Uploaded byAlexandraLacatus
PPT, PDF2,795 views

Cache poisoning

This document discusses cache poisoning attacks. It begins with an overview and introduction to web cache poisoning and related attacks like HTTP response splitting. It then provides an example of how HTTP response splitting works and can be used to conduct a cache poisoning attack by injecting malicious content. The document outlines practical considerations for both attackers in conducting such an attack and victims in preventing them, such as input validation and restricting special characters. It concludes with a bibliography of additional resources on these topics.

Technology
Related topics:
Software Security

Embed presentation

Downloaded 50 times
Cache Poisoning alexandra.lacatus@info.uaic.ro FCS Iasi, Software Security
Overview Intro Web Cache poisoning Related Attacks About HTTP Response Splitting Attack scenario Practical considerations 2 Software Security, FCS Iasi, 2013-2014
About Web Cache poisoning Domain pioneered by Amit Klein, formerly Director of Security and Research at Sanctum, Inc. Allows an attacker to place malicious content on a shared cache server (such as an proxy server) All users of that cache will continue to receive the malicious content until the cache entry is purged. 3 Software Security, FCS Iasi, 2013-2014
Related attacks & vulnerabilities Web Cache poisoning is based on HTTP Response splitting. The attacker must find a web resource vulnerable to HTTP response Splitting and exploit that vulnerability. Cross-User Defacement is also possible via placing malicious web content for a specific user && stealing sensitive information 4 Software Security, FCS Iasi, 2013-2014
HTTP Response Splitting Forcing an originator of HTTP messages to emit 2 (or more) valid (RFC-compliant) messages instead of one. The result of the application’s failure to reject illegal user input (malicious/unexpected CR&LF characters – may be found especially in Location and Set-Cookie headers) 5 Software Security, FCS Iasi, 2013-2014
Response Splitting Example [5]  JSP page (say http://www.the.site/welcome.jsp?lang=...) <% response.sendRedirect(“/by_lang.jsp?lang=“ + request.getParameter(“lang”)); %>  Normal request: http://www.the.site/welcome.jsp?lang=Romanian  Normal Response: HTTP/1.0 302 Redirect Location: http://www.the.site/by_lang.jsp?lang=Romanian Connection: Keep-Alive Content-Length: 0 6 Software Security, FCS Iasi, 2013-2014
Example – continued [5]  Attack request http://www.the.site/welcome.jsp?lang=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length: %200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContentLength:%2020%0d%0a%0d%0a<html>Gotcha!</html>  Response (actually, 2 responses and some change): HTTP/1.0 302 Redirect Location: http://www.the.site/by_lang.jsp?lang=Foo Will be interpreted as Response # 1 Connection: Keep-Alive Content-Length: 0 HTTP/1.0 200 OK Content-Type: text/html Will be interpreted as Response # 2 !!Injected by attacker!! Content-Length: 20 <html>Gotcha</html> Connection: Keep-Alive Content-Length: 0 … 7 Software Security, FCS Iasi, 2013-2014 Superfluous data, does not conform to the HTTP Standard
Cache Poisoning Attack Difficult to carry-out in real environment. (many conditions and pre-requisites) 1) Find a web resource vulnerable to HTTP Response Splitting 2) Force the cache server to flush the actual cache content (Pragma: no-cache or Cache-Control) 3) Send a specially crafted request, as the previous 4) Send the next request (poisoned resource). The injected Response #2 will server as a response from Step #3 and will be stored by the shared web cache server 8 Software Security, FCS Iasi, 2013-2014
Attacker - Practical Aspects [4] Maintain the poisoned resource Last-Modified header with a future time value Send the cache poisoning attack every x minutes? Execute all requests immediately one after another Take into account the URI length (GET / POST) Attack scenario depends to the web server implementation (Microsoft ASP, Jakarta Tomcat, IBM WebSphere etc.): Where the second message starts? 9 Software Security, FCS Iasi, 2013-2014
Victims – Practical Aspects [4] Web Application Developers VALIDATE INPUT!! Remove CRs and LFs before embedding data to HTTP response headers (Location and SetCookie especially) Web application engine vendors Disallow CR & LF characters in all HTTP response headers (requirement for RFC 2616) Proxy vendors Avoid sharing server TCP connection among different clients / virtual hosts 10 Software Security, FCS Iasi, 2013-2014
Bibliography 1) OWASP page for Web cache poisoning https://www.owasp.org/index.php/Cache_Poisoning 1) OWASP page for HTTP Response Splitting https://www.owasp.org/index.php/HTTP_Response_Splitting 1) 2) 3) 4) OWASP Testing guide v3 (section 4.8.15, Testing for HTTP Splitting/Smuggling, pages 278-281) Amit Klein, Http Response Splitting, Web Cache Poisoning Attacks a Amit Klein, HTTP Message Splitting, Smuggling and Other Animals, OWASP AppSec Europe, 2006 China's Great Firewall spreads overseas http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_s preads_overseas 11 Software Security, FCS Iasi, 2013-2014

