Monday, February 27, 2017

Web Cache Deception Attack

Did it ever cross your mind that accessing links such as https://www.paypal.com/myaccount/home/stylesheet.css or https://www.paypal.com/myaccount/settings/notifications/logo.png might expose your sensitive data, and even allow attackers to take control over your account?
Web cache deception is a new web attack vector that puts various technologies and frameworks at risk.

A few words about caching and reactions

1. Websites often tend to use web cache functionality (for example over a CDN, a load balancer, or simply a reverse proxy). The purpose is simple: store files that are often retrieved, to reduce latency from the web server.
Let's see an example of web cache. Website http://www.example.com is configured to go through a reverse proxy. A dynamic page that is stored on the server and returns personal content of users, such as http://www.example.com/home.php, will have to create it dynamically per user, since the data is different for each user. This kind of data, or at least its personalized parts, isn't cached.
What's more reasonable and common to cache are static, public files: style sheets (css), scripts (js), text files (txt), images (png, bmp, gif), etc. This makes sense because these files usually don't contain any sensitive information. In addition, as can be found in various best practices articles about web cache configuration, it's recommended to cache all static files that are meant to be public, and disregard their HTTP caching headers.

2. The web cache deception attack counts on similar browsers' and web servers' reactions, in the same way as the RPO attack, explained in http://www.thespanner.co.uk/2014/03/21/rpo/ and http://blog.innerht.ml/rpo-gadgets/:
What happens when accessing a URL like http://www.example.com/home.php/non-existent.css?
A GET request to that URL will be produced by the browser. The interesting thing is the server's reaction – how does it interpret the request URL? Depending on its technology and configuration (the URL structure might need to be built slightly different for different servers), the server returns the content of http://www.example.com/home.php. And yes, the URL remains http://www.example.com/home.php/non-existent.css. The HTTP headers will be the same as for accessing http://www.example.com/home.php directly: same caching headers and same content type (text/html, in this case).

Done with the introduction

What happens if we access http://www.example.com/home.php/non-existent.css, while web cache for static files is set on the proxy server, disregarding caching headers for this kind of file? Let's analyze this process:
  1. Browser requests http://www.example.com/home.php/non-existent.css.
  2. Server returns the content of http://www.example.com/home.php, most probably with HTTP caching headers that instruct to not cache this page.
  3. The response goes through the proxy.
  4. The proxy identifies that the file has a css extension.
  5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.


Oh.


Taking advantage of it

An attacker who lures a logged-on user to access http://www.example.com/home.php/logo.png will cause this page – containing the user's personal content – to be cached and thus publicly-accessible. It could get even worse, if the body of the response contains (for some reason) the session identifier, security answers or CSRF tokens. All the attacker has to do now is to access this page on his own and expose this data.


An anecdote

Usually websites don't require authentication to access their public static files. Therefore, the cached files are publicly-accessible – no authentication required.

Conditions

So basically, two conditions are required for this vulnerability to exist:
  1. Web cache functionality is set for the web application to cache files by their extensions, disregarding any caching header.
  2. When accessing a page like http://www.example.com/home.php/non-existent.css, the web server will return the content of "home.php" for that URL.

Mitigation

  1. Configure the cache mechanism to cache files only if their HTTP caching headers allow. That will solve the root cause of this issue.
  2. If the cache component provides the option, configure it to cache files by their content type.
  3. Configure the web server so that for pages such as http://www.example.com/home.php/non-existent.css, the web server doesn’t return the content of "home.php" with this URL. Instead, for example, the server should respond with a 404 or 302 response.

Web Cache Deception in PayPal – PII Exposure

PayPal was vulnerable to web cache deception. The vulnerability is now fixed and was publicly disclosed.

Information that could be leaked by exploiting this vulnerability:
- Users' first & last names
- Account balance
- Last four credit card digits
- Transactions data
- Full passport number
- Email address
- Home address
- Phone number
- Any additional information included in vulnerable pages

Examples for some of the vulnerable pages:

Various static file extensions could be used to cache pages on PayPal (more than 40). Among them:
aif, aiff, au, avi, bin, bmp, cab, carb, cct, cdf, class, css, doc, dcr, dtd, gcf, gff, gif, grv, hdml, hqx, ico, ini, jpeg, jpg, js, mov, mp3, nc, pct, ppc, pws, swa, swf, txt, vbs, w32, wav, wbmp, wml, wmlc, wmls, wmlsc, xsd, zip

Caching expiration
I've measured the time taken for the cached files to expire. It seems that after being accessed once (for the first time), a file is cached for ~5 hours. If it's accessed again during that time, the expiration time is extended. It's clear that this time period is more than enough for an attacker to "catch" the cached file on time before it expires, and by constantly monitoring this URL he can expose it as it's created.

