
Web Cache Deception Attack

Web Cache Deception Attack: A new web attack vector affecting many web frameworks and caching mechanisms. Slides are from Black Hat USA 2017.

White Paper:
https://drive.google.com/file/d/0BxuNjp5J7XUIdkotUm5Jem5IZUk/view?usp=sharing

Original blog:
https://omergil.blogspot.com/2017/02/web-cache-deception-attack.html

Published in: Technology

  1. WEB CACHE DECEPTION ATTACK Omer Gil
  2. No SID
  3. About me • Omer Gil • 28 • Married + Java • PT team leader at EY • Student @omer_gil omergil.blogspot.com
  4. About caching
  5. About caching CDN
  6. About caching CDN
  7. About caching CDN
  8. About caching Load Balancer
  9. About caching Load Balancer
  10. About caching Load Balancer
  11. About caching Load Balancer
  12. About caching Reverse Proxy DMZ
  13. About caching Reverse Proxy DMZ
  14. About caching Stylesheet.css https://www.example.com/stylesheet.css
  15. About caching Stylesheet.css https://www.example.com/stylesheet.css Stylesheet.css
  16. About caching https://www.example.com/stylesheet.css Stylesheet.css
  17. About caching https://www.example.com/stylesheet.css Stylesheet.css Stylesheet.css
  18. Servers’ reactions /nonexistent.css http://www.example.com/account.php account.php The Spanner: http://www.thespanner.co.uk/2014/03/21/rpo/ XSS Jigsaw: http://blog.innerht.ml/page/2/
  19. Servers’ reactions account.php /nonexistent.css http://www.example.com/account.php
  20. Getting down to business “Hey, access https://www.bank.com/account.do/stylesheet.css” WAF!
  21. Getting down to business The user browses to https://www.bank.com/account.do/stylesheet.css
  22. Getting down to business https://www.bank.com/account.do/stylesheet.css returns with the content of account.do and the private page is cached
  23. Getting down to business The attacker browses to https://www.bank.com/account.do/stylesheet.css and gets the content of the user’s account.do page
  24. Getting down to business The attacker browses to https://www.bank.com/account.do/stylesheet.css and gets the content of the user’s account.do page
  25. Demo
  26. Conditions • Web cache functionality is set for the web application to cache static files based on their extensions, disregarding any caching header. • When accessing a page like http://www.example.com/home.php/nonexistent.css, the web server will return the content of home.php for that URL. • Victim has to be authenticated while accessing the triggering URL.
  27. Why the HELL #1 would a web application react like this?
  28. Why the HELL #1 Django: http://www.sampleapp.com/inbox/
  29. Why the HELL #1 Django: http://www.sampleapp.com/inbox/test.css urls.py
  30. Why the HELL #1 Django: urls.py http://www.sampleapp.com/inbox.css
  31. Why the HELL #1 Django: http://www.sampleapp.com/inbox/test.css urls.py
  32. Why the HELL #2 would a caching mechanism react like this?
  33. Why the HELL #2 IIS ARR:
  34. Why the HELL #2 IIS ARR: http://www.sampleapp.com/welcome.php/test.css
  35. Why the HELL #2 IIS ARR: http://www.sampleapp.com/welcome.php/test.css
  36. Why the HELL #2 Cloudflare: • Eligibility phase class, css, jar, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, docx, xls, xlsx, ps, pdf, pls, ppt, pptx, tif, tiff, ttf, otf, webp, woff, woff2, svg, svgz, eot, eps, ejs, swf, torrent, midi, mid https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/ https://blogs.akamai.com/2017/03/on-web-cache-deception-attacks.html
  37. Why the HELL #2 Cloudflare: • Disqualification phase ‘Edge cache expire TTL’ to the rescue!
  38. Why the HELL #2 Cloudflare: https://blog.cloudflare.com/edge-cache-expire-ttl-easiest-way-to-override/
  39. Mitigation • Only cache files if their HTTP caching headers allow • Store all static files in a designated directory • Cache files by their content type • Don’t accept this! http://www.example.com/home.php/non-existent.css. Return 302 or 404 instead
  40. THANKS @omer_gil Icon vectors created by Freepik.com omergil.blogspot.com
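The cache rule from the Conditions slide (cache by URL extension, headers ignored) beside the rule the Mitigation slide asks for (honour caching headers, a designated static directory, decide by content type, reject the home.php/nonexistent.css shape), as an added example that is not code from the slides or from Django, IIS ARR or Cloudflare; the static prefix, the extension and content-type sets and the dynamic-extension set are assumptions:

```python
# Added example (not from the slides). Constants below are assumptions chosen
# to illustrate the two rules; a real deployment would take them from config.
from urllib.parse import urlparse

STATIC_EXTENSIONS = {"css", "js", "jpg", "jpeg", "png", "gif", "ico", "svg", "woff", "woff2"}
STATIC_CONTENT_TYPES = {"text/css", "application/javascript", "image/png", "image/jpeg",
                        "image/gif", "image/svg+xml", "font/woff", "font/woff2"}
DYNAMIC_EXTENSIONS = {"php", "do", "jsp", "aspx", "asp"}  # assumed dynamic-page suffixes
STATIC_PREFIX = "/static/"                                # assumed designated static dir


def _last_segment_ext(path: str) -> str:
    """Extension of the final path segment, or '' if it has none."""
    last = path.rstrip("/").rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def cache_by_extension(url: str) -> bool:
    """Weak rule from the Conditions slide: cache whenever the URL looks static,
    ignoring every caching header. /account.do/stylesheet.css passes this test."""
    return _last_segment_ext(urlparse(url).path) in STATIC_EXTENSIONS


def cache_by_headers(url: str, headers: dict) -> bool:
    """Mitigation rule: cache only when Cache-Control permits it, the path sits
    under the static directory, and the response Content-Type is a static type."""
    path = urlparse(url).path
    if not path.startswith(STATIC_PREFIX):
        return False
    cache_control = headers.get("Cache-Control", "").lower()
    if "no-store" in cache_control or "private" in cache_control:
        return False
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return content_type in STATIC_CONTENT_TYPES


def is_deceptive_path(path: str) -> bool:
    """True for the /home.php/nonexistent.css shape: a dynamic-page segment that
    is followed by more segments. The application should answer 404 or 302."""
    segments = [s for s in path.split("/") if s]
    for seg in segments[:-1]:
        if "." in seg and seg.rsplit(".", 1)[-1].lower() in DYNAMIC_EXTENSIONS:
            return True
    return False
```

The Cloudflare eligibility list on slide 36 is a larger instance of STATIC_EXTENSIONS; the point is that the weak rule accepts the account.do URL while the header-and-type rule, given the HTML response the slides describe, does not.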
