<p>Omer Gil: Security Research & Insights (@omer_gil)</p>

<h1>Bypassing required reviews using GitHub Actions</h1>
<p>Published 2021-11-22.</p>
<p>A newly discovered security flaw in GitHub allows leveraging GitHub Actions to bypass the required reviews mechanism and push unreviewed code to a protected branch, potentially allowing malicious code to be used by other users or flow down the pipeline to production.</p>
<p>Link to the original post on Medium:<br/>
<a href="https://medium.com/cider-sec/bypassing-required-reviews-using-github-actions-6e1b29135cc7" target="_blank">https://medium.com/cider-sec/bypassing-required-reviews-using-github-actions-6e1b29135cc7</a></p>

<h1>Web Cache Deception Attack Talks</h1>
<p>Published 2018-02-12.</p>
<p>Both talks about the Web Cache Deception attack are now available on YouTube:</p>
<ul>
<li><a href="https://www.youtube.com/watch?v=mroq9eHFOIU" target="_blank">Black Hat USA 2017</a></li>
<li><a href="https://www.youtube.com/watch?v=FwFKaXM3QJ0" target="_blank">BSidesTLV 2017</a></li>
</ul>

<h1>Web Cache Deception Attack: White Paper</h1>
<p>Published 2017-07-26.</p>
<p>The Web Cache Deception attack vector was first published on this blog in February 2017. Since then, I presented it at Black Hat USA 2017 and BSides Tel-Aviv 2017.</p>
<p>Now, I'm proud to release a white paper explaining all about this attack, including:</p>
<ul>
<li>Attack methodology</li>
<li>Implications</li>
<li>Conditions</li>
<li>Known web frameworks and caching mechanisms that meet the attack conditions</li>
<li>Mitigations</li>
</ul>
<p><b><a href="https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf" target="_blank">Web Cache Deception Attack White Paper, July 2017</a></b></p>
<p>In addition, you can find the <a href="https://www.slideshare.net/OmerGil/web-cache-deception-attack" target="_blank">presentation used at the Black Hat USA 2017</a> conference.</p>
<p>Huge thanks to all those who assisted along the way:<br />
Sagi Cohen, Bill Ben Haim, Sophie Lewin, Or Kliger, Gil Biton, Yakir Mordehay, Hagar Livne</p>
<p>Would love to receive your feedback here and on Twitter (<a href="https://twitter.com/omer_gil" target="_blank">@omer_gil</a>).</p>
<p>Enjoy!</p>
<h1>Web Cache Deception Attack</h1>
<p>Published 2017-02-27.</p>
<p>Did it ever cross your mind that accessing links such as <a href="https://www.paypal.com/myaccount/home/stylesheet.css">https://www.paypal.com/myaccount/home/stylesheet.css</a> or <a href="https://www.paypal.com/myaccount/settings/notifications/logo.png">https://www.paypal.com/myaccount/settings/notifications/logo.png</a> might expose your sensitive data, and even allow attackers to take control over your account?</p>
<p>Web cache deception is a new web attack vector that puts various technologies and frameworks at risk.</p>

<h2>A few words about caching and reactions</h2>
<p>1. Websites often use web cache functionality (for example over a CDN, a load balancer, or simply a reverse proxy). The purpose is simple: store files that are often retrieved, to reduce latency from the web server.</p>
<p>Let's see an example of web cache. Website <a href="http://www.example.com/">http://www.example.com</a> is configured to go through a reverse proxy. A dynamic page that is stored on the server and returns personal content of users, such as <a href="http://www.example.com/home.php">http://www.example.com/home.php</a>, has to be generated dynamically per user, since the data is different for each user. This kind of data, or at least its personalized parts, isn't cached.</p>
<p>What's more reasonable and common to cache are static, public files: style sheets (css), scripts (js), text files (txt), images (png, bmp, gif), etc. This makes sense because these files usually don't contain any sensitive information. In addition, as can be found in various best-practice articles about web cache configuration, it's recommended to cache all static files that are meant to be public, and to disregard their HTTP caching headers.</p>
<p>2. The web cache deception attack relies on the same kind of browser and web server behaviour as the RPO attack, explained in <a href="http://www.thespanner.co.uk/2014/03/21/rpo/">http://www.thespanner.co.uk/2014/03/21/rpo/</a> and <a href="http://blog.innerht.ml/rpo-gadgets/">http://blog.innerht.ml/rpo-gadgets/</a>:</p>
<p>What happens when accessing a URL like <a href="http://www.example.com/home.php/non-existent.css">http://www.example.com/home.php/non-existent.css</a>?<br />
A GET request to that URL will be produced by the browser. The interesting thing is the server's reaction: how does it interpret the request URL? Depending on its technology and configuration (the URL structure might need to be built slightly differently for different servers), the server returns the content of <a href="http://www.example.com/home.php">http://www.example.com/home.php</a>. And yes, the URL remains <a href="http://www.example.com/home.php/non-existent.css">http://www.example.com/home.php/non-existent.css</a>. The HTTP headers will be the same as for accessing <a href="http://www.example.com/home.php">http://www.example.com/home.php</a> directly: same caching headers and same content type (text/html, in this case).</p>

<h2>Done with the introduction</h2>
<p>What happens if we access <a href="http://www.example.com/home.php/non-existent.css">http://www.example.com/home.php/non-existent.css</a>, while web cache for static files is set on the proxy server, disregarding caching headers for this kind of file? Let's analyze this process:</p>
<ol>
<li>Browser requests <a href="http://www.example.com/home.php/non-existent.css">http://www.example.com/home.php/non-existent.css</a>.</li>
<li>Server returns the content of <a href="http://www.example.com/home.php">http://www.example.com/home.php</a>, most probably with HTTP caching headers that instruct not to cache this page.</li>
<li>The response goes through the proxy.</li>
<li>The proxy identifies that the file has a css extension.</li>
<li>Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.</li>
</ol>
<p>Oh.</p>
<p><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj5Hy8KgPIMyPDAr_xzypLMPEjbSDoCJ_WRvBSs-PAtyiYJYYqIyKteg68vZ1M65YjauF9zlMXlifGiv7p2LOAKCzAaqXShrFAzyn48FFvDP3zORL9mQOCiEQe4mgHXKOfMpguDexZTzI/s320/Dr_Evil.jpg" width="320" /></p>

<h2>Taking advantage of it</h2>
<p>An attacker who lures a logged-on user to access <a href="http://www.example.com/home.php/logo.png">http://www.example.com/home.php/logo.png</a> will cause this page, containing the user's personal content, to be cached and thus publicly accessible. It could get even worse if the body of the response contains (for some reason) the session identifier, security answers or CSRF tokens. All the attacker has to do now is access this page on his own and expose this data.</p>
<p><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2umBTn2Uaz7gzStpmn6K05I6jg8DxI-pgtAxOrQXP8ZUtBvX5fRjafNsx1fzVc4ljGz7qRZqCq3-OLiwnirZBSRFi2aciqDdtTeR4jJZ5KDcHud9ooG4a09xx3EHM7lbzYHpL-Pg2Nes/s640/Web_Cache_Manipulation.png" width="640" /></p>

<h2>An anecdote</h2>
<p>Usually websites don't require authentication to access their public static files. Therefore, the cached files are publicly accessible, no authentication required.</p>

<h2>Conditions</h2>
<p>So basically, two conditions are required for this vulnerability to exist:</p>
<ol>
<li>Web cache functionality is set for the web application to cache files by their extensions, disregarding any caching header.</li>
<li>When accessing a page like <a href="http://www.example.com/home.php/non-existent.css">http://www.example.com/home.php/non-existent.css</a>, the web server will return the content of "home.php" for that URL.</li>
</ol>

<h2>Mitigation</h2>
<div class="MsoNormal" style="direction: ltr; margin-top: 6pt; unicode-bidi: embed;">
<ol>
<li>Configure the cache mechanism to cache files only if their HTTP caching headers allow. That will solve the root cause of this issue.</li>
<li>If the cache component provides the option, configure it to cache files by their content type.</li>
<li>Configure the web server so that for pages such as <a href="http://www.example.com/home.php/non-existent.css">http://www.example.com/home.php/non-existent.css</a>, the web server doesn't return the content of "home.php" for this URL. Instead, for example, the server should respond with a 404 or 302 response.</li>
</ol><br />
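<p>The five-step process, the two conditions and the three mitigations above, modelled as an added Python example (not code from the original post): a toy origin that routes /home.php/anything to home.php, and a caching proxy run first with the weak cache-by-extension rule and then with a rule that honours Cache-Control and checks Content-Type, plus the strict-path variant of mitigation 3. USERS, the session name and the CSRF token are constructed sample values.</p>

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data (hypothetical): one logged-in user and her personal page.
USERS = {"sess-alice": {"name": "Alice", "csrf": "tok-a1b2c3"}}

# Extensions the proxy treats as static, and the Content-Type each one promises.
STATIC_EXTENSIONS = {"css": "text/css", "js": "application/javascript",
                     "png": "image/png", "gif": "image/gif", "txt": "text/plain"}
NO_STORE = {"Content-Type": "text/html", "Cache-Control": "no-store"}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def origin(path: str, session: Optional[str], strict_paths: bool = False) -> Response:
    """Toy origin server. As in the post, /home.php/anything is routed to home.php
    (the trailing part becomes path info). strict_paths models mitigation 3: such
    URLs get a 404 instead of the page's content."""
    script, sep, path_info = path.partition(".php")
    script = script + sep if sep else path
    if strict_paths and path_info:
        return Response(404, dict(NO_STORE), "Not found")
    if script == "/home.php":
        user = USERS.get(session or "")
        if user is None:
            return Response(302, {"Location": "/login.php", "Cache-Control": "no-store"}, "")
        # Personalised page; the origin correctly marks it as not cacheable.
        return Response(200, {"Content-Type": "text/html", "Cache-Control": "private, no-store"},
                        f"<h1>Hello {user['name']}</h1><input name=csrf value={user['csrf']}>")
    if script == "/static/site.css":
        return Response(200, {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"},
                        "body{margin:0}")
    return Response(404, dict(NO_STORE), "Not found")


def url_extension(path: str) -> str:
    """Extension of the last path segment, ignoring the query string."""
    last = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def cache_by_extension(path: str, resp: Response) -> bool:
    """Condition 1, the weak rule: any 200 whose URL ends in a static extension is
    cached, whatever its headers say."""
    return resp.status == 200 and url_extension(path) in STATIC_EXTENSIONS


def cache_by_headers_and_type(path: str, resp: Response) -> bool:
    """Mitigations 1 and 2: honour Cache-Control and require the Content-Type to
    match what the extension promises (text/html is never a .css file)."""
    if resp.status != 200:
        return False
    cache_control = resp.headers.get("Cache-Control", "")
    directives = {d.strip().split("=", 1)[0].lower() for d in cache_control.split(",")}
    if directives & {"no-store", "private", "no-cache"}:
        return False
    content_type = resp.headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    return STATIC_EXTENSIONS.get(url_extension(path)) == content_type


@dataclass
class CachingProxy:
    policy: Callable[[str, Response], bool]
    strict_paths: bool = False
    store: Dict[str, Response] = field(default_factory=dict)

    def fetch(self, path: str, session: Optional[str] = None) -> Tuple[Response, str]:
        """Serve a cached copy when one exists (no authentication, as for any static
        file); otherwise ask the origin and store the reply if the policy allows."""
        if path in self.store:
            return self.store[path], "HIT"
        resp = origin(path, session, self.strict_paths)
        if self.policy(path, resp):
            self.store[path] = resp
        return resp, "MISS"


def deception_leaks(policy: Callable[[str, Response], bool], strict_paths: bool = False) -> bool:
    """Replay the post's steps: a logged-in victim is lured to /home.php/non-existent.css,
    then an unauthenticated attacker requests the same URL. True if the attacker is
    served the victim's page."""
    proxy = CachingProxy(policy, strict_paths)
    proxy.fetch("/home.php/non-existent.css", session="sess-alice")
    attacker_view, _ = proxy.fetch("/home.php/non-existent.css", session=None)
    return "Hello Alice" in attacker_view.body


def static_still_cached(policy: Callable[[str, Response], bool]) -> bool:
    """Check that a policy still caches a genuine public stylesheet."""
    proxy = CachingProxy(policy)
    proxy.fetch("/static/site.css")
    _, state = proxy.fetch("/static/site.css")
    return state == "HIT"
```

Only the extension rule leaks the victim's page; both rules still cache the genuine stylesheet, so mitigation 1 and 2 cost nothing for real static files.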
</div>

<h2>Web Cache Deception in PayPal – PII Exposure</h2>
<p>PayPal was vulnerable to web cache deception. The vulnerability is now fixed and was publicly disclosed.</p>
<p><b>Information that could be leaked by exploiting this vulnerability:</b></p>
<ul>
<li>Users' first & last names</li>
<li>Account balance</li>
<li>Last four credit card digits</li>
<li>Transactions data</li>
<li>Full passport number</li>
<li>Email address</li>
<li>Home address</li>
<li>Phone number</li>
<li>Any additional information included in vulnerable pages</li>
</ul>
<p><b>Examples of some of the vulnerable pages:</b></p>
<ul>
<li><a href="https://www.paypal.com/myaccount/home/attack.css">https://www.paypal.com/myaccount/home/attack.css</a></li>
<li><a href="https://www.paypal.com/myaccount/settings/notifications/attack.css">https://www.paypal.com/myaccount/settings/notifications/attack.css</a></li>
<li><a href="https://history.paypal.com/cgi-bin/webscr/attack.css?cmd=_history-details">https://history.paypal.com/cgi-bin/webscr/attack.css?cmd=_history-details</a></li>
</ul>
<p><b>Various static file extensions could be used to cache pages on PayPal (more than 40). Among them:</b></p>
<p>aif, aiff, au, avi, bin, bmp, cab, carb, cct, cdf, class, css, doc, dcr, dtd, gcf, gff, gif, grv, hdml, hqx, ico, ini, jpeg, jpg, js, mov, mp3, nc, pct, ppc, pws, swa, swf, txt, vbs, w32, wav, wbmp, wml, wmlc, wmls, wmlsc, xsd, zip</p>
<p><b>Caching expiration</b></p>
<p>I've measured the time taken for the cached files to expire. It seems that after being accessed once (for the first time), a file is cached for ~5 hours. If it's accessed again during that time, the expiration time is extended. It's clear that this time period is more than enough for an attacker to "catch" the cached file in time before it expires, and by constantly monitoring this URL he can expose it as it's created.</p>
<p><b>Videos</b></p>
<p>Home page:<br />
<a href="https://www.paypal.com/myaccount/home">https://www.paypal.com/myaccount/home</a></p>
<div style="height: 0; padding-bottom: 56.25%; position: relative;"><iframe allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/249130093" style="height: 100%; left: 0; position: absolute; width: 100%;" width="640"></iframe></div>
<p>Settings page:<br />
<a href="https://www.paypal.com/myaccount/settings">https://www.paypal.com/myaccount/settings</a></p>
<div style="height: 0; padding-bottom: 56.25%; position: relative;"><iframe allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/e_jYtALsqFs?ecver=2" style="height: 100%; left: 0; position: absolute; width: 100%;" width="640"></iframe></div>
<p>History page:<br />
<a href="https://history.paypal.com/cgi-bin/webscr?cmd=_history-details">https://history.paypal.com/cgi-bin/webscr?cmd=_history-details</a></p>
<div style="height: 0; padding-bottom: 56.25%; position: relative;"><iframe allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/dgZVe7D8SRE?ecver=2" style="height: 100%; left: 0; position: absolute; width: 100%;" width="640"></iframe></div>
<p>PayPal rewarded me with $3,000 for reporting this vulnerability.</p>

<h2>User Hijacking via Web Cache Deception</h2>
<p>I found this vulnerability in additional applications, which unfortunately cannot be disclosed to the public for different reasons (bummer, had some nice videos for that). In these applications, it was possible to <b>take complete control</b> over application users. This was possible because the session ID or security answers to recover a user's password were included in the HTML code of vulnerable pages. Big thanks to <b><a href="https://www.linkedin.com/in/sagi-cohen-437b709a" target="_blank">Sagi Cohen</a></b> for the assistance.</p>

<h2>IIS Demo</h2>
<p>In the video below, a website is hosted on two web servers behind an IIS load balancer with Application Request Routing (ARR) installed.<br />
A successful login redirects users to the 'welcome.php' page, which contains their personal content. The load balancer is configured to cache all CSS files, and to disregard their caching headers.</p>
<p>An authenticated user accesses <a href="http://www.sampleapp.com/welcome.php/stylesheet.css">http://www.sampleapp.com/welcome.php/stylesheet.css</a>. The IIS load balancer treats the 'welcome.php' page as a directory, creates it in the cache directory, and caches 'stylesheet.css', which contains the user's private content.</p>
<div style="height: 0; padding-bottom: 56.25%; position: relative;"><iframe allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/zMOVRPEhjtI?ecver=2" style="height: 100%; left: 0; position: absolute; width: 100%;" width="640"></iframe></div>