Videos

Home page:


Settings page:


PayPal rewarded me with $3,000 for reporting this vulnerability.

User Hijacking via Web Cache Deception

I found this vulnerability in additional applications, which unfortunately cannot be disclosed to the public for different reasons (bummer, had some nice videos for that). In these applications, it was possible to take complete control over application users. This was possible because the session ID or security answers to recover a user's password were included in the HTML code of vulnerable pages. Big thanks to Sagi Cohen for the assistance.

IIS Demo

In the video below, a website is hosted on two web servers behind an IIS load balancer with Application Request Routing (ARR) installed.
A successful login redirects the users to the 'welcome.php' page, which contains their personal content. The load balancer is configured to cache all CSS files, and to disregard their caching headers.
An authenticated user accesses http://www.sampleapp.com/welcome.php/stylesheet.css. The IIS load balancer refers to the 'welcome.php' page as a directory, creates it in the cache directory, and caches 'stylsheet.css', which contains the user's private content.

34 comments:

  1. In the PayPal scenario, how did the proxy server even see the resources? Was it configured to do HTTPS interception and the client was configured to trust a dummy root certificate?

    ReplyDelete
  2. I guess the connection between the Client and the Proxy-Server is either HTTP or HTTPS. However, in order to cache the content, the connection between the Proxy-Server and the Web-Server must be HTTP. I was curious about this as well and it looks like you can build this kind of architecture with Pound (SSL-Wrapper and Reverse Proxy) which forwards decrypted HTTPS requests to a caching server (e.g. Varnish). Please correct me if explained anything wrong.

    ReplyDelete
  3. Nice vulnerability and well explained.

    ReplyDelete
  4. That's a great finding. Thank you for writing this blog post.

    ReplyDelete
  5. Great explanation, thanks for sharing

    ReplyDelete
  6. Great post. can I translate it on my blog?

    ReplyDelete
  7. Awesome attack. A Burp Extender is now available to make it easier to perform this attack: https://www.trustwave.com/Resources/SpiderLabs-Blog/Airachnid--Web-Cache-Deception-Burp-Extender/

    ReplyDelete
  8. I am trying to create a PoC on Web Cache Deception attack using apache as origin server and nginx as reverse proxy.
    As I see, by default nginx obeys cache-control headers sent from origin server.
    Therefore, inorder to create the PoC I have to make specific configurations to ignore the origin server's headers.

    I don't understand why would any one force the caching of static file extensions?
    In nginx, if you just set a rule to cache static files (like .jpg) and then hit the attack URL say http://www.xyz.com/personal.php/attack.jpg, even if the origin server sends the personal.php content, it also sends the related cache-control headers as you yourself have said.
    I have verified that these headers will be obeyed by nginx by default.
    Then that means for the Web Cache deception attack to be successful, the one doing the configuration has to have real low grade knowledge or may be he intentionally wants to let sensitive pages get cached.

    I understand the possibility of this attack in Akamai due to its Edge-Control header. But why the hell would any one set cache-control: no-cache, no-store headers for the static content like .jpg in the origin server and then try to overwrite it using the Edge-Control in reverse-proxy? Isn't it extra work?

    ReplyDelete
  9. Thank You for you post.TheShardBike is a bike shop in Dubai and Abu Dhabi. We sell bikes, bike accessories and components. We also offer bike repair and service. best electric bike

    ReplyDelete
  10. Welcome to the best and most famous KARACHI ESCORTS agency in Angels of Karachi. We are reviewed as the leading Escorts in Karachi because we have a huge and very large network all over Karachi and our Escort service is very reliable and fast than others.

    ReplyDelete
  11. Thanks for the great article and post. Need a servo voltage stabilizer manufacturers in india? Don’t go beyond servo star “A popular Isolation transformers which offers an extensive range of exceptional servo stabilizer. Feel Free to contact.

    ReplyDelete
  12. Thanks for the great article and post. Need a Industrial UPS? Don’t go beyond nexusups. “A popular Industrial UPS which offers an extensive range of exceptional Industrial UPS, and Online Online UPS Free to contact.

    ReplyDelete
  13. Anda Pencinta Games online ..?
    Kunjungi situs kami pakarbet

    1 Akun Bisa Bermain Sportsbook, Live Casino, Slot Online, poker Online, Ada Juga Live Roulette dan Sicbo Terbaik
    Menang berapa saja di bayar...
    Whatsapp : +85585824263

    Live Chat Pakarbet
    Panduan cara bermain judi online

    ReplyDelete
  14. Wow!!! It was a great blog with so much information . If anyone out there is looking for indian dresses |
    lehenga choli
    then visit Panache Haute Couture, a leading Indian Designer House for Indian Dresses.

    ReplyDelete


  15. How it works?
    Rapid Fast Keto Boost works in some of Rapid Fast Keto Boost patterns and has a natural paintings manner as it's miles formulated with herbs and plant compounds. It elevates the active glide of ketones into the frame that promotes the body’s fast metabolic fee. Ketones regulate the lively stimulation of ketosis for the body, which limits the conversion of carbohydrates into a fatty compound of the frame. This helps the body burn and melt undesirable fat and tackle a narrow shape. A person additionally feels an improvement in his strength and electricity degree that keeps him active and energetic to improve his performance. Thus, it effects in a lean muscles shape .
    Read More >>> https://www.completefoods.co/diy/recipes/where-to-buy-rapid-fast-keto-boost

    ReplyDelete

  16. People begin choosing Freshly Bloom Keto the giant surgical procedures for the weight loss cause they move on the operations, or this manner is more dangerous or hard to undertake.

    With Freshly Bloom Keto, you do not want to get any surgical treatment to conquer the excessive-fats areas take this supplement frequently for the 60 days or effects may be in the the front of you human beings.
    Read News >> https://www.completefoods.co/diy/recipes/what-is-keto-greenlyfe

    ReplyDelete
  17. Keto Twenty One is a remarkable weight loss components this is made with some herbal or greater additives to lose weight. This FDA authorized complement is straightforward to digest or inhale.

    People start deciding on the massive surgical processes for the weight loss cause they circulate on the operations, or this manner is more dangerous or tough to undertake.

    Read More >>> https://www.completefoods.co/diy/recipes/what-is-keto-twenty-one

    ReplyDelete
  18. Almost 50 percent of those people who utilize
    the net the Entire path Across the globe are
    losses of this electronic wrongdoing. Each time
    you start a couple of relations or you've misused
    the connections once you start the email, download
    any program, or possibly connecting a stage consistently
    is an opening for engineers to take your own data.
    visit:

    www.webroot.com/safe

    ReplyDelete
  19. Idnplay
    IDN Poker88 | Situs Poker Deposit Pulsa | Agen Poker Terpercaya
    Agen Resmi Poker Idnplay Terpercaya dan resmi Lesensi ayok join sekarang juga untuk mendapatkan promo2 terbaik dari situs agen poker online sekarang juga !!

    ReplyDelete
  20. Webroot is one among the staggering brands
    inside the market that courses of action inside
    the security division. the entirety of the consequences
    of webroot are given all together that they help the
    customer in getting their structure checked from the
    entirety of the dangers that are open on the online .
    There are risks like Trojans, diverse disease malware,
    at that point forward.
    visit:
    www.webroot.com/safe

    ReplyDelete
  21. That was such an awesome topic to read and going through it.
    Thanks for such a good information.
    Our product related for Servo Voltage Stabilizer and Power Transformers Manufacturer in Hyderabad, india. Our company is also Servo Stabilizers Manufacturers in Hyderabad, bangalore, India.

    ReplyDelete
  22. Thanks for the great article and post. Need a MNC Job Training in Hyderabad? Don’t go beyond SV Professionals “A popular HR Job Training in Hyderabad which offers an extensive range of exceptional Domestic Job Training.
    Feel Free to contact.

    ReplyDelete
  23. Thanks for the great article and post. Need a Digital Marketing Services in Hyderabad, India? Don’t go beyond iRankdigi IT Solutions “A popular Best Digital Marketing Company in Hyderabad which offers an extensive range of exceptional SEO services in Hyderabad.
    Feel Free to contact.

    ReplyDelete
  24. Enter 25 characters Norton product key after signing in on Norton.com/setup website. You will get your product key from registered email id when you purchased your Norton product. Download and install Norton product on your device and get protected from all kind of online threats.
    Norton.com/setup

    ReplyDelete
  25. Selamat Datang Di Situs AGEN BANDARQ

    Rasakan sensasi serunya bermain di Situs AGEN BANDARQ
    Yang Merupakan Agen Bandarq, Domino 99, Dan Bandar Poker Online Terpercaya di asia hadir untuk anda semua dengan permainan permainan menarik dan bonus menarik untuk anda semua.