More Related Content

PPTX
Web Cache Poisoning
byKuldeepPandya5
 
PDF
Cross Site Scripting Going Beyond the Alert Box
byAaron Weaver
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PDF
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
PDF
REST APIs with Spring
byJoshua Long
 
PPTX
File inclusion
byAaftabKhan14
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PDF
CSRF Basics
byn|u - The Open Security Community
 
Web Cache Poisoning
byKuldeepPandya5
 
Cross Site Scripting Going Beyond the Alert Box
byAaron Weaver
 
Waf bypassing Techniques
byAvinash Thapa
 
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
REST APIs with Spring
byJoshua Long
 
File inclusion
byAaftabKhan14
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
CSRF Basics
byn|u - The Open Security Community
 

What's hot

PDF
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
PDF
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
PPTX
Cross Site Scripting ( XSS)
byAmit Tyagi
 
DOCX
Symantec Messaging Gateway - Technical Proposal (General)
byIftikhar Ali Iqbal
 
PPT
Xmpp presentation
byjavaranger123
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
PPTX
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
PDF
HTTP Security Headers
byIsmael Goncalves
 
PDF
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
PPTX
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
PPTX
Server-side template injection- Slides
byAmit Dubey
 
PDF
OWASP Top 10 API Security Risks
byIndusfacePvtLtd
 
PPT
Security Testing
byKiran Kumar
 
PPTX
Syslog
bySangJung Woo
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PPTX
Format String Attack
byMayur Mallya
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PPT
Web Application Security
byAbdul Wahid
 
PPTX
Http request smuggling
byn|u - The Open Security Community
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
Cross Site Scripting ( XSS)
byAmit Tyagi
 
Symantec Messaging Gateway - Technical Proposal (General)
byIftikhar Ali Iqbal
 
Xmpp presentation
byjavaranger123
 
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
A Forgotten HTTP Invisibility Cloak
bySoroush Dalili
 
HTTP Security Headers
byIsmael Goncalves
 
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
Server-side template injection- Slides
byAmit Dubey
 
OWASP Top 10 API Security Risks
byIndusfacePvtLtd
 
Security Testing
byKiran Kumar
 
Syslog
bySangJung Woo
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
Format String Attack
byMayur Mallya
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
Attacking thru HTTP Host header
bySergey Belov
 
Web Application Security
byAbdul Wahid
 
Http request smuggling
byn|u - The Open Security Community
 

Similar to Cache poisoning

PDF
Penetration testing web application web application (in) security
byNahidul Kibria
 
