisoning attack every x minutes?
       • Execute all requests immediately one after another
       • Take into account the URI length (GET / POST)
       • The attack scenario depends on the web server implementation (Microsoft ASP, Jakarta Tomcat, IBM WebSphere etc.): where does the second message start?
    10. Victims – Practical Aspects [4]
       Web application developers
       • VALIDATE INPUT!! Remove CRs and LFs before embedding data in HTTP response headers (Location and Set-Cookie especially)
       Web application engine vendors
       • Disallow CR and LF characters in all HTTP response headers (a requirement of RFC 2616)
       Proxy vendors
       • Avoid sharing a server TCP connection among different clients / virtual hosts
    11. Bibliography
       1) OWASP page for Web Cache Poisoning: https://www.owasp.org/index.php/Cache_Poisoning
       2) OWASP page for HTTP Response Splitting: https://www.owasp.org/index.php/HTTP_Response_Splitting
       3) OWASP Testing Guide v3 (section 4.8.15, Testing for HTTP Splitting/Smuggling, pages 278-281)
       4) Amit Klein, HTTP Response Splitting, Web Cache Poisoning Attacks a
       5) Amit Klein, HTTP Message Splitting, Smuggling and Other Animals, OWASP AppSec Europe, 2006
       6) China's Great Firewall spreads overseas: http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas
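The splitting on slides 6-7, the cache pairing in step 4 of slide 8 and the developer-side fix on slide 10 can all be seen in one small model. The following Python is an added example, not code from the slides or from Amit Klein's papers: `build_redirect_vulnerable` mirrors the JSP's unvalidated `sendRedirect`, `strip_crlf`/`build_redirect_hardened` apply slide 10's advice, `split_responses` parses a raw stream the way a lenient HTTP/1.0 proxy would (status line, headers, Content-Length bytes of body, then look for the next status line), and `cache_from_pipelined_connection` models a shared cache matching responses to outstanding requests in order. All function names, the constructed `INJECTED_LANG` value (the slide's parameter, URL-decoded and with consistent CRLF line endings) and the `/index.html` victim URL are assumptions made for this example.

```python
import re

# Constructed sample input: the slide's attack parameter after URL decoding,
# normalised to CRLF everywhere (the slide's encoded form mixes %0a%0a).
INJECTED_LANG = (
    "Foo\r\nConnection: Keep-Alive\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 20\r\n\r\n"
    "<html>Gotcha!</html>"  # exactly 20 bytes, matching the Content-Length above
)


def build_redirect_vulnerable(lang):
    """Mirror of the JSP on slide 6: the parameter is concatenated into the
    Location header with no validation (deliberately vulnerable)."""
    return (
        "HTTP/1.0 302 Redirect\r\n"
        "Location: http://www.the.site/by_lang.jsp?lang=" + lang + "\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def strip_crlf(value):
    """Slide 10's fix: remove CR and LF before embedding data in a header."""
    return re.sub(r"[\r\n]", "", value)


def build_redirect_hardened(lang):
    """Same redirect, but the header value can no longer end a line."""
    return build_redirect_vulnerable(strip_crlf(lang))


def split_responses(stream):
    """Parse a raw stream the way a lenient HTTP/1.0 proxy would and return
    (list of (status_line, headers, body), leftover bytes that fit nothing)."""
    responses = []
    pos = 0
    while stream.startswith("HTTP/", pos):
        head_end = stream.find("\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = stream[pos:head_end].split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        responses.append((lines[0], headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return responses, stream[pos:]


def cache_from_pipelined_connection(request_urls, stream):
    """Model the shared cache's pairing rule: responses arriving on one
    connection are matched to outstanding requests in order, and successful
    ones are stored under the URL of the request they were matched to."""
    responses, _leftover = split_responses(stream)
    cache = {}
    for url, (status_line, _headers, body) in zip(request_urls, responses):
        if status_line.split(" ")[1] == "200":  # only cacheable success responses
            cache[url] = body
    return cache


if __name__ == "__main__":
    # Step 3 (crafted request) followed by step 4 (the resource to be poisoned).
    urls = ["/welcome.jsp?lang=" + INJECTED_LANG, "/index.html"]
    for builder in (build_redirect_vulnerable, build_redirect_hardened):
        stream = builder(INJECTED_LANG)
        responses, leftover = split_responses(stream)
        print(builder.__name__, "->", len(responses), "response(s);",
              "cache:", cache_from_pipelined_connection(urls, stream))
```

With the vulnerable builder the parser sees two responses and the cache stores the attacker's body under `/index.html`; with the hardened builder the whole payload stays inside one Location header, only one response is parsed, and nothing is cached for the second request. Removing CR/LF is what slide 10 prescribes; rejecting the request outright, or percent-encoding the value before placing it in the URL, is a stricter variant of the same control.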
