Monday, February 27, 2017

Web Cache Deception Attack

Did it ever cross your mind that accessing links such as https://www.paypal.com/myaccount/home/stylesheet.css or https://www.paypal.com/myaccount/settings/notifications/logo.png might expose your sensitive data, and even allow attackers to take control of your account?
Web cache deception is a new web attack vector that puts various technologies and frameworks at risk.

A few words about caching and reactions

1. Websites often use web cache functionality (for example a CDN, a load balancer, or simply a reverse proxy). The purpose is simple: store files that are retrieved often, so they don't have to be fetched from the web server every time.
Let's look at an example of a web cache. The website http://www.example.com is configured to go through a reverse proxy. A dynamic page such as http://www.example.com/home.php, which returns users' personal content, has to be generated per user, since the data is different for each user. This kind of data, or at least its personalized parts, isn't cached.
What's more reasonable and common to cache are static, public files: style sheets (css), scripts (js), text files (txt), images (png, bmp, gif), etc. This makes sense because these files usually don't contain any sensitive information. In addition, various best-practice articles about web cache configuration recommend caching all static files that are meant to be public, and disregarding their HTTP caching headers.

2. The web cache deception attack relies on the same browser and web server behaviour as the RPO (relative path overwrite) attack, explained in http://www.thespanner.co.uk/2014/03/21/rpo/ and http://blog.innerht.ml/rpo-gadgets/:
What happens when accessing a URL like http://www.example.com/home.php/non-existent.css?
The browser produces a GET request to that URL. The interesting part is the server's reaction: how does it interpret the request URL? Depending on its technology and configuration (the URL may need to be structured slightly differently for different servers), the server returns the content of http://www.example.com/home.php. And yes, the URL remains http://www.example.com/home.php/non-existent.css. The HTTP headers will be the same as for accessing http://www.example.com/home.php directly: same caching headers and same content type (text/html, in this case).

Done with the introduction

What happens if we access http://www.example.com/home.php/non-existent.css, while web cache for static files is set on the proxy server, disregarding caching headers for this kind of file? Let's analyze this process:
  1. Browser requests http://www.example.com/home.php/non-existent.css.
  2. Server returns the content of http://www.example.com/home.php, most probably with HTTP caching headers that instruct the cache not to store this page.
  3. The response goes through the proxy.
  4. The proxy identifies that the file has a css extension.
  5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.

Oh.

Taking advantage of it

An attacker who lures a logged-on user to access http://www.example.com/home.php/logo.png will cause this page – containing the user's personal content – to be cached and thus publicly accessible. It gets even worse if the body of the response contains (for some reason) the session identifier, security answers or CSRF tokens. All the attacker has to do now is request the same URL himself and read the cached data.

An anecdote

Usually websites don't require authentication to access their public static files. Therefore, the cached files are publicly-accessible – no authentication required.

Conditions

So basically, two conditions are required for this vulnerability to exist:
  1. Web cache functionality is set for the web application to cache files by their extensions, disregarding any caching header.
  2. When accessing a page like http://www.example.com/home.php/non-existent.css, the web server will return the content of "home.php" for that URL.

Mitigation

  1. Configure the cache mechanism to cache files only if their HTTP caching headers allow. That will solve the root cause of this issue.
  2. If the cache component provides the option, configure it to cache files by their content type.
  3. Configure the web server so that for pages such as http://www.example.com/home.php/non-existent.css, the web server doesn’t return the content of "home.php" with this URL. Instead, for example, the server should respond with a 404 or 302 response.
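The five-step process, the two conditions and the three mitigations above can be checked against a small model. This is an added example, not code from the original post: the origin server, the proxy, the cache policies, the URLs and the user names are all constructed, and the policies are a simplification of what real cache products offer.

```python
from dataclasses import dataclass, field
import posixpath

# Extensions the "cache by extension" policy treats as static (constructed).
STATIC_EXTENSIONS = {"css", "js", "png", "gif", "jpg", "txt"}


@dataclass
class Response:
    status: int
    body: str
    headers: dict


def origin(path: str, user: str, path_info_enabled: bool = True) -> Response:
    """Constructed origin. With path_info_enabled=True, /home.php/<anything>
    is served as home.php with home.php's own headers (condition 2 of the
    post); with False the trailing path is rejected (mitigation 3)."""
    script = "/home.php"
    if path == script or (path_info_enabled and path.startswith(script + "/")):
        return Response(200, f"<html>Hello {user}, balance: $42</html>",
                        {"Content-Type": "text/html",
                         "Cache-Control": "no-store, private"})
    if path == "/site.css":  # a genuinely public static file
        return Response(200, "body{margin:0}",
                        {"Content-Type": "text/css",
                         "Cache-Control": "public, max-age=3600"})
    return Response(404, "not found", {"Content-Type": "text/html"})


@dataclass
class CachingProxy:
    """Reverse proxy with a shared cache; `policy` decides what gets stored."""
    policy: str                  # "extension" | "headers" | "content-type"
    path_info_enabled: bool = True
    store: dict = field(default_factory=dict)

    def _cacheable(self, path: str, resp: Response) -> bool:
        if resp.status != 200:
            return False
        ext = posixpath.splitext(path)[1].lstrip(".").lower()
        cache_control = resp.headers.get("Cache-Control", "")
        if self.policy == "extension":
            # Condition 1 of the post: decide by URL extension, ignore the
            # origin's caching headers entirely.
            return ext in STATIC_EXTENSIONS
        if self.policy == "headers":
            # Mitigation 1: cache only what the origin explicitly allows.
            return ("public" in cache_control
                    and "no-store" not in cache_control
                    and "private" not in cache_control)
        if self.policy == "content-type":
            # Mitigation 2: decide by what the body is, not by the URL.
            ctype = resp.headers.get("Content-Type", "")
            return ctype.startswith(("text/css", "image/", "application/javascript"))
        raise ValueError(f"unknown policy {self.policy!r}")

    def get(self, path: str, user: str) -> Response:
        if path in self.store:
            return self.store[path]  # cache hit: served to anyone, no auth
        resp = origin(path, user, self.path_info_enabled)
        if self._cacheable(path, resp):
            self.store[path] = resp
        return resp


def leaks_victim_page(policy: str, path_info_enabled: bool = True) -> bool:
    """Steps 1-5 of the post: a logged-in user loads the imposter URL, then
    an unauthenticated visitor requests the same URL; True if the victim's
    personalised HTML is served out of the cache."""
    proxy = CachingProxy(policy, path_info_enabled)
    imposter_url = "/home.php/non-existent.css"
    proxy.get(imposter_url, user="victim")
    later_view = proxy.get(imposter_url, user="anonymous")
    return "Hello victim" in later_view.body


def caches_public_asset(policy: str) -> bool:
    """Check that the hardened policies still cache real static files."""
    proxy = CachingProxy(policy)
    proxy.get("/site.css", user="victim")
    return "/site.css" in proxy.store
```

Only the extension-based policy with a PATH_INFO-style origin leaks the page; each of the three mitigations on its own closes it while real static files stay cacheable.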

Web Cache Deception in PayPal – PII Exposure

PayPal was vulnerable to web cache deception. The vulnerability is now fixed and was publicly disclosed.

Information that could be leaked by exploiting this vulnerability:
- Users' first & last names
- Account balance
- Last four credit card digits
- Transactions data
- Full passport number
- Email address
- Home address
- Phone number
- Any additional information included in vulnerable pages

Examples of some of the vulnerable pages:

Various static file extensions could be used to cache pages on PayPal (more than 40). Among them:
aif, aiff, au, avi, bin, bmp, cab, carb, cct, cdf, class, css, doc, dcr, dtd, gcf, gff, gif, grv, hdml, hqx, ico, ini, jpeg, jpg, js, mov, mp3, nc, pct, ppc, pws, swa, swf, txt, vbs, w32, wav, wbmp, wml, wmlc, wmls, wmlsc, xsd, zip

Caching expiration
I've measured the time taken for the cached files to expire. It seems that after being accessed once (for the first time), a file is cached for ~5 hours. If it's accessed again during that time, the expiration time is extended. It's clear that this time period is more than enough for an attacker to "catch" the cached file on time before it expires, and by constantly monitoring this URL he can expose it as it's created.

Videos

Home page:

Settings page:

PayPal rewarded me with $3,000 for reporting this vulnerability.

User Hijacking via Web Cache Deception

I found this vulnerability in additional applications, which unfortunately cannot be disclosed to the public for different reasons (bummer, had some nice videos for that). In these applications, it was possible to take complete control over application users. This was possible because the session ID or security answers to recover a user's password were included in the HTML code of vulnerable pages. Big thanks to Sagi Cohen for the assistance.

IIS Demo

In the video below, a website is hosted on two web servers behind an IIS load balancer with Application Request Routing (ARR) installed.
A successful login redirects users to the 'welcome.php' page, which contains their personal content. The load balancer is configured to cache all CSS files and to disregard their caching headers.
An authenticated user accesses http://www.sampleapp.com/welcome.php/stylesheet.css. The IIS load balancer treats the 'welcome.php' page as a directory, creates it in the cache directory, and caches 'stylesheet.css' inside, which contains the user's private content.

141 comments:

  1. In the PayPal scenario, how did the proxy server even see the resources? Was it configured to do HTTPS interception and the client was configured to trust a dummy root certificate?

  2. I guess the connection between the Client and the Proxy-Server is either HTTP or HTTPS. However, in order to cache the content, the connection between the Proxy-Server and the Web-Server must be HTTP. I was curious about this as well and it looks like you can build this kind of architecture with Pound (SSL-Wrapper and Reverse Proxy) which forwards decrypted HTTPS requests to a caching server (e.g. Varnish). Please correct me if I explained anything wrong.

  3. Nice vulnerability and well explained.

  4. That's a great finding. Thank you for writing this blog post.

  5. Great explanation, thanks for sharing

  6. Great post. can I translate it on my blog?

  7. Awesome attack. A Burp Extender is now available to make it easier to perform this attack: https://www.trustwave.com/Resources/SpiderLabs-Blog/Airachnid--Web-Cache-Deception-Burp-Extender/

  8. I am trying to create a PoC of the Web Cache Deception attack using Apache as the origin server and nginx as a reverse proxy.
    As I see it, by default nginx obeys Cache-Control headers sent from the origin server.
    Therefore, in order to create the PoC I have to make specific configurations to ignore the origin server's headers.

    I don't understand why anyone would force the caching of static file extensions.
    In nginx, if you just set a rule to cache static files (like .jpg) and then hit the attack URL, say http://www.xyz.com/personal.php/attack.jpg, even if the origin server sends the personal.php content, it also sends the related Cache-Control headers, as you yourself have said.
    I have verified that these headers will be obeyed by nginx by default.
    That means that for the Web Cache Deception attack to be successful, the one doing the configuration has to have really low-grade knowledge, or maybe he intentionally wants to let sensitive pages get cached.

    I understand the possibility of this attack in Akamai due to its Edge-Control header. But why the hell would anyone set cache-control: no-cache, no-store headers for static content like .jpg on the origin server and then try to overwrite it using Edge-Control in the reverse proxy? Isn't it extra work?