PPT
Introduction to Web Server Security
byJITENDRA KUMAR PATEL
 
PPTX
Http response splitting
bySharath Unni
 
PPT
Web Hacking
byInformation Technology
 
PDF
Attques web
byTarek MOHAMED
 
PDF
Http requesting smuggling
byApijay Kumar
 
PDF
Http requesting smuggling
byApijay Kumar
 
PDF
Watch How The Giants Fall: Learning from Bug Bounty Results
byjtmelton
 
PPTX
Cyber Security-Ethical Hacking
byViral Parmar
 
PDF
End to end web security
byGeorge Boobyer
 
PPTX
Web Application Security - Folio3
byFolio3 Software
 
PDF
Remote file path traversal attacks for fun and profit
byDharmalingam Ganesan
 
DOC
Days of the Honeynet: Attacks, Tools, Incidents
byAnton Chuvakin
 
PDF
Null HYD VRTDOS
byRaghunath G
 
PPTX
Vulnerabilities in data processing levels
bybeched
 
PPTX
Vulnerabilities on Various Data Processing Levels
byPositive Hack Days
 
PPTX
The Enemy Within: Organizational Insight Through the Eyes of a Webserver
byRamece Cave
 
PPT
Css
bybismasheikh3
 
PDF
Cached and Confused: Web Cache Deception in the Wild
bySajjad "JJ" Arshad
 
PDF
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
byDefconRussia
 
Penetration testing web application web application (in) security
byNahidul Kibria
 
Introduction to Web Server Security
byJITENDRA KUMAR PATEL
 
Http response splitting
bySharath Unni
 
Web Hacking
byInformation Technology
 
Attques web
byTarek MOHAMED
 
Http requesting smuggling
byApijay Kumar
 
Http requesting smuggling
byApijay Kumar
 
Watch How The Giants Fall: Learning from Bug Bounty Results
byjtmelton
 
Cyber Security-Ethical Hacking
byViral Parmar
 
End to end web security
byGeorge Boobyer
 
Web Application Security - Folio3
byFolio3 Software
 
Remote file path traversal attacks for fun and profit
byDharmalingam Ganesan
 
Days of the Honeynet: Attacks, Tools, Incidents
byAnton Chuvakin
 
Null HYD VRTDOS
byRaghunath G
 
Vulnerabilities in data processing levels
bybeched
 
Vulnerabilities on Various Data Processing Levels
byPositive Hack Days
 
The Enemy Within: Organizational Insight Through the Eyes of a Webserver
byRamece Cave
 
Css
bybismasheikh3
 
Cached and Confused: Web Cache Deception in the Wild
bySajjad "JJ" Arshad
 
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
byDefconRussia
 

Recently uploaded

PDF
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PPTX
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
PDF
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
PDF
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PDF
P6 Presentation basics for project control managers and planners
byNebojsaPavlovic9
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
PPTX
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PPTX
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
PDF
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
PDF
XonTel Plus IP-PBX Business Phone System
byXonTel Technology
 
PDF
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
PDF
SAP WalkMe Overview.pdf SAP WalkMe Overview.pdf
byMurniatiSimbolon2
 
PDF
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
PPTX
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
PDF
Early Signs of Constraint Loss in Modern System Design
byReality Drift Archive
 
PPTX
Why GEO Is the Next Big Shift in Content Marketing.pptx
bySambitParhi2
 
PPTX
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
6 Insights from the Patron Saint of AI Failure
byScott M. Graffius
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
P6 Presentation basics for project control managers and planners
byNebojsaPavlovic9
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
XonTel Plus IP-PBX Business Phone System
byXonTel Technology
 
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
SAP WalkMe Overview.pdf SAP WalkMe Overview.pdf
byMurniatiSimbolon2
 
Effective Ai powered mock interview .pdf
byamazingnishusingh766
 
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
Early Signs of Constraint Loss in Modern System Design
byReality Drift Archive
 
