Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Web Cache Deception - 156

Omer Gil - Posted 6 Years Ago
  • Some web server configurations will serve content based upon a regex matched URL, not necessarily the entire URL that was entered. For example, https://example.com/content.php and https://example.com/content.php/type.css may still return the content.php page.
  • Additionally, caching is used on lots of files in order to speed up the process of returning files to users. In particular, static files, such as CSS, JavaScript and other things, get cached.
  • The combination of points 1 and 2 can cause an issue: what happens if the URL is accepted with a static file at the end and this is cached? Because the caching server relies on the file ending and not the content type, this may be cached!
  • So, what does this actually mean? The attack scenario looks like this...
    1. Convince an authenticated user of some important site to visit https://example.com/content.php/styles.css, where content.php is a page that has sensitive information.
    2. Request the page yourself. Because the page requested was a .css file, it is cached on the server with the personal content of the user, and the cached copy is what comes back.
  • When is this attack possible? Several conditions have to be met:
    • The cache stores files based upon their extension, for static extensions, regardless of caching headers.
    • The web page returns the content of content.php even with the other values in the URL.
    • The page needs to be on an authenticated part of the website.
  • Overall, this is an amazing attack that abuses novel features within two aspects of a website that have no security issues otherwise.
  • As a final note, it appears that several people have started looking into issues of different technologies working together (this and HTTP Request Smuggling). So, if you are looking for a research topic, diving into something similar may be a good path!
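
The first two conditions above, as an added example (not code from the original article or from any cache product): a cache decision keyed on the URL extension alone, next to one that also honours Cache-Control and requires the Content-Type to match the extension. The function names, the extension table and the sample responses are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed table: static extensions and the media types they should carry.
STATIC_TYPES = {
    ".css": {"text/css"},
    ".js": {"application/javascript", "text/javascript"},
    ".png": {"image/png"},
}

def _extension(url):
    """Extension of the last path segment, ignoring query and fragment."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()

def naive_should_cache(url, headers):
    """Weak rule from the write-up: cache anything with a static extension."""
    return _extension(url) in STATIC_TYPES

def hardened_should_cache(url, headers):
    """Cache only if the origin permits it and the body type fits the extension."""
    h = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().split("=")[0].lower()
                  for d in h.get("cache-control", "").split(",")}
    if directives & {"no-store", "private", "no-cache"}:
        return False  # origin marked the response as not shareable
    if "set-cookie" in h:
        return False  # per-user response
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    return media_type in STATIC_TYPES.get(_extension(url), set())

# Constructed sample responses: (requested URL, origin response headers).
SAMPLES = [
    ("https://example.com/content.php/styles.css",
     {"Content-Type": "text/html; charset=utf-8",
      "Cache-Control": "private, no-store"}),
    ("https://example.com/static/styles.css",
     {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"}),
]

def audit(samples):
    """URLs the weak rule would cache but the hardened rule refuses."""
    return [u for u, h in samples
            if naive_should_cache(u, h) and not hardened_should_cache(u, h)]

if __name__ == "__main__":
    for url in audit(SAMPLES):
        print("would be cached by extension only:", url)
```

Running `audit` over recorded origin responses for URLs of this shape shows which pages an extension-only cache rule would store despite the origin's headers.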