Web Cache Deception Attack

•Download as PPTX, PDF•

3 likes•1,296 views

This document describes a web cache deception attack where an attacker can exploit how web servers and caching mechanisms handle requests for non-existent files. Specifically, if a request is made for a page plus a non-existent file extension, like http://www.example.com/account.php/stylesheet.css, some systems will return the content of the page rather than a 404. This allows an authenticated user's private page to be cached and then accessed by an attacker. The document provides examples of frameworks like Django and servers like IIS that can be exploited this way. It also discusses how caching services like Cloudflare have addressed this issue. Mitigations are proposed like only caching files if headers allow it and returning 302/404

Technology

About me
• Omer Gil
• 28
• Married + Java
• PT team leader at EY
• Student
@omer_gil omergil.blogspot.com

About caching
Stylesheet.css
https://www.example.com/stylesheet.css

About caching
Stylesheet.css
https://www.example.com/stylesheet.css
Stylesheet.css

About caching
https://www.example.com/stylesheet.css
Stylesheet.css

About caching
https://www.example.com/stylesheet.css
Stylesheet.cssStylesheet.css

/nonexistent.css
Servers’ reactions
http://www.example.com/account.php
account.php
The Spanner: http://www.thespanner.co.uk/2014/03/21/rpo/
XSS Jigsaw: http://blog.innerht.ml/page/2/

Servers’ reactions
account.php
/nonexistent.csshttp://www.example.com/account.php

Getting down to business
“Hey, access
https://www.bank.com/account.do/stylesheet.css”
WAF!

Getting down to business
The user browses to
https://www.bank.com/account.do/stylesheet.css

Getting down to business
https://www.bank.com/account.do/stylesheet.css
returns with the content of account.do
and the private page is cached

Getting down to business
The attacker browses to
https://www.bank.com/account.do/stylesheet.css
and gets the content of the user’s account.do page

Conditions
• Web cache functionality is set for the web application to cache static files
based on their extensions, disregarding any caching header.
• When accessing a page like
http://www.example.com/home.php/nonexistent.css, the web server will
return the content of home.php for that URL.
• Victim has to be authenticated while accessing the triggering URL.

Why the HELL #1
would a web application react like this?

Why the HELL #1
Django:
http://www.sampleapp.com/inbox/

Why the HELL #1
Django:
http://www.sampleapp.com/inbox/test.css
urls.py

Why the HELL #1
Django:
urls.py
http://www.sampleapp.com/inbox.css

Why the HELL #2
would a caching mechanism react like this?

Why the HELL #2
IIS ARR:
http://www.sampleapp.com/welcome.php/test.css

Why the HELL #2
Cloudflare:
• Eligibility phase
class, css, jar, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, docx, xls, xlsx, ps, pdf,
pls, ppt, pptx, tif, tiff, ttf, otf, webp, woff, woff2, svg, svgz, eot, eps, ejs, swf, torrent,
midi, mid
https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/
https://blogs.akamai.com/2017/03/on-web-cache-deception-attacks.html

Why the HELL #2
Cloudflare:
• Disqualification phase
‘Edge cache expire TTL’ to the rescue!

Why the HELL #2
Cloudflare:
https://blog.cloudflare.com/edge-cache-expire-ttl-easiest-way-to-override/

Mitigation
• Only cache files if their HTTP caching headers allow
• Store all static files in a designated directory
• Cache files by their content type
• Don’t accept this! http://www.example.com/home.php/non-existent.css.
Return 302 or 404 instead

THANKS
@omer_gil
Icon vectors created by Freepik.com
omergil.blogspot.com

What's hot

Adobe Experience Manager (AEM) is an enterprise-grade CMS. It’s used by high-profile companies like Linkedin, Apple, Mastercard, Western Union, Cisco, General Motors, and others. AEM is built on top of the Apache Sling, Apache Felix and Apache Jackrabbit Oak projects. In the talk, the author will share unique methodology on how to approach AEM weabpps in pentests or bug bounty programs. Misconfiguration issues, as well as product vulnerabilities, will be covered in the talk, including newly discovered vulnerabilities for which Adobe PSIRT assigned CVE ids. The author will share automation tool for discovering vulnerabilities and misconfigurations discussed in the talk.

Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps

hacktivity

Adobe Experience Manager (AEM), is a comprehensive content management solution for building websites, managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed toolset for AEM hacking to automate security testing of AEM web-applications. In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web-application. In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.

A Hacker's perspective on AEM applications security

Mikhail Egorov

Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism. Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour

Soroush Dalili

What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.

Mikhail Egorov

Windows File Pseudonyms

BaronZor

Polyglot payloads in practice by avlidienbrunn at HackPra

Mathias Karlsson

Waf bypassing Techniques

Avinash Thapa

PHP 5.5ネーティブキャッシュの話

Rui Hirokawa

Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition

Soroush Dalili

In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets. Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.

OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies

Frans Rosén

窺探職場上所需之資安專業技術與能力 Tdohconf

jack51706

X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter

Masato Kinugawa

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -

Naoki Nagazumi

HTTP Request Smuggling via higher HTTP versions

neexemil

bashでWebブラウザ(Selenium WebDriver)を動かした話

洋史東平

2023 COSCUP - Whats new in PostgreSQL 16

José Lin

RLSを用いたマルチテナント実装 for Django by Takayuki Shimizukawa 複数のテナント（チーム・組織）向けにサービスを提供するシステムで、テナント相互の情報を分離して扱う、複数のマルチテナントアーキテクチャが考案されています。「各プログラマが努力して実装する」戦略でも実現はできますが、プログラミングミスや設定間違いによるデータ混濁が高確率で発生します。このトークでは、マルチテナントアーキテクチャにおけるデータ分割アプローチのひとつ「共有アプローチ」をDjangoとPostgresのRow Level Security (RLS) の組合せで安全に実現する方法を紹介します。またこの方法のメリット、デメリットを紹介します。 https://djangocongress.jp/

RLSを用いたマルチテナント実装 for Django

Takayuki Shimizukawa

WordPress Theme Development

Bijay Oli

Golangにおける端末制御リッチなターミナルUIの実現方法

Masashi Shibata

Many enterprise are implementing Hadoop projects to manage and process large datasets. Big question is: how to configure Hadoop clusters to connect to enterprise directory containing 100k+ users and groups for access management. Several large enterprises have complex directory servers for managing users and groups. Many advanced features have been recently added to Hadoop user management in order to support various complex directory server structures. In this session attendees will learn about: setting up Hadoop node with users from Active Directory for executing Hadoop jobs, setting up authentication for enterprise users, and setting up authorization for users and groups using Apache Ranger. Attendees will also learn about the common challenges faced in the enterprise environments while interacting with Active Directory including filtering out users to be brought into Hadoop from Active Directory, restricting access to a set of users from Active Directory, handling users from nested group structures, etc. Speakers Sailaja Polavarapu, staff Software Engineer, Hortonworks Velmurugan Periasamy, Director - Engineering, Hortonworks

Managing enterprise users in Hadoop ecosystem

DataWorks Summit

What's hot (20)

Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps

A Hacker's perspective on AEM applications security

WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour

What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.

Windows File Pseudonyms

Polyglot payloads in practice by avlidienbrunn at HackPra

Waf bypassing Techniques

PHP 5.5ネーティブキャッシュの話

Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition

OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies

窺探職場上所需之資安專業技術與能力 Tdohconf

X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter

アプリ開発で知っておきたい認証技術 - OAuth 1.0 + OAuth 2.0 + OpenID Connect -

HTTP Request Smuggling via higher HTTP versions

bashでWebブラウザ(Selenium WebDriver)を動かした話

2023 COSCUP - Whats new in PostgreSQL 16

RLSを用いたマルチテナント実装 for Django

WordPress Theme Development

Golangにおける端末制御リッチなターミナルUIの実現方法

Managing enterprise users in Hadoop ecosystem

Similar to Web Cache Deception Attack

腾讯大讲堂09 如何建设高性能网站

areyouok

腾讯大讲堂09 如何建设高性能网站

topgeek

Csdn Drdobbs Tenni Theurer Yahoo

guestb1b95b

High Performance Web Sites

Páris Neto

High Performance Websites By Souders Steve

w3guru

Plop

oakleaf

Oscon 20080724

linkedin_resptest2

These slides would share our experiences in reusing the legacy automation testing code (Selenium+xpath) in IE. To reuse our legacy code in IE, we explored three techinques, i.e., CSS selectors, jQuery selectors, Javascript-xpath library. These slides would discuss each technique and explain how we addressed the limitations of existing teachniques. The discussions would present how to rejuvenate the legacy code at code level and library level. Finally, the best practices would be summarized based on the practical experiences.

Migration strategies 4

Wenhua Wang

10up open sourced their WordPress Best Practices (PHP, JavaScript, tools, and workflows) in late 2014. As the Director of Web Engineering at 10up, I drove this project and am the lead contributor to the docs. These Best Practices allow developers to build sites that scale, perform, and are secure one sites receiving millions of page views per day. They also standardize development practices in such a way that facilitates team collaboration. This talk will highlight some important parts of the Best Practices and reveal some valuable tips about how we (10up) engineer some of the most complex and most viewed WordPress sites in the world.

Best Practices for WordPress in Enterprise

Taylor Lovett

Performance automation 101 @LDNWebPerf MickMcGuinness

Stephen Thair

Windycityrails page performance

John McCaffrey

Log data contains some of the most valuable raw information you can gather and analyze about your infrastructure and applications. Amid the mess of confusing lines of seemingly random text can be hints about performance, security, flaws in code, user access patterns, and other operational data. Without the proper tools, finding insights in these logs can be like searching for a hay-colored needle in a haystack. In this session you learn what practices and patterns you can easily implement that can help you better understand your log files. You see how you can customize web logs to add more information to them, how to digest logs from around your infrastructure, and how to analyze your log files in near real time.