Why GEO Is the Next Big Shift in Content Marketing.pptx
bySambitParhi2
 
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 

Cache poisoning

  • 1.
  • 2.
    Overview Intro Web Cachepoisoning Related Attacks About HTTP Response Splitting Attack scenario Practical considerations 2 Software Security, FCS Iasi, 2013-2014
  • 3.
    About Web Cachepoisoning Domain pioneered by Amit Klein, formerly Director of Security and Research at Sanctum, Inc. Allows an attacker to place malicious content on a shared cache server (such as an proxy server) All users of that cache will continue to receive the malicious content until the cache entry is purged. 3 Software Security, FCS Iasi, 2013-2014
  • 4.
    Related attacks &vulnerabilities Web Cache poisoning is based on HTTP Response splitting. The attacker must find a web resource vulnerable to HTTP response Splitting and exploit that vulnerability. Cross-User Defacement is also possible via placing malicious web content for a specific user && stealing sensitive information 4 Software Security, FCS Iasi, 2013-2014
  • 5.
    HTTP Response Splitting Forcingan originator of HTTP messages to emit 2 (or more) valid (RFC-compliant) messages instead of one. The result of the application’s failure to reject illegal user input (malicious/unexpected CR&LF characters – may be found especially in Location and Set-Cookie headers) 5 Software Security, FCS Iasi, 2013-2014
  • 6.
    Response Splitting Example[5]  JSP page (say http://www.the.site/welcome.jsp?lang=...) <% response.sendRedirect(“/by_lang.jsp?lang=“ + request.getParameter(“lang”)); %>  Normal request: http://www.the.site/welcome.jsp?lang=Romanian  Normal Response: HTTP/1.0 302 Redirect Location: http://www.the.site/by_lang.jsp?lang=Romanian Connection: Keep-Alive Content-Length: 0 6 Software Security, FCS Iasi, 2013-2014
  • 7.
    Example – continued[5]  Attack request http://www.the.site/welcome.jsp?lang=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length: %200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContentLength:%2020%0d%0a%0d%0a<html>Gotcha!</html>  Response (actually, 2 responses and some change): HTTP/1.0 302 Redirect Location: http://www.the.site/by_lang.jsp?lang=Foo Will be interpreted as Response # 1 Connection: Keep-Alive Content-Length: 0 HTTP/1.0 200 OK Content-Type: text/html Will be interpreted as Response # 2 !!Injected by attacker!! Content-Length: 20 <html>Gotcha</html> Connection: Keep-Alive Content-Length: 0 … 7 Software Security, FCS Iasi, 2013-2014 Superfluous data, does not conform to the HTTP Standard
  • 8.
    Cache Poisoning Attack Difficultto carry-out in real environment. (many conditions and pre-requisites) 1) Find a web resource vulnerable to HTTP Response Splitting 2) Force the cache server to flush the actual cache content (Pragma: no-cache or Cache-Control) 3) Send a specially crafted request, as the previous 4) Send the next request (poisoned resource). The injected Response #2 will server as a response from Step #3 and will be stored by the shared web cache server 8 Software Security, FCS Iasi, 2013-2014
  • 9.
    Attacker - PracticalAspects [4] Maintain the poisoned resource Last-Modified header with a future time value Send the cache poisoning attack every x minutes? Execute all requests immediately one after another Take into account the URI length (GET / POST) Attack scenario depends to the web server implementation (Microsoft ASP, Jakarta Tomcat, IBM WebSphere etc.): Where the second message starts? 9 Software Security, FCS Iasi, 2013-2014
  • 10.
    Victims – PracticalAspects [4] Web Application Developers VALIDATE INPUT!! Remove CRs and LFs before embedding data to HTTP response headers (Location and SetCookie especially) Web application engine vendors Disallow CR & LF characters in all HTTP response headers (requirement for RFC 2616) Proxy vendors Avoid sharing server TCP connection among different clients / virtual hosts 10 Software Security, FCS Iasi, 2013-2014
  • 11.
    Bibliography 1) OWASP page forWeb cache poisoning https://www.owasp.org/index.php/Cache_Poisoning 1) OWASP page for HTTP Response Splitting https://www.owasp.org/index.php/HTTP_Response_Splitting 1) 2) 3) 4) OWASP Testing guide v3 (section 4.8.15, Testing for HTTP Splitting/Smuggling, pages 278-281) Amit Klein, Http Response Splitting, Web Cache Poisoning Attacks a Amit Klein, HTTP Message Splitting, Smuggling and Other Animals, OWASP AppSec Europe, 2006 China's Great Firewall spreads overseas http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_s preads_overseas 11 Software Security, FCS Iasi, 2013-2014

Editor's Notes

  • #4 Cand a fost descoperit, de cine