SlideShare a Scribd company logo

Cached and Confused: Web Cache Deception in the Wild

Sajjad "JJ" Arshad
Sajjad "JJ" Arshad

USENIX Security Symposium, 2020

Technology
1 of 16
Download to read offline
Cached and Confused: Web Cache Deception in the Wild Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, William Robertson USENIX Security 2020 University of Trento, Northeastern University, Akamai Technologies
Web Caches 2 ➔ Effective solution to decrease network latency and web application load ◆ Private cache for single user (e.g., web browsers) ◆ Shared cache for multiple users (e.g., web servers, MitM proxies) ◆ Key component of CDNs to provide web availability (a.k.a. Edge Servers) ◆ Study shows 74% of the Alexa Top 1K make use of CDNs ➔ Most common targets are static but frequently accessed resources ◆ HTML pages, scripts, style sheets, images, ... ➔ Web servers use Cache-Control headers to communicate with web caches ◆ “Cache-Control: no-store” indicates that the response should not be stored ◆ Even though web caches MUST respect these headers, they offer configuration options for their users to ignore header instructions ● Simple caching rules based on resource paths, file names and extensions (e.g., jpg, css, js)
Path Confusion 3 ➔ Traditionally, URLs referenced web resources by directly mapping them to web server’s file system structure: ◆ example.com/files/index.php?p1=v1 correspond to the file files/index.php at the web server’s document root directory ➔ Web servers introduced URL rewriting mechanisms to implement advanced application routing structures. ◆ Clean URLs (a.k.a. RESTful URLs) ● example.com/index.php/v1 => example.com/files/index.php?p1=v1 ➔ Browsers and proxies are not aware of this layer of abstraction between the resource file system path and its URL. ◆ They process the URLs in an unexpected manner a.k.a Path Confusion
Web Cache Deception (WCD) ➔ Introduced in 2017 by Omer Gil with PoC against PayPal ➔ WCD results different interpretations of a URL (path confusion) between a server and a web cache. 4
Research Questions ➔ What is the prevalence of WCD vulnerabilities on popular, highly-trafficked domains? ➔ Do WCD vulnerabilities expose PII and, if so, what kinds? ➔ Can WCD vulnerabilities be used to defeat defenses against web application attacks? ➔ Can WCD vulnerabilities be fully exploited by unauthenticated users? ➔ Can variation of Path Confusion techniques expand the number of vulnerable/exploitable sites? ➔ Is attacker geographical location important? ➔ Are default configurations of major CDN providers vulnerable? 5
Methodology ➔ Subdomain discovery to increase site coverage. ➔ Created account for 295 sites from Alexa Top 5K ➔ Appended “/<random>.css” to each URL from the victim account.. ➔ visited same page from the (un)authenticated attack crawler and compare responses. ➔ Responses analyzed for the disclosure of security tokens. 6
Crawling Stats & Alexa Ranking 7
Research Questions ➔ What is the prevalence of WCD vulnerabilities on popular, highly-trafficked domains? ➔ Do WCD vulnerabilities expose PII and, if so, what kinds? ➔ Can WCD vulnerabilities be used to defeat defenses against web application attacks? ➔ Can WCD vulnerabilities be fully exploited by unauthenticated users? ➔ Can variation of Path Confusion techniques expand the number of vulnerable/exploitable sites? ➔ Is attacker geographical location important? ➔ Are default configurations of major CDN providers vulnerable? 8
Vulnerabilities 9 ➔ 14 vulnerable sites leaked PII including names, usernames, email addresses, and phone numbers. ➔ 6 vulnerable sites leaked CSRF tokens ➔ 6 vulnerable sites leaked session identifiers or user-specific API tokens ➔ Our results show that WCD can fully exploit with unauthenticated attackers.
Research Questions ➔ What is the prevalence of WCD vulnerabilities on popular, highly-trafficked domains? ➔ Do WCD vulnerabilities expose PII and, if so, what kinds? ➔ Can WCD vulnerabilities be used to defeat defenses against web application attacks? ➔ Can WCD vulnerabilities be fully exploited by unauthenticated users? ➔ Can variation of Path Confusion techniques expand the number of vulnerable/exploitable sites? ➔ Is attacker geographical location important? ➔ Are default configurations of major CDN providers vulnerable? 10
Variations on Path Confusion 11
Path Confusion Results ➔ Results confirm our hypothesis that launching WCD attacks with variations on path confusion increased possibility of successful exploitation significantly. ➔ Some variations elicit more 200 OK server responses increasing the likelihood of the web server returning sensitive information. ➔ Each path confusion variation was able to attack a set of unique pages that were not vulnerable to other techniques. 12
Research Questions ➔ What is the prevalence of WCD vulnerabilities on popular, highly-trafficked domains? ➔ Do WCD vulnerabilities expose PII and, if so, what kinds? ➔ Can WCD vulnerabilities be used to defeat defenses against web application attacks? ➔ Can WCD vulnerabilities be fully exploited by unauthenticated users? ➔ Can variation of Path Confusion techniques expand the number of vulnerable/exploitable sites? ➔ Is attacker geographical location important? ➔ Are default configurations of major CDN providers vulnerable? 13
Empirical Experiments ➔ Cache Location ◆ Victim in Boston, MA, USA and Attacker in Trento, Italy. ◆ Attack failed for 19 sites but 6 sites were still exploitable. ➔ Cache Expiration ◆ Web caches typically store objects for a short amount of time. ◆ Attackers have a limited window of opportunity to launch a successful WCD attack. ◆ Repeated the attack with 1 hour, 6 hour, and 1 day delays for 19 sites. ◆ 16, 10, and 9 sites were exploitable in each case, respectively. ➔ Cache configuration ◆ We tested the basic content delivery solutions offered by major vendor to extract the default configuration. ◆ By default, many Major CDN vendors do not make RFC-compliant caching decision. 14
Lessons Learned & Conclusion ➔ Configuring web caches correctly is not a trivial task. ◆ Caching rules based on file extensions are prone to security problem. ◆ CDNs are not intended to be plug & play solutions. ➔ As WCD attacks impact all web cache technologies, there is a widespread lack of user awareness. ◆ There exists no technology to reliably determine if any part of system is vulnerable ➔ WCD is generally a “system safety” problem ◆ There are no isolated faulty components. ◆ Complex interactions among different technologies must take into consideration. ➔ Variations of path confusion techniques make it possible to exploit sites that are otherwise not impacted by the original attacks. 15
Thanks! Questions? Seyed Ali Mirheidari, seyedali.mirheidari@unitn.it Sajjad “JJ” Arshad, @sajjadium Kaan Onarlioglu, Akamai, www.onarlioglu.com 16

