Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

ChatGPT Account Takeover - Wildcard Web Cache Deception - 1346

Harel, posted 2 years ago
  • Last year, a web cache deception vulnerability was discovered in ChatGPT. Anything whose path ended in a particular file extension was cached, while the backend resolved paths fuzzily, so the two views of the URL did not agree. Combining the two made it possible to get a credential file cached for a particular user just by having them click a link. So, this was fixed, but how well?
  • The author was testing a new share feature that let users share their chats with others. They noticed that the shared chat wouldn't update when the underlying chat did. A caching issue, maybe? They saw a Cf-Cache-Status: HIT header on the response, which made them think something was off. After playing around with the requests, they realized that anything under /share/ was being cached by Cloudflare.
  • Before a request reached the web server, the CDN (Cloudflare) processed it and made the caching decision based on the configured rules. From messing around with it, they noticed that a URL-encoded path was NOT decoded by Cloudflare but WAS decoded by the origin server. This desync between the two parsers allows for some weirdness: what if Cloudflare could be made to think the response was for /share/ (and so cache it) while the origin actually served it from a different path?
  • This is what the author came up with:
    https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123
  • The %2F..%2F after /share/ is decoded by the backend server but NOT by the CDN. So the CDN thinks we're under /share/ while the backend resolves the path to something else. By making that something else the /api/auth/session path, this recreates the same web cache deception vulnerability as before. The author has a really good image describing how the flow of this attack works to steal session information by forcing a response to be cached that shouldn't be.
  • Overall, I absolutely love this bug! It's interesting to see how things are cached. I wonder if there's a tool to figure out where caches live that could be added to Burp Suite?
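The bug above comes down to two components disagreeing about what a path means: the CDN matches its cache rule against the raw path, the origin decodes and normalizes before routing. The following is an added example, not code from the original post or from Cloudflare or OpenAI; it models that disagreement in plain Python and shows the defensive checks that close it: a cache rule that only fires when both views agree, a log scan that flags requests where they do not, and origin headers that mark session endpoints uncacheable regardless of the CDN's rule. The prefixes, the normalization model and the sample log paths are constructed for illustration.

```python
"""Added example: model of a CDN/origin path-normalization desync and its defences.

Assumptions (constructed for illustration, not any vendor's real code):
- The CDN decides cacheability from the *raw* request path prefix.
- The origin percent-decodes the path and resolves '.' / '..' segments before routing.
"""
from urllib.parse import unquote

CACHEABLE_PREFIXES = ("/share/",)       # CDN rule: publicly shared chats are cacheable
SENSITIVE_PREFIXES = ("/api/auth/",)    # origin routes that must never be cached


def origin_normalize(raw_path: str) -> str:
    """Model the origin's routing view: percent-decode, then remove dot segments.

    unquote() turns %2F into '/', so '/share/%2F..%2Fapi/x' decodes to
    '/share//..//api/x', and the '..' then pops 'share', leaving '/api/x'.
    """
    decoded = unquote(raw_path)
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                    # collapse empty and '.' segments
        if seg == "..":
            if segments:
                segments.pop()          # '..' removes the previous segment
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_cdn_cacheable(raw_path: str) -> bool:
    """The weak rule: a prefix match on the raw, un-normalized path."""
    return raw_path.startswith(CACHEABLE_PREFIXES)


def hardened_cdn_cacheable(raw_path: str) -> bool:
    """Cache only when the raw path and the origin's normalized view agree on the
    prefix, the normalized path is not a sensitive route, and the raw path carries
    no encoded '/' or '.' that could shift routing between the two parsers."""
    normalized = origin_normalize(raw_path)
    if not raw_path.startswith(CACHEABLE_PREFIXES):
        return False
    if not normalized.startswith(CACHEABLE_PREFIXES):
        return False
    if normalized.startswith(SENSITIVE_PREFIXES):
        return False
    lowered = raw_path.lower()
    return "%2f" not in lowered and "%2e" not in lowered


def detect_desync(raw_path: str) -> bool:
    """Detection over access-log paths: True when the CDN's prefix view says
    'cacheable' but the origin's normalized view leaves the cacheable prefix.
    That disagreement is the precondition for this class of cache deception."""
    return naive_cdn_cacheable(raw_path) and not origin_normalize(
        raw_path
    ).startswith(CACHEABLE_PREFIXES)


def scan_log_paths(paths):
    """Return the raw request paths (query string ignored) that exhibit the desync."""
    return [p for p in paths if detect_desync(p.split("?", 1)[0])]


def origin_cache_headers(raw_path: str) -> dict:
    """Defence in depth at the origin: session endpoints declare themselves
    uncacheable, so a CDN that misjudges the URL still must not store them."""
    if origin_normalize(raw_path).startswith(SENSITIVE_PREFIXES):
        return {"Cache-Control": "private, no-store"}
    return {"Cache-Control": "public, max-age=300"}


# Constructed sample access-log paths; the second has the shape shown in the post.
SAMPLE_LOG_PATHS = [
    "/share/abc123",
    "/share/%2F..%2Fapi/auth/session?cachebuster=123",
    "/api/auth/session",
]

if __name__ == "__main__":
    for p in SAMPLE_LOG_PATHS:
        path = p.split("?", 1)[0]
        print(f"{p}\n  origin sees: {origin_normalize(path)}"
              f"\n  naive cacheable: {naive_cdn_cacheable(path)}"
              f"\n  hardened cacheable: {hardened_cdn_cacheable(path)}"
              f"\n  desync flagged: {detect_desync(path)}")
```

Running the block shows the shared-chat path cached under both rules, while the encoded traversal path is cached by the naive rule but refused by the hardened one and flagged by the log scan. The point of `origin_cache_headers` is that the fix should not live only in the CDN's URL matching: a `Cache-Control: private, no-store` on the session endpoint means the response stays uncacheable even if a new parser disagreement is found later.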