Web caches sit between the user and the application server and keep copies of certain responses so they can be served again without a round trip to the origin. This is done to make load times faster for users (and to cut load on the server).
Caching the right material is hard to do properly because a cache cannot simply match requests byte for byte. Little items, such as the User-Agent, change from request to request yet normally do not matter for the response. This is why a cache key is defined, normally the host plus the path and query string, so the cache knows WHAT to treat as the same request; everything else in the request is unkeyed and is ignored when the cache decides which stored response to hand back.
The basis of this attack is to find a value that is unkeyed yet still changes the response: whatever that value produces will be cached and sent to other users. This is known as a cache poisoning attack. Luckily, for finding these unkeyed inputs, a Burp Suite extension was made, called Param Miner.
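To make the key/unkeyed distinction concrete, here is an added example (not code from the PortSwigger article or from Param Miner) in Python. It models a cache that keys only on method, host and path+query, an origin that trusts X-Forwarded-Host when building an absolute URL for a meta tag, and a Param Miner-style probe: a cache buster isolates each test, a canary value shows whether a header is reflected, and a second request without the header shows whether the poisoned copy is now served to everyone. The hostnames, the `og:image` tag and the cache-control policy are constructed for the example.

```python
"""Toy cache + origin showing how an unkeyed header poisons a cached page.
Added example: not code from the PortSwigger article, Param Miner or this post.
"""


class VulnerableOrigin:
    """Constructed origin: builds an absolute URL from X-Forwarded-Host,
    falling back to Host, and echoes it into a meta tag."""

    def handle(self, req):
        host = req["headers"].get("x-forwarded-host", req["headers"]["host"])
        body = (f'<meta property="og:image" content="https://{host}/img/logo.png">'
                "<h1>Home</h1>")
        return {"status": 200,
                "headers": {"cache-control": "public, max-age=60"},
                "body": body}


class HardenedOrigin:
    """Fix: absolute URLs are built from a configured canonical host only."""

    CANONICAL_HOST = "example.com"  # assumed deployment configuration

    def handle(self, req):
        body = (f'<meta property="og:image" content="https://{self.CANONICAL_HOST}/img/logo.png">'
                "<h1>Home</h1>")
        return {"status": 200,
                "headers": {"cache-control": "public, max-age=60"},
                "body": body}


class Cache:
    """Keys on (method, host, path+query); every other header is unkeyed."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    @staticmethod
    def key(req):
        return (req["method"], req["headers"]["host"].lower(), req["target"])

    def fetch(self, req):
        k = self.key(req)
        if k in self.store:
            return dict(self.store[k], x_cache="HIT")
        resp = self.origin.handle(req)
        if "public" in resp["headers"].get("cache-control", ""):
            self.store[k] = resp
        return dict(resp, x_cache="MISS")


def request(target, **headers):
    """Build a GET request; header names are given with '_' for '-'."""
    h = {"host": "example.com"}
    h.update({k.lower().replace("_", "-"): v for k, v in headers.items()})
    return {"method": "GET", "target": target, "headers": h}


def find_unkeyed_headers(cache, path, candidates, canary="canary.attacker.invalid"):
    """Param Miner-style probe. Returns the candidate headers that are
    reflected into the body AND served from cache to a request that did
    not send them, i.e. the ones that are poisonable."""
    found = []
    for i, name in enumerate(candidates):
        buster = f"{path}?cb={i}"  # unique cache key so probes do not collide
        probe = cache.fetch(request(buster, **{name: canary}))
        if canary not in probe["body"]:
            continue  # header does not influence the response
        clean = cache.fetch(request(buster))  # a "victim" without the header
        if clean["x_cache"] == "HIT" and canary in clean["body"]:
            found.append(name)
    return found


def poison(cache, path, evil_host):
    """Seed the cache entry for `path` with an attacker-chosen host, then
    return what the next ordinary user receives."""
    cache.fetch(request(path, x_forwarded_host=evil_host))
    return cache.fetch(request(path))


if __name__ == "__main__":
    cache = Cache(VulnerableOrigin())
    print(find_unkeyed_headers(cache, "/", ["x-forwarded-host", "user-agent"]))
    victim = poison(cache, "/", 'evil.example"><script>alert(1)</script><a href="')
    print(victim["x_cache"], victim["body"])
    print(find_unkeyed_headers(Cache(HardenedOrigin()), "/", ["x-forwarded-host"]))
```

Note that the cache buster is what makes the probe safe to run against a live site: without it, the probe itself poisons the page that other users are fetching. Against the hardened origin the probe finds nothing, because the header no longer influences the body, which is the property to check for rather than hoping the cache adds the header to its key.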
Now, this sounds great from an attacker's perspective, but how can it actually be leveraged? Luckily for us, PortSwigger only posts articles with real-world implications!
Most of the examples used the X-Forwarded-Host header as the injection point. In particular, setting this header could be used for cache-poisoned XSS, DoS, or redirects. The first example created an XSS by injecting the header value into a meta tag. In another case, the X-Forwarded-Host value was written into a JSON blob that the page loaded, eventually allowing a DOM-based XSS.
A further example with the X-Forwarded-Host header was an arbitrary redirect on Facebook links via OpenGraph. By setting the X-Forwarded-Host header (and getting that response cached) it was possible to poison the links so they pointed back to an arbitrary address.
After abusing that one header, the author wanted to see what other headers changed the way an application behaves without being keyed. So he downloaded the top 20,000 PHP projects on GitHub and extracted the headers they read. From this, the author obtained many non-standard headers that caused strange effects.
First, he found X-Original-URL and X-Rewrite-URL, which allowed MANY PHP sites to change which page was being output! On Unity, this allowed cache poisoning that sent users to arbitrary pages.
On Pinterest (a Drupal bug), an unkeyed parameter in the URL, supplied through the X-Rewrite-URL header, changed where the user was sent.
Then, with an arbitrary redirect vulnerability in Drupal, it was possible to poison all redirects! Poisoning every redirect allowed a JS file that was loaded via a redirect to be compromised, since the poisoned redirect decided where the browser fetched the script from.
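The root of the X-Original-URL / X-Rewrite-URL problem is that the cache keys on the path in the request line while the application routes on the override header, so the two disagree. The following added example (Python, not code from the article or from any framework) models that mismatch and the fix of only honouring the override from a trusted reverse proxy. The trusted-proxy address, the client IP and the request are constructed for the example; the override behaviour is modelled on the two headers named above, not copied from a specific framework.

```python
"""Cache key vs. routed path when a path-override header is honoured.
Added example: not code from the PortSwigger article, Symfony, Drupal or this post.
"""
from urllib.parse import urlsplit

# Assumed deployment config: the only hop allowed to rewrite the routed path.
TRUSTED_PROXIES = {"10.0.0.5"}


def cache_key(req):
    """What a typical cache keys on: host plus the request-line path and query.
    The override headers are not part of it."""
    return (req["headers"]["host"].lower(), req["target"])


def _override(req):
    h = req["headers"]
    return h.get("x-original-url") or h.get("x-rewrite-url")


def routed_path_vulnerable(req):
    """Framework-style resolution that honours the override header from
    anyone (the behaviour the override headers above enable)."""
    override = _override(req)
    if override:
        return urlsplit(override).path
    return urlsplit(req["target"]).path


def routed_path_hardened(req):
    """Honour the override only when the request came from a trusted
    reverse proxy; everyone else is routed by the request line, which is
    exactly what the cache keyed on."""
    override = _override(req)
    if override and req["client_ip"] in TRUSTED_PROXIES:
        return urlsplit(override).path
    return urlsplit(req["target"]).path


def key_path_mismatch(req, resolver):
    """Return (cache_key, served_path, poisonable). `poisonable` is True when
    the cache will store, under the request-line key, a response that the
    application actually generated for a different path."""
    key = cache_key(req)
    served = resolver(req)
    return key, served, served != urlsplit(req["target"]).path


# Constructed attacker request: asks the cache for "/" but tells the
# application to render "/user/login" instead.
SAMPLE_ATTACKER_REQUEST = {
    "client_ip": "203.0.113.7",
    "target": "/",
    "headers": {"host": "example.com", "x-original-url": "/user/login?x=1"},
}


if __name__ == "__main__":
    print(key_path_mismatch(SAMPLE_ATTACKER_REQUEST, routed_path_vulnerable))
    print(key_path_mismatch(SAMPLE_ATTACKER_REQUEST, routed_path_hardened))
```

With the vulnerable resolver the cache stores the login page under the key for `/`, so every later visitor to the home page gets the login page (or, with a redirect target, gets sent wherever the attacker chose). The hardened resolver returns `/` for the same request, so the key and the served content agree; the same check applies to any header that changes routing, redirects or absolute URLs without being part of the cache key.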
As a heads up (mentioned in a follow-up article), X-Forwarded-Host was actually made useless for this attack on sites behind Cloudflare.