(WEB301) Operational Web Log Analysis | AWS re:Invent 2014

Amazon Web Services

Best practices-wordpress-enterprise

Taylor Lovett

Speed = $$$

Peter Gfader

WordPress Coding Standards

Curtiss Grymala

10 Tips to make your Website lightning-fast - SMX Stockholm 2012

Bastian Grimm

JavaScript Performance Patterns

Stoyan Stefanov

Acegi Security is quickly becoming a widely respected security framework for Java applications. Not only does this security framework solve many of the deficiencies of J2EE's security mechanisms, but it's also easy to implement and configure. This tutorial will help you learn more about Acegi Security, as well as how to integrate it into your web applications. The Roller Weblogger project (currently in Apache's incubator) uses Acegi Security for many of its features: authentication, password encryption, remember me and SSL switching. After learning about Roller and Acegi, you will see how to deploy Roller onto Tomcat and Geronimo. Following that, you will learn how to hook Roller/Acegi into Apache Directory Server for authentication. Finally, you will learn how to integrate Roller with a Single Sign-on System (Yale's Central Authentication Service).

Apache Roller, Acegi Security and Single Sign-on

Matt Raible

Web 2.0 Expo: Even Faster Web Sites

Steve Souders

21 05-2018

Praaveen Vr

Similar to Web Cache Deception Attack (20)

腾讯大讲堂09 如何建设高性能网站

Csdn Drdobbs Tenni Theurer Yahoo

High Performance Web Sites

High Performance Websites By Souders Steve

Plop

Oscon 20080724

Migration strategies 4

Best Practices for WordPress in Enterprise

Performance automation 101 @LDNWebPerf MickMcGuinness

Windycityrails page performance

(WEB301) Operational Web Log Analysis | AWS re:Invent 2014

Best practices-wordpress-enterprise

Speed = $$$

WordPress Coding Standards

10 Tips to make your Website lightning-fast - SMX Stockholm 2012

JavaScript Performance Patterns

Apache Roller, Acegi Security and Single Sign-on

Web 2.0 Expo: Even Faster Web Sites

21 05-2018

Recently uploaded

JohnPollard-hybrid-app-RailsConf2024.pptx

JohnPollard37

WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...

WSO2

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

Key topics covered: - Understanding the basics of IAM and its significance in the modern enterprise. IAM in a platformless environment - Tackling real-world issues like prioritizing frictionless yet secure user access, securing high-value APIs, integrating to business, compliance, and adapting to cloud native environments with scalable solutions - Practical demonstrations of how WSO2 products can be instrumental in deploying efficient IAM solutions - Preparing for upcoming trends and innovations in identity management

Navigating Identity and Access Management in the Modern Enterprise

WSO2

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Whatsapp Number Escorts Call girls 8617370543 Available 24x7 Mcleodganj Call Girls Service Offer Genuine VIP Model Escorts Call Girls in Your Budget. Mcleodganj Call Girls Service Provide Real Call Girls Number. Make Your Sexual Pleasure Memorable with Our Mcleodganj Call Girls at Affordable Price. Top VIP Escorts Call Girls, High Profile Independent Escorts Call Girls, Housewife Women Escorts Call Girl, College Girls Escorts Call Girls, Russian Escorts Call girls Service in Your Budget.

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model

Deepika Singh

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

The presentation was made in “Web3 Fusion: Embracing AI and Beyond” is more than a conference; it's a journey into the heart of digital transformation. The conference a provided a platform where the future of technology meets practical application. This three-day hybrid event, set in the heart of innovation, served as a gateway to the latest trends and transformative discussions in AI, Blockchain, IoT, AR/VR, and their collective impact on the information space.

AI in Action: Real World Use Cases by Anitaraj

AnitaRaj43

DBX First Quarter 2024 Investor Presentation

Dropbox

At its core, the challenge of managing Human Resources data is an integration challenge: estimates range from 2-3 HR systems in use at a typical SMB, up to a few dozen systems implemented amongst enterprise HR departments, and these systems seldom integrate seamlessly between themselves. Providing a multi-tenant, cloud-native solution to integrate these hundreds of HR-related systems, normalize their disparate data models and then render that consolidated information for stakeholder decision making has been a substantial undertaking, but one significantly eased by leveraging Ballerina. In this session, we’ll cover: The overall software architecture for VHR’s Cloud Data Platform Critical decision points leading to adoption of Ballerina for the CDP Ballerina’s role in multiple evolutionary steps to the current architecture Roadmap for the CDP architecture and plans for Ballerina WSO2’s partnership in bringing continual success for the CD

Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform

WSO2

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Architecting Cloud Native Applications

WSO2

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Recently uploaded (20)