Recommended

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
Site Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security WeekSite Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security Weekguest9663eb
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QACodeFest
 
Web content security policies
Web content security policiesWeb content security policies
Web content security policiesDhanu Gupta
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Javascript issues and tools in production for developers
Javascript issues and tools in production for developersJavascript issues and tools in production for developers
Javascript issues and tools in production for developersMichael Haberman
 
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Sajjad "JJ" Arshad
 
The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...
The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...
The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...Jan Löffler
 

Recommended

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
Site Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security WeekSite Security Policy - Yahoo! Security Week
Site Security Policy - Yahoo! Security Weekguest9663eb
 
QA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QAQA: Базовое тестирование защищенности веб-приложений в рамках QA
QA: Базовое тестирование защищенности веб-приложений в рамках QACodeFest
 
Web content security policies
Web content security policiesWeb content security policies
Web content security policiesDhanu Gupta
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Francois Marier
 
Javascript issues and tools in production for developers
Javascript issues and tools in production for developersJavascript issues and tools in production for developers
Javascript issues and tools in production for developersMichael Haberman
 
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Understanding and Mitigating the Security Risks of Content Inclusion in Web B...
Understanding and Mitigating the Security Risks of Content Inclusion in Web B...Sajjad "JJ" Arshad
 
The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...
The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...
The WordPress Hosting experience - Bought cheaply and paid dearly? - Jan Löf...Jan Löffler
 
Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockownerkhan
 
SDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinSDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinZivaro Inc
 
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...raksac
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana
 
Navigating the Web Security Landscape
Navigating the Web Security LandscapeNavigating the Web Security Landscape
Navigating the Web Security LandscapeBanff Cyber Technologies
 
