Slide 1

Slide 1 text

Web Cache Attacks
Saurabh Tiwari

Slide 2

Slide 2 text

What Is a Web Cache?

The purpose of the cache is to reduce the response time of the web server.

Slide 6

Slide 6 text

What Are Cache Keys?

• Whenever a cache receives a request for a resource, it has to check whether it already holds a copy to reply with or whether it has to forward the request to the respective server.
• Because this check is tricky, a few components of the HTTP request are used as the request's identity; these are called the cache key.
• If the cache key of an incoming request matches the key of a previous request, the cache considers the two requests equivalent.

Slide 7

Slide 7 text

What Are Unkeyed Headers?

Slide 8

Slide 8 text

Impact of Web Cache Poisoning: DoS, XSS & More!

Slide 10

Slide 10 text

Countermeasures against Web Cache Poisoning

Implementing effective countermeasures is crucial in defending your website against web cache poisoning attacks.

• Cache key normalization: Normalizing cache keys can help prevent variations due to input formatting or case sensitivity.
• Validate user input: Implementing strict input validation and sanitization techniques can prevent injection attacks that can lead to cache poisoning. These techniques include input filtering, parameter safelisting, and regular expression checks.
• Cache-control headers: Cache-control headers help enforce caching behavior and mitigate risks. For example, using headers like “no-store” and “no-cache” can prevent the caching of sensitive data.
• Use web application firewalls (WAF): Deploying a robust WAF can help detect and block cache poisoning attempts. WAFs analyze incoming requests and identify suspicious patterns that indicate cache poisoning. We can configure the WAF to alert or block these requests to provide an additional layer of defense against such attacks.

Slide 20

Slide 20 text

Conditions:

1. Web cache functionality is set for the web application to cache files by their extensions, disregarding any caching header.
2. When accessing a page like http://www.example.com/home.php/non-existent.css, the web server will return the content of "home.php" for that URL.
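
The two conditions above are the preconditions for web cache deception. The following is an added example, not part of the original slides: it compares a cache rule that decides by extension alone (condition 1) with a hardened rule that honors Cache-Control and requires the Content-Type to match the extension. The function names, the `STATIC_TYPES` table and the sample origin are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed static extensions and the Content-Type each should carry (illustrative).
STATIC_TYPES = {".css": "text/css", ".js": "application/javascript", ".png": "image/png"}

def extension_of(url):
    """Return the lowercase extension of the last path segment."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()

def weak_should_cache(url, headers):
    """Condition 1: cache by extension and disregard any caching header."""
    return extension_of(url) in STATIC_TYPES

def hardened_should_cache(url, headers):
    """Cache only if the origin permits it and Content-Type matches the extension."""
    ext = extension_of(url)
    if ext not in STATIC_TYPES:
        return False
    directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
    if directives & {"no-store", "no-cache", "private"}:
        return False
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return content_type == STATIC_TYPES[ext]

def origin_response(url):
    """Constructed origin for condition 2: path info after home.php is ignored."""
    path = urlsplit(url).path
    if path == "/home.php" or path.startswith("/home.php/"):
        return {"Content-Type": "text/html; charset=utf-8",
                "Cache-Control": "no-store, private"}
    if path == "/static/site.css":
        return {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"}
    return {"Content-Type": "text/html", "Cache-Control": "no-store"}

def evaluate(url):
    """Return (weak decision, hardened decision) for the origin's response."""
    headers = origin_response(url)
    return weak_should_cache(url, headers), hardened_should_cache(url, headers)

if __name__ == "__main__":
    for url in ("http://www.example.com/home.php/non-existent.css",
                "http://www.example.com/static/site.css",
                "http://www.example.com/home.php"):
        print(url, evaluate(url))
```

The extension-only rule stores the personalized "home.php" response under the `.css` URL, while the hardened rule rejects it and still caches the genuine stylesheet.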

Slide 23

Slide 23 text

About Me

• Saurabh Tiwari
• 22
• IT Security Analyst @ MobiTrail Org.
• Pentester @ One of the World’s Largest E-Payment Services
• Student
• One of the Moderators of BreachForce Community

Slide 24

Slide 24 text

THANKS | linkedin.com/in/saurabh-tiwari-5315801b5 @Zodiac_Minati