    Rasakan Sensasi serunya bermain di CrownQQ, Agen BandarQ Yang 100% Gampang Menang
    Games Yang di Hadirkan CrownQQ :

    => Poker
    => Bandar Poker
    => Domino99
    => BandarQ
    => AduQ
    => Sakong
    => Capsa Susum
    => Bandar66 (ADU BALAK)
    => Perang Baccarat (New Game)

    Promo Yang Berlaku Saat ini:

    => Bonus Refferal 20% ( OTOMATIS )
    => Bonus Turn Over 0,5% (SETIAP SENIN )
    => Minimal Depo Rp. 20.000,-
    => Minimal WD Rp. 20.000,-

    Pelayanan dan Sistem Di Situs CROWNQQ :

    => 100% Member Asli Pemain vs Pemain ( NO ROBOT & ADMIN )
    => Pelayanan DP & WD 24 jam
    => Livechat Kami 24 Jam Online
    => Bisa Dimainkan Di Hp Android & IOS
    => Dilayani Dengan 5 Bank Terbaik

    << Contact_Us >>
    WHATSAPP : +855882357563
    LINE : CS CROWNQQ
    TELEGRAM : +855882357563

    BACA JUGA BLOGSPORT KAMI:
    BLOG ARTIKEL
    CROWNWIN
    CERITA DEWASA

    AKSES LINK TERBARU DI :
    - RATUAJAIB.COM
    - RATUAJAIB.NET
    - RATUAJAIB.INFO

    CROWNQQ | Agen BandarQ | BandarQ Online | AduQ Online | DominoQQ Terbaik

    ReplyDelete
  26. Enter the cave of stunning wellness. Lions den is one of its sort martials expressions and wellness focus in south Delhi. It brags of profoundly particular preparing consolidating combative techniques with routine exercise by none other than our amazing mentor Vijay Saini - A lion .

    fitness club

    fitness club around me

    fitness club near me

    fitness club in delhi

    best fitness club in delhi



    fight club

    fight club around me

    fight club near me


    best fight club in delhi



    mma

    mma around me

    mma near me

    mma in delhi

    best mma in delhi



    ReplyDelete
  27. Noxious programming, or malware, may release devastation on your
    little business undertaking. Several pollutions can get fragile data
    in un-checked workstations, at any rate various issue, for instance, rodents,
    may square structure or PC advancement to a grump. Norton taking steps to spoiling.
    visit:
    Norton.com/setup

    ReplyDelete
  28. Enter the cave of stunning wellness. Lions den is one of its sort martials expressions and wellness focus in south Delhi. It brags of profoundly particular preparing consolidating combative techniques with routine exercise by none other than our amazing mentor Vijay Saini - A lion .

    fitness club

    fitness club around me

    fitness club near me

    fitness club in delhi

    best fitness club in delhi



    fight club

    fight club around me

    fight club near me


    best fight club in delhi



    mma

    mma around me

    mma near me

    mma in delhi

    best mma in delhi



    ReplyDelete
  29. CROWNQQ I AGEN BANDARQ I BANDARQ ONLINE I ADUQ ONLINE I DOMINOQQ TERBAIK

    Yuk Buruan ikutan bermain di website Agen BandarQ

    Sekarang CROWNQQ Memiliki Game terbaru Dan Ternama loh...

    9 permainan :
    => Poker
    => Bandar Poker
    => Domino99
    => BandarQ
    => AduQ
    => Sakong
    => Capsa Susun
    => Bandar 66
    => Perang Baccarat (NEW GAME)

    => Bonus Refferal 20%
    => Bonus Turn Over 0,5%
    => Minimal Depo 20.000
    => Minimal WD 20.000
    => 100% Member Asli
    => Pelayanan DP & WD 24 jam
    => Livechat Kami 24 Jam Online
    => Bisa Dimainkan Di Hp Android
    => Di Layani Dengan 5 Bank Terbaik
    => 1 User ID 9 Permainan Menarik

    Ayo gabung sekarang juga hanya dengan
    mengklick daftar crownqq

    Link Resmi CrownQQ:
    RATUAJAIB.COM
    RATUAJAIB.NET
    RATUAJAIB.INFO

    BACA JUGA BLOGSPORT KAMI:
    BLOG ARTIKEL
    CROWNWIN
    CERITA DEWASA

    Info Lebih lanjut Kunjungi :
    WHATSAPP : +855882357563
    LINE : CS CROWNQQ
    TELEGRAM : +855882357563

    ReplyDelete
  30. https://officecomus.us/
    Office.com/Setup
    Download office setup from here. here you will get full information about Office setup For Visiting Our Website kindly click on this link.
    office.com/setup

    ReplyDelete