Web development tips and tricks
Web development tips and tricksWeb development tips and tricks
Web development tips and tricksmaxo_64
 
Geographic Distribution for Global Web Application Performance
Geographic Distribution for Global Web Application PerformanceGeographic Distribution for Global Web Application Performance
Geographic Distribution for Global Web Application Performancekkjjkevin03
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...MongoDB
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteHow to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteWP Engine
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Radware
 
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015FITC
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Plandas-CacheCloud
Plandas-CacheCloudPlandas-CacheCloud
Plandas-CacheCloudGyuman Cho
 
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...Sajjad "JJ" Arshad
 
Large-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path OverwriteLarge-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path OverwriteSajjad "JJ" Arshad
 

More Related Content

Similar to Cached and Confused: Web Cache Deception in the Wild

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildSajjad "JJ" Arshad
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockownerkhan
 
SDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinSDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinZivaro Inc
 
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...raksac
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat Security Conference
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsVagner Santana
 
Web development tips and tricks
Web development tips and tricksWeb development tips and tricks
Web development tips and tricksmaxo_64
 
Geographic Distribution for Global Web Application Performance
Geographic Distribution for Global Web Application PerformanceGeographic Distribution for Global Web Application Performance
Geographic Distribution for Global Web Application Performancekkjjkevin03
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...MongoDB
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteHow to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteWP Engine
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Radware
 
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015FITC
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryBlack Duck by Synopsys
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliveryTim Mackey
 
Plandas-CacheCloud
Plandas-CacheCloudPlandas-CacheCloud
Plandas-CacheCloudGyuman Cho
 

Similar to Cached and Confused: Web Cache Deception in the Wild (20)

Cached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the WildCached and Confused: Web Cache Deception in the Wild
Cached and Confused: Web Cache Deception in the Wild
 
Xfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknockXfocus xcon 2008_aks_oknock
Xfocus xcon 2008_aks_oknock
 
SDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinSDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same Coin
 
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
DevSecOps Meetup - Secure your Containers (kubernetes, docker, amazon ECS)Con...
 
BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard BlueHat v17 || Securing Windows Defender Application Guard
BlueHat v17 || Securing Windows Defender Application Guard
 
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure WidgetsWWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
WWW/Internet 2011 - A Framework for Web 2.0 Secure Widgets
 
Navigating the Web Security Landscape
Navigating the Web Security LandscapeNavigating the Web Security Landscape
Navigating the Web Security Landscape
 
Web development tips and tricks
Web development tips and tricksWeb development tips and tricks
Web development tips and tricks
 
Geographic Distribution for Global Web Application Performance
Geographic Distribution for Global Web Application PerformanceGeographic Distribution for Global Web Application Performance
Geographic Distribution for Global Web Application Performance
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
MongoDB World 2019: New Encryption Capabilities in MongoDB 4.2: A Deep Dive i...
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteHow to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael Tremante
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?Cyber Attack Survival: Are You Ready?
Cyber Attack Survival: Are You Ready?
 
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Secure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous DeliverySecure Application Development in the Age of Continuous Delivery
Secure Application Development in the Age of Continuous Delivery
 
Plandas-CacheCloud
Plandas-CacheCloudPlandas-CacheCloud
Plandas-CacheCloud
 

More from Sajjad "JJ" Arshad

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...Sajjad "JJ" Arshad
 
Large-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path OverwriteLarge-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path OverwriteSajjad "JJ" Arshad
 
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareUNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareSajjad "JJ" Arshad
 
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted AdsTracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted AdsSajjad "JJ" Arshad
 
How Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSocketsHow Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSocketsSajjad "JJ" Arshad
 
Practical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow IntegrityPractical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow IntegritySajjad "JJ" Arshad
 
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content ProvenanceIdentifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content ProvenanceSajjad "JJ" Arshad
 
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...Sajjad "JJ" Arshad
 
A Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt StandardA Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt StandardSajjad "JJ" Arshad
 
How Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSocketsHow Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSocketsSajjad "JJ" Arshad
 
"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation Networks"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation NetworksSajjad "JJ" Arshad
 
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsInclude Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsSajjad "JJ" Arshad
 
On the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow IntegrityOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow IntegritySajjad "JJ" Arshad
 

More from Sajjad "JJ" Arshad (13)

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Gu...
 
