
Web Cache Poisoning

Lab: Web cache poisoning with an unkeyed header

Before going to the lab, a short explanation of the web cache.

  1. How does a web cache (or HTTP cache) work?
    When a user sends a request for the first time, the server sends the response and caches the data needed for that request. If the user sends the same request a second time, the server does not need to query the database again; it returns the data from the cache. In this way, the server system is more efficient.

Let's capture a request.


Sending the request for the first time: X-Cache: miss (the data was not found in the cache).


Sending the request a second time: X-Cache: hit (the data was found in the cache).


(The HTTP X-Forwarded-Host header is used to identify the original host requested by the client.)
In the request, X-Forwarded-Host contains "shengngu.com".
In the response, "shengngu.com" appears in the script URL, prefixed to /resources/js/tracking.js.
In this way, an attacker can control the response that the user receives.
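The mechanism above, as an added example that is not the lab's or PortSwigger's code: a toy cache in front of a toy origin, keyed on method, Host and path only, so a response built from the unkeyed X-Forwarded-Host header is stored and served to the next user. The same block shows two fixes: add the header to the cache key, or stop the origin from reflecting it. The hosts vulnerable.example and attacker.website, and the function and class names, are constructed assumptions.

```python
# Added example (not the lab's or PortSwigger's code): a toy cache in front of a toy
# origin, showing why an unkeyed header poisons the cache and two ways to stop it.
# The hosts vulnerable.example / attacker.website are constructed sample values.

def reflecting_origin(req):
    """Mimics the lab bug: builds the tracking.js URL from X-Forwarded-Host."""
    host = req["headers"].get("X-Forwarded-Host", req["headers"]["Host"])
    return f'<script src="//{host}/resources/js/tracking.js"></script>'

def hardened_origin(req):
    """Fix at the origin: only Host decides where tracking.js is loaded from."""
    return f'<script src="//{req["headers"]["Host"]}/resources/js/tracking.js"></script>'

class Cache:
    """Caches by method, Host and path, plus any headers named in key_headers."""
    def __init__(self, origin, key_headers=()):
        self.origin, self.key_headers, self.store = origin, tuple(key_headers), {}

    def key(self, req):
        base = (req["method"], req["headers"]["Host"], req["path"])
        return base + tuple(req["headers"].get(h, "") for h in self.key_headers)

    def fetch(self, req):
        """Returns (body, "hit"|"miss"), like the X-Cache header in the write-up."""
        k = self.key(req)
        if k in self.store:
            return self.store[k], "hit"
        body = self.origin(req)
        self.store[k] = body
        return body, "miss"

def request(host, forwarded_host=None, path="/"):
    headers = {"Host": host}
    if forwarded_host:
        headers["X-Forwarded-Host"] = forwarded_host
    return {"method": "GET", "path": path, "headers": headers}

def victim_sees(cache):
    """Attacker's crafted request is cached first; then a normal user requests the page."""
    cache.fetch(request("vulnerable.example", forwarded_host="attacker.website"))
    return cache.fetch(request("vulnerable.example"))

if __name__ == "__main__":
    for label, c in [("unkeyed header", Cache(reflecting_origin)),
                     ("header in key", Cache(reflecting_origin, ("X-Forwarded-Host",))),
                     ("origin ignores header", Cache(hardened_origin))]:
        body, state = victim_sees(c)
        print(f"{label:22} X-Cache: {state:4} {body}")
```

Only the first configuration serves the attacker-controlled script URL from cache; a real cache would express the second fix with a Vary header or an explicit cache-key rule, and the third is the more robust one because it removes the reflection entirely.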


Going to the exploit server.

Creating the payload.


Add X-Forwarded-Host: attacker.website to the request.
Then send the request twice, so that the second response is served from the cache.


The lab is solved.

https://viblo.asia/p/web-cache-poisoning-reborn-by-james-kettle-yMnKMMXEK7P
https://viblo.asia/p/web-cache-poisoning-lo-hong-dau-doc-bo-nho-cache-phan-1-018J2M5a4YK
https://viblo.asia/p/web-cache-poisoning-lo-hong-dau-doc-bo-nho-cache-phan-2-EvbLb5koJnk
    Use the Param Miner extension to detect unkeyed values.
    Varnish Cache
https://viblo.asia/p/web-cache-poisoning-lo-hong-dau-doc-bo-nho-cache-phan-3-EoW4ombkLml
    Cache parameter cloaking
    Web cache -> XSS
https://viblo.asia/p/web-cache-poisoning-lo-hong-dau-doc-bo-nho-cache-phan-4-zOQJwAY0VMP
    Web cache -> DoS
    Because the original URL had already reached the character limit, the redirect to /login/?x=very-long-string adds an extra / character that exceeds the limit, so the system rejects it and returns an error response.
https://es-la.tenable.com/blog/identifying-web-cache-poisoning-and-web-cache-deception-how-tenable-web-app-scanning-can-help