26.
Conditions
• Web cache functionality is set for the web application to cache static files based on their extensions, disregarding any caching header.
• When accessing a page like http://www.example.com/home.php/nonexistent.css, the web server will return the content of home.php for that URL.
• Victim has to be authenticated while accessing the triggering URL.
27.
Why the HELL #1
would a web application react like this?
28.
Why the HELL #1
Django:
http://www.sampleapp.com/inbox/
29.
Why the HELL #1
Django:
http://www.sampleapp.com/inbox/test.css
urls.py
30.
Why the HELL #1
Django:
urls.py
http://www.sampleapp.com/inbox.css
31.
Why the HELL #1
Django:
http://www.sampleapp.com/inbox/test.css
urls.py
32.
Why the HELL #2
would a caching mechanism react like this?
37.
Why the HELL #2
Cloudflare:
• Disqualification phase
‘Edge cache expire TTL’ to the rescue!
38.
Why the HELL #2
Cloudflare:
https://blog.cloudflare.com/edge-cache-expire-ttl-easiest-way-to-override/
39.
Mitigation
• Only cache files if their HTTP caching headers allow
• Store all static files in a designated directory
• Cache files by their content type
• Don’t accept this! http://www.example.com/home.php/non-existent.css. Return 302 or 404 instead
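Added illustration (not code from the deck or from its author) covering both the Django slides and the Mitigation slide: a routing model in which a urls.py-style pattern without an end anchor answers for /inbox/test.css while an anchored one returns 404, and a cache-admission model contrasting the extension-only rule from the Conditions slide with a rule that honours Cache-Control and the response content type. The deck's own urls.py is not reproduced on the page, so the patterns, the sample responses and the static-type list below are assumptions.

```python
import re
from dataclasses import dataclass

# --- Routing side (the "Why the HELL #1" Django slides) ----------------------
# Constructed regex URL patterns in the style of a Django urls.py (assumption:
# the deck's real urls.py is not on the page). A pattern with no end anchor
# also matches "inbox/test.css", so the inbox view answers for a URL that the
# cache will treat as a static file.
LOOSE_PATTERNS = [r"^inbox/"]      # matches "inbox/", "inbox/test.css", ...
STRICT_PATTERNS = [r"^inbox/$"]    # matches "inbox/" only


def route(path: str, patterns) -> int:
    """Return 200 if any pattern matches the path, else 404 (the deck's advice)."""
    path = path.lstrip("/")
    return 200 if any(re.match(p, path) for p in patterns) else 404


# --- Cache side (the "Conditions" and "Mitigation" slides) -------------------
STATIC_EXTENSIONS = (".css", ".js", ".png", ".jpg", ".gif")
STATIC_TYPES = {"text/css", "application/javascript",
                "image/png", "image/jpeg", "image/gif"}   # constructed list


@dataclass
class Response:
    status: int
    content_type: str      # value of the Content-Type header
    cache_control: str     # value of the Cache-Control header ("" if absent)


def cache_by_extension(path: str, resp: Response) -> bool:
    """Weak policy from the Conditions slide: cache anything whose URL ends in a
    static extension and ignore the response's caching headers entirely."""
    return path.lower().endswith(STATIC_EXTENSIONS)


def cache_by_headers_and_type(path: str, resp: Response) -> bool:
    """Hardened policy from the Mitigation slide: only cache a 200 response
    whose Cache-Control permits it and whose content type is a static type."""
    directives = {d.strip().lower()
                  for d in resp.cache_control.split(",") if d.strip()}
    if resp.status != 200:
        return False
    if directives & {"no-store", "private"}:
        return False
    media_type = resp.content_type.split(";")[0].strip().lower()
    return media_type in STATIC_TYPES


# Constructed responses: home.php renders a per-user page; style.css is static.
PRIVATE_PAGE = Response(200, "text/html; charset=utf-8", "private, no-store")
REAL_CSS = Response(200, "text/css", "public, max-age=86400")


def simulate(path: str, resp: Response) -> dict:
    """Run both cache policies over one request/response pair."""
    return {
        "path": path,
        "weak_caches": cache_by_extension(path, resp),
        "hardened_caches": cache_by_headers_and_type(path, resp),
    }


if __name__ == "__main__":
    # The deceptive URL looks like CSS but carries the authenticated page.
    print(simulate("/home.php/nonexistent.css", PRIVATE_PAGE))
    print(simulate("/static/style.css", REAL_CSS))
    print("loose:", route("/inbox/test.css", LOOSE_PATTERNS),
          "strict:", route("/inbox/test.css", STRICT_PATTERNS))
```

Running the script shows the weak policy admitting the home.php response under the .css name while the hardened policy refuses it (the page is private and text/html), and shows that only the anchored pattern returns the 404 the deck asks for.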
40.
THANKS
@omer_gil
Icon vectors created by Freepik.com
omergil.blogspot.com