Large-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path OverwriteLarge-Scale Analysis of Style Injection by Relative Path Overwrite
Large-Scale Analysis of Style Injection by Relative Path Overwrite
 
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareUNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
 
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted AdsTracing Information Flows Between Ad Exchanges Using Retargeted Ads
Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
 
How Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSocketsHow Tracking Companies Circumvent Ad Blockers Using WebSockets
How Tracking Companies Circumvent Ad Blockers Using WebSockets
 
Practical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow IntegrityPractical Challenges of Type Checking in Control Flow Integrity
Practical Challenges of Type Checking in Control Flow Integrity
 
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content ProvenanceIdentifying Extension-based Ad Injection via Fine-grained Web Content Provenance
Identifying Extension-based Ad Injection via Fine-grained Web Content Provenance
 
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Librari...
 
A Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt StandardA Longitudinal Analysis of the ads.txt Standard
A Longitudinal Analysis of the ads.txt Standard
 
How Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSocketsHow Tracking Companies Circumvented Ad Blockers Using WebSockets
How Tracking Companies Circumvented Ad Blockers Using WebSockets
 
"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation Networks"Recommended For You": A First Look at Content Recommendation Networks
"Recommended For You": A First Look at Content Recommendation Networks
 
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content InclusionsInclude Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions
 
On the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow IntegrityOn the Effectiveness of Type-based Control Flow Integrity
On the Effectiveness of Type-based Control Flow Integrity
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

