Behind the Scene: Web Cache Deception Attack
2021-06-30 13:29:08
Author: infosecwriteups.com
Hey Cyberpunks, I hope you all are doing good, and if not, then I am here to make your life a bit easier: you can exploit this (not so easy) vulnerability 😜 and earn bounties. You already know the topic, so without wasting any time let’s dive straight into it.
Note: I will keep the topic as simple as possible and try to explain it in layman’s language, so that you’ll be able to grasp the roots of the vulnerability, find those bugs in your targets to make them more secure, and earn bounties.
This is a type of attack that affects web frameworks and caching mechanisms. Put simply, it is an attack where an attacker can expose the private information of a user or even leverage it for account takeover.
We all know that websites use a cache mechanism to reduce web server latency, so that the user can access content much faster and the server is spared from fetching the same details again and again.
Though there are several ways to implement caching, here we’ll take a look at the two most common techniques.
Files that are commonly cached are static and public files:-
Style sheets (css)
Scripts (js)
Text Files (txt)
Images (bmp,gif,png etc.)
Caching on Browsers
Understand the concept through a simple flow:-
File cached on the browser -> Browser will not request that particular file from the server -> Latency reduced. This type is not relevant to the deception attack.
Caching on Server
This is of interest to us, as it is relevant for this type of attack. The service can be provided by:-
Load Balancer:- Though its role is to balance the traffic among the servers behind it, it can also cache content to reduce server latency.
Reverse proxy:- It fetches the content from the web server on behalf of the client and caches the content.
CDN (Content Delivery Network):- Basically a network of several proxies whose role is to serve the content faster.
Okay, so enough of theory. But it is important to understand the #BehindtheScene.
I will simplify it for you by breaking it down into simpler steps:-
You append any css/txt/image or js file name to the URL (as explained earlier, these are commonly cached file types).
Now I specify my image, let’s say hackers.png, as www.ethicalkaps.com/profile.php/hackers.png. The request arrives at the proxy, which is not familiar with this file, so the proxy asks the server to fetch it.
When you load this URL (let’s analyze #BehindtheScene), the browser sends a GET request to it. Now, depending upon the server technology being used, it may return a 200 OK response along with the content of www.ethicalkaps.com/profile.php, while the URL stays the same.
Now our caching mechanism (in this case our proxy) receives the file, sees that the URL ends with hackers.png, and stores the content in the cache.
Now, if an attacker accesses www.ethicalkaps.com/profile.php/hackers.png, the request arrives at the proxy server, which directly returns the victim’s cached profile page, i.e. he’ll receive the content of profile.php, which may contain sensitive data.
Two conditions must hold for this to work:-
The victim must be authenticated while accessing the vulnerable URL.
The web cache is configured to cache files by their extensions (such as .js, .txt, .css, etc.).
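To make the flow above concrete, here is a small simulation added for this article (not the author’s code, and not a real proxy): a hypothetical origin that renders profile.php for any path under /profile.php/, behind a proxy that caches by URL extension. The vulnerable proxy decides purely on the extension; the hardened variant additionally honours the origin’s Cache-Control: no-store and refuses to cache an HTML body under an image name. All paths, the session cookie and the profile body are constructed sample values.

```python
from dataclasses import dataclass, field

CACHED_EXTENSIONS = (".css", ".js", ".txt", ".png", ".gif", ".bmp")  # per the article

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

def origin(path: str, cookie: str = "") -> Response:
    """Hypothetical origin: /profile.php/<anything> still renders profile.php."""
    if path == "/profile.php" or path.startswith("/profile.php/"):
        if cookie == "session=victim":  # constructed session cookie
            return Response(200, "Profile of victim: email victim@example.com",
                            {"Content-Type": "text/html", "Cache-Control": "no-store"})
        return Response(302, "redirect to /login", {"Location": "/login"})
    return Response(404, "not found")

@dataclass
class Proxy:
    respects_headers: bool  # False: cache purely by URL extension (vulnerable)
    cache: dict = field(default_factory=dict)

    def cacheable(self, path: str, resp: Response) -> bool:
        if resp.status != 200 or not path.endswith(CACHED_EXTENSIONS):
            return False
        if not self.respects_headers:
            return True  # vulnerable: the extension alone decides
        # Hardened: honour the origin's no-store and refuse to cache HTML as an image
        cc = resp.headers.get("Cache-Control", "")
        ctype = resp.headers.get("Content-Type", "")
        return "no-store" not in cc and not ctype.startswith("text/html")

    def get(self, path: str, cookie: str = "") -> Response:
        if path in self.cache:
            return self.cache[path]  # hit: served to anyone, cookie never checked
        resp = origin(path, cookie)
        if self.cacheable(path, resp):
            self.cache[path] = resp
        return resp

def scenario(respects_headers: bool) -> str:
    """Victim loads the deceptive URL while logged in; attacker fetches it next."""
    proxy = Proxy(respects_headers)
    url = "/profile.php/hackers.png"
    proxy.get(url, cookie="session=victim")  # the victim's authenticated load
    return proxy.get(url).body  # an unauthenticated request for the same URL
```

With the extension-only proxy the second, cookie-less request is served the victim’s profile from cache; with header checks in place the private page is never stored and the second request gets the login redirect instead.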
Note:- This attack is not limited to only this methodology. There are different web frameworks and caching mechanisms that allow an attacker to perform this deception attack.
So, this is it for this article. I hope you enjoyed it. I will come back to you with another #BehindtheScene. Till then, take care and keep hunting for good. Keep digging and learning new stuff.