Web Cache Deception Attack

WEB CACHE DECEPTION
ATTACK
Omer Gil

About me
• Omer Gil
• 28
• Married + Java
• PT team leader at EY
• Student
@omer_gil omergil.blogspot.com

About caching
Reverse Proxy
DMZ

About caching
Stylesheet.css
https://www.example.com/stylesheet.css

About caching
Stylesheet.css
Stylesheet.css

About caching
Stylesheet.css

About caching
Stylesheet.cssStylesheet.css

/nonexistent.css
Servers’ reactions
http://www.example.com/account.php
account.php
The Spanner: http://www.thespanner.co.uk/2014/03/21/rpo/
XSS Jigsaw: http://blog.innerht.ml/page/2/

Servers’ reactions
account.php
/nonexistent.csshttp://www.example.com/account.php

Getting down to business
“Hey, access
https://www.bank.com/account.do/stylesheet.css”
WAF!

The user browses to
https://www.bank.com/account.do/stylesheet.css

returns with the content of account.do
and the private page is cached

The attacker browses to
and gets the content of the user’s account.do page

Conditions
• Web cache functionality is set for the web application to cache static files
based on their extensions, disregarding any caching header.
• When accessing a page like
http://www.example.com/home.php/nonexistent.css, the web server will
return the content of home.php for that URL.
• Victim has to be authenticated while accessing the triggering URL.

Why the HELL #1
would a web application react like this?

Why the HELL #1
Django:
http://www.sampleapp.com/inbox/

Why the HELL #1
Django:
http://www.sampleapp.com/inbox/test.css
urls.py

Why the HELL #1
Django:
urls.py
http://www.sampleapp.com/inbox.css

Why the HELL #2
would a caching mechanism react like this?

Why the HELL #2
IIS ARR:
http://www.sampleapp.com/welcome.php/test.css

Why the HELL #2
Cloudflare:
• Eligibility phase
class, css, jar, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, docx, xls, xlsx, ps, pdf,
pls, ppt, pptx, tif, tiff, ttf, otf, webp, woff, woff2, svg, svgz, eot, eps, ejs, swf, torrent,
midi, mid
https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/
https://blogs.akamai.com/2017/03/on-web-cache-deception-attacks.html

Why the HELL #2
Cloudflare:
• Disqualification phase
‘Edge cache expire TTL’ to the rescue!

Why the HELL #2
Cloudflare:
https://blog.cloudflare.com/edge-cache-expire-ttl-easiest-way-to-override/

Mitigation
• Only cache files if their HTTP caching headers allow
• Store all static files in a designated directory
• Cache files by their content type
• Don’t accept this! http://www.example.com/home.php/non-existent.css.
Return 302 or 404 instead

THANKS
@omer_gil
Icon vectors created by Freepik.com
omergil.blogspot.com

Web Cache Deception Attack

More Related Content

What's hot(20)

Similar to Web Cache Deception Attack(20)

Recently uploaded(20)

Web Cache Deception Attack