Cached and Confused: Web Cache Deception in the Wild

  • 1. Cached and Confused: Web Cache Deception in the Wild Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, William Robertson USENIX Security 2020 University of Trento, Northeastern University, Akamai Technologies
  • 2. Web Caches 2 ➔ Effective solution to decrease network latency and web application load ◆ Private cache for single user (e.g., web browsers) ◆ Shared cache for multiple users (e.g., web servers, MitM proxies) ◆ Key component of CDNs to provide web availability (a.k.a. Edge Servers) ◆ Study shows 74% of the Alexa Top 1K make use of CDNs ➔ Most common targets are static but frequently accessed resources ◆ HTML pages, scripts, style sheets, images, ... ➔ Web servers use Cache-Control headers to communicate with web caches ◆ “Cache-Control: no-store” indicates that the response should not be stored ◆ Even though web caches MUST respect these headers, they offer configuration options for their users to ignore header instructions ● Simple caching rules based on resource paths, file names and extensions (e.g., jpg, css, js)
  • 3. Path Confusion 3 ➔ Traditionally, URLs referenced web resources by directly mapping them to web server’s file system structure: ◆ example.com/files/index.php?p1=v1 correspond to the file files/index.php at the web server’s document root directory ➔ Web servers introduced URL rewriting mechanisms to implement advanced application routing structures. ◆ Clean URLs (a.k.a. RESTful URLs) ● example.com/index.php/v1 => example.com/files/index.php?p1=v1 ➔ Browsers and proxies are not aware of this layer of abstraction between the resource file system path and its URL. ◆ They process the URLs in an unexpected manner a.k.a Path Confusion
  • 4. Web Cache Deception (WCD) ➔ Introduced in 2017 by Omer Gil with PoC against PayPal ➔ WCD results different interpretations of a URL (path confusion) between a server and a web cache. 4
  • 5. Research Questions ➔ What is the prevalence of WCD vulnerabilities on popular, highly-trafficked domains? ➔ Do WCD vulnerabilities expose PII and, if so, what kinds? ➔ Can WCD vulnerabilities be used to defeat defenses against web application attacks? ➔ Can WCD vulnerabilities be fully exploited by unauthenticated users? ➔ Can variation of Path Confusion techniques expand the number of vulnerable/exploitable sites? ➔ Is attacker geographical location important? ➔ Are default configurations of major CDN providers vulnerable? 5
  • 6. Methodology ➔ Subdomain discovery to increase site coverage. ➔ Created account for 295 sites from Alexa Top 5K ➔ Appended “/<random>.css” to each URL from the victim account.. ➔ visited same page from the (un)authenticated attack crawler and compare responses. ➔ Responses analyzed for the disclosure of security tokens. 6
  • 7. Crawling Stats & Alexa Ranking 7
  • 8. Research Questions ➔ What is the prevalence of WCD vulnerabilities on popular, highly-trafficked domains? ➔ Do WCD vulnerabilities expose PII and, if so, what kinds? ➔ Can WCD vulnerabilities be used to defeat defenses against web application attacks? ➔ Can WCD vulnerabilities be fully exploited by unauthenticated users? ➔ Can variation of Path Confusion techniques expand the number of vulnerable/exploitable sites? ➔ Is attacker geographical location important? ➔ Are default configurations of major CDN providers vulnerable? 8
  • 9. Vulnerabilities 9 ➔ 14 vulnerable sites leaked PII including names, usernames, email addresses, and phone numbers. ➔ 6 vulnerable sites leaked CSRF tokens ➔ 6 vulnerable sites leaked session identifiers or user-specific API tokens ➔ Our results show that WCD can fully exploit with unauthenticated attackers.
  • 10. Research Questions ➔ What is the prevalence of WCD vulnerabilities on popular, highly-trafficked domains? ➔ Do WCD vulnerabilities expose PII and, if so, what kinds? ➔ Can WCD vulnerabilities be used to defeat defenses against web application attacks? ➔ Can WCD vulnerabilities be fully exploited by unauthenticated users? ➔ Can variation of Path Confusion techniques expand the number of vulnerable/exploitable sites? ➔ Is attacker geographical location important? ➔ Are default configurations of major CDN providers vulnerable? 10
  • 11. Variations on Path Confusion 11
  • 12. Path Confusion Results ➔ Results confirm our hypothesis that launching WCD attacks with variations on path confusion increased possibility of successful exploitation significantly. ➔ Some variations elicit more 200 OK server responses increasing the likelihood of the web server returning sensitive information. ➔ Each path confusion variation was able to attack a set of unique pages that were not vulnerable to other techniques. 12
  • 13. Research Questions ➔ What is the prevalence of WCD vulnerabilities on popular, highly-trafficked domains? ➔ Do WCD vulnerabilities expose PII and, if so, what kinds? ➔ Can WCD vulnerabilities be used to defeat defenses against web application attacks? ➔ Can WCD vulnerabilities be fully exploited by unauthenticated users? ➔ Can variation of Path Confusion techniques expand the number of vulnerable/exploitable sites? ➔ Is attacker geographical location important? ➔ Are default configurations of major CDN providers vulnerable? 13
  • 14. Empirical Experiments ➔ Cache Location ◆ Victim in Boston, MA, USA and Attacker in Trento, Italy. ◆ Attack failed for 19 sites but 6 sites were still exploitable. ➔ Cache Expiration ◆ Web caches typically store objects for a short amount of time. ◆ Attackers have a limited window of opportunity to launch a successful WCD attack. ◆ Repeated the attack with 1 hour, 6 hour, and 1 day delays for 19 sites. ◆ 16, 10, and 9 sites were exploitable in each case, respectively. ➔ Cache configuration ◆ We tested the basic content delivery solutions offered by major vendor to extract the default configuration. ◆ By default, many Major CDN vendors do not make RFC-compliant caching decision. 14
  • 15. Lessons Learned & Conclusion ➔ Configuring web caches correctly is not a trivial task. ◆ Caching rules based on file extensions are prone to security problem. ◆ CDNs are not intended to be plug & play solutions. ➔ As WCD attacks impact all web cache technologies, there is a widespread lack of user awareness. ◆ There exists no technology to reliably determine if any part of system is vulnerable ➔ WCD is generally a “system safety” problem ◆ There are no isolated faulty components. ◆ Complex interactions among different technologies must take into consideration. ➔ Variations of path confusion techniques make it possible to exploit sites that are otherwise not impacted by the original attacks. 15
  • 16. Thanks! Questions? Seyed Ali Mirheidari, seyedali.mirheidari@unitn.it Sajjad “JJ” Arshad, @sajjadium Kaan Onarlioglu, Akamai, www.onarlioglu.com 16