Hi there!
If you have not read the first topic in this category, I recommend reading that first, as it will give you a better idea of the pattern.
Second Topic - Web Cache Attacks
As I started exploring these topics in detail, I mostly focused on web cache deception and web cache poisoning attacks.
Web Cache Deception Attacks
Resources
- https://www.youtube.com/watch?v=mroq9eHFOIU (Black Hat talk by Omer Gil)
- https://portswigger.net/daily-swig/path-confusion-web-cachedeception-threatens-user-information-online (PortSwigger Daily Swig reference)
- https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/cache-deception.md (HackTricks reference)
- https://arxiv.org/pdf/1912.10190.pdf (Nice paper on WCD vulnerabilities in the wild)
- https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/ (How Cloudflare's cache works)
Tools
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/airachnid-web-cache-deception-burp-extender/ (Burp Suite extender for web cache deception)
Variations on Different Path
example.com/account.php/nonexistent.css
example.com/account.php%0Anonexistent.css
example.com/account.php%3Bnonexistent.css
example.com/account.php%23nonexistent.css
example.com/account.php%3Fname=valnonexistent.css
Web Cache Attacks
Resources
- https://portswigger.net/web-security/web-cache-poisoning (PortSwigger learning material)
- https://www.youtube.com/watch?v=j2RrmNxJZ5c (Black Hat talk on Web Cache Poisoning by James Kettle)
- https://www.youtube.com/watch?v=bDxYWGxuVqE&t=1983s (Black Hat talk on Web Cache Entanglement by James Kettle)
Labs
- https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws (PortSwigger Labs)
- https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws (PortSwigger Labs)
- https://poison.digi.ninja (Nice labs by Robin Wood based on the paper Practical Web Cache Poisoning by James Kettle)
Tools
- https://github.com/PortSwigger/param-miner (Burp Suite extender for web cache attacks; all the attacks are explained in the talk and whitepaper by James Kettle)
Headers for Web Caching
X-Forwarded-Host: example.com
X-Host: example.com
X-Forwarded-Scheme: ftp
X-Forwarded-Server: example.com
X-Original-Header: example.com
X-Original-Url: /path
X-Rewrite-Url: /path
X-Forwarded-Proto: ftp
X-HTTP-Host-Override: POST
Other links that were useful in solving the labs
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching (Caching HTTP headers)
- https://github.com/cure53/DOMPurify (PortSwigger Labs)
- https://www.youtube.com/watch?v=28xWcRegncw (DEF CON path normalisation talk by Orange Tsai)
- https://httpd.apache.org/docs/trunk/vhosts/ip-based.html (DigiNinja Labs)
- https://httpd.apache.org/docs/trunk/vhosts/name-based.html (DigiNinja Labs)
Feel free to drop any suggestions via my social handles.
Thanks for reading!