Cache poisoning

Introduction presentation about web cache poisoning attacks

Published in: Technology
  1. Cache Poisoning
     alexandra.lacatus@info.uaic.ro
     FCS Iasi, Software Security
  2. Overview
     • Intro Web Cache poisoning
     • Related Attacks
     • About HTTP Response Splitting
     • Attack scenario
     • Practical considerations
     (Software Security, FCS Iasi, 2013-2014)
  3. About Web Cache poisoning
     • Domain pioneered by Amit Klein, formerly Director of Security and Research at Sanctum, Inc.
     • Allows an attacker to place malicious content on a shared cache server (such as a proxy server)
     • All users of that cache will continue to receive the malicious content until the cache entry is purged.
  4. Related attacks & vulnerabilities
     • Web Cache poisoning is based on HTTP Response splitting. The attacker must find a web resource vulnerable to HTTP response splitting and exploit that vulnerability.
     • Cross-User Defacement is also possible, by placing malicious web content for a specific user and stealing sensitive information
  5. HTTP Response Splitting
     • Forcing an originator of HTTP messages to emit 2 (or more) valid (RFC-compliant) messages instead of one.
     • The result of the application's failure to reject illegal user input (malicious/unexpected CR & LF characters, found especially in Location and Set-Cookie headers)
  6. Response Splitting Example [5]
     • JSP page (say http://www.the.site/welcome.jsp?lang=...)
       <% response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang")); %>
     • Normal request: http://www.the.site/welcome.jsp?lang=Romanian
     • Normal response:
       HTTP/1.0 302 Redirect
       Location: http://www.the.site/by_lang.jsp?lang=Romanian
       Connection: Keep-Alive
       Content-Length: 0
  7. Example – continued [5]
     • Attack request
       http://www.the.site/welcome.jsp?lang=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>
     • Response (actually, 2 responses and some change):
       HTTP/1.0 302 Redirect                               <-- interpreted as Response #1
       Location: http://www.the.site/by_lang.jsp?lang=Foo
       Connection: Keep-Alive
       Content-Length: 0

       HTTP/1.0 200 OK                                     <-- interpreted as Response #2 (injected by the attacker!)
       Content-Type: text/html
       Content-Length: 20

       <html>Gotcha!</html>
       Connection: Keep-Alive                              <-- superfluous data, does not conform to the HTTP standard
       Content-Length: 0
       ...
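To see the "2 responses and some change" from the cache's side, here is an added Python example (not code from the presentation) that frames a byte stream the way a simple Content-Length-based proxy or cache does. RAW_RESPONSE is a constructed copy of the split response shown on this slide; the framing rules (status line, headers up to the blank line, then Content-Length bytes of body) are an assumption about the intermediary, not something the slides specify.

```python
import re

# Constructed reproduction of the slide's split response (not captured traffic):
# the 302 whose Location came from "lang", the injected 200, then leftover headers.
RAW_RESPONSE = (
    b"HTTP/1.0 302 Redirect\r\n"
    b"Location: http://www.the.site/by_lang.jsp?lang=Foo\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"<html>Gotcha!</html>"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def split_responses(stream: bytes):
    """Frame `stream` into HTTP messages: status line, headers up to the blank
    line, then exactly Content-Length bytes of body (assumed proxy behaviour).
    Returns (messages, leftover); leftover is whatever did not frame as a message."""
    messages = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break                      # no complete header block left
        head = stream[pos:head_end].decode("latin-1").split("\r\n")
        status_line, header_lines = head[0], head[1:]
        if not re.match(r"HTTP/\d\.\d \d{3}", status_line):
            break                      # not a status line: the rest is junk
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:
            break                      # truncated body: stop framing
        messages.append({"status": status_line, "headers": headers, "body": body})
        pos = body_start + length
    return messages, stream[pos:]
```

Calling split_responses(RAW_RESPONSE) yields two framed messages (the legitimate 302 and the injected 200 with body "<html>Gotcha!</html>") plus the leftover "Connection: Keep-Alive ..." bytes the slide marks as superfluous; whichever request the intermediary pairs with the second message is what gets cached.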
  8. Cache Poisoning Attack
     Difficult to carry out in a real environment (many conditions and prerequisites):
     1) Find a web resource vulnerable to HTTP Response Splitting
     2) Force the cache server to flush the actual cache content (Pragma: no-cache or Cache-Control)
     3) Send a specially crafted request, as on the previous slide
     4) Send the next request (poisoned resource). The injected Response #2 from Step #3 will serve as the response to it and will be stored by the shared web cache server
  9. Attacker - Practical Aspects [4]
     • Maintain the poisoned resource: Last-Modified header with a future time value; send the cache poisoning attack every x minutes?
     • Execute all requests immediately one after another
     • Take into account the URI length (GET / POST)
     • Attack scenario depends on the web server implementation (Microsoft ASP, Jakarta Tomcat, IBM WebSphere etc.): where does the second message start?
  10. Victims - Practical Aspects [4]
     • Web application developers: VALIDATE INPUT!! Remove CRs and LFs before embedding data in HTTP response headers (Location and Set-Cookie especially)
     • Web application engine vendors: disallow CR & LF characters in all HTTP response headers (requirement of RFC 2616)
     • Proxy vendors: avoid sharing a server TCP connection among different clients / virtual hosts
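An added Python illustration (not the presentation's code) of the first two recommendations on this slide: an application-level fix that strips CR/LF and percent-encodes the parameter before it reaches the Location header (the encoding step goes slightly beyond the slide's "remove CRs and LFs"), and an engine-level header setter that refuses any header containing CR or LF. HOSTILE_LANG is a constructed, URL-decoded version of the "lang" value from slide 7; naive_location mirrors the concatenation in the slide 6 JSP.

```python
import re
from urllib.parse import quote

CRLF = re.compile(r"[\r\n]")

# Constructed: what request.getParameter("lang") returns for the slide 7 request
# once the %0d%0a sequences are URL-decoded.
HOSTILE_LANG = "Foo\r\nConnection: Keep-Alive\r\nContent-Length: 0\r\n\r\nHTTP/1.0 200 OK"


def strip_crlf(value: str) -> str:
    """Developer-side rule: remove CR and LF before the value touches a header."""
    return CRLF.sub("", value)


def naive_location(lang: str) -> str:
    """Same shape as the slide 6 JSP: raw parameter concatenated into the header."""
    return "/by_lang.jsp?lang=" + lang


def redirect_location(lang: str) -> str:
    """Hardened redirect target: CR/LF removed, then percent-encoded so no byte
    that can terminate a header line survives (safe="" also encodes '/')."""
    return "/by_lang.jsp?lang=" + quote(strip_crlf(lang), safe="")


def set_header(headers: dict, name: str, value: str) -> None:
    """Engine-side rule: reject CR/LF in any header name or value, whatever the
    application did upstream (the RFC 2616 requirement the slide refers to)."""
    if CRLF.search(name) or CRLF.search(value):
        raise ValueError(f"CR/LF rejected in header {name!r}")
    headers[name] = value


def build_redirect(lang: str) -> bytes:
    """Serialize the 302 from slide 6 using the hardened Location value."""
    headers = {}
    set_header(headers, "Location", redirect_location(lang))
    set_header(headers, "Connection", "Keep-Alive")
    set_header(headers, "Content-Length", "0")
    lines = ["HTTP/1.0 302 Redirect"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")
```

With the naive concatenation, set_header raises on the hostile value; with redirect_location the serialized response contains exactly one status line, so there is nothing for a cache to pair with a second request.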
  11. Bibliography
     1) OWASP page for Web cache poisoning
        https://www.owasp.org/index.php/Cache_Poisoning
     2) OWASP page for HTTP Response Splitting
        https://www.owasp.org/index.php/HTTP_Response_Splitting
     3) OWASP Testing Guide v3 (section 4.8.15, Testing for HTTP Splitting/Smuggling, pages 278-281)
     4) Amit Klein, HTTP Response Splitting, Web Cache Poisoning Attacks a
     5) Amit Klein, HTTP Message Splitting, Smuggling and Other Animals, OWASP AppSec Europe, 2006
     6) China's Great Firewall spreads overseas
        http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas