Monday, February 27, 2017

Web Cache Deception Attack

Did it ever cross your mind that accessing links such as https://www.paypal.com/myaccount/home/stylesheet.css or https://www.paypal.com/myaccount/settings/notifications/logo.png might expose your sensitive data, and even allow attackers to take control over your account?
Web cache deception is a new web attack vector that puts various technologies and frameworks at risk.

A few words about caching and reactions

1. Websites often use a web cache (for example a CDN, a load balancer, or simply a reverse proxy). The purpose is simple: store files that are retrieved often, to reduce the latency of fetching them from the web server.
Let's look at an example of a web cache. Website http://www.example.com is configured to go through a reverse proxy. A dynamic page such as http://www.example.com/home.php, which returns users' personal content, has to be generated per user, since the data differs for each user. This kind of data, or at least its personalized parts, isn't cached.
What's more reasonable and common to cache are static, public files: style sheets (css), scripts (js), text files (txt), images (png, bmp, gif), etc. This makes sense because these files usually don't contain any sensitive information. In addition, various best-practice articles about web cache configuration recommend caching all static files that are meant to be public, and disregarding their HTTP caching headers.

2. The web cache deception attack relies on the same browser and web server behaviour that the RPO attack exploits, explained in http://www.thespanner.co.uk/2014/03/21/rpo/ and http://blog.innerht.ml/rpo-gadgets/:
What happens when accessing a URL like http://www.example.com/home.php/non-existent.css?
The browser issues a GET request to that URL. The interesting part is the server's reaction: how does it interpret the request URL? Depending on its technology and configuration (the URL may need to be built slightly differently for different servers), the server returns the content of http://www.example.com/home.php. And yes, the URL remains http://www.example.com/home.php/non-existent.css. The HTTP headers are the same as when accessing http://www.example.com/home.php directly: same caching headers and same content type (text/html, in this case).

Done with the introduction

What happens if we access http://www.example.com/home.php/non-existent.css, while web cache for static files is set on the proxy server, disregarding caching headers for this kind of file? Let's analyze this process:
  1. Browser requests http://www.example.com/home.php/non-existent.css.
  2. Server returns the content of http://www.example.com/home.php, most probably with HTTP caching headers that instruct not to cache this page.
  3. The response goes through the proxy.
  4. The proxy identifies that the file has a css extension.
  5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.

Oh.

Taking advantage of it

An attacker who lures a logged-on user to access http://www.example.com/home.php/logo.png will cause this page – containing the user's personal content – to be cached and thus publicly accessible. It gets even worse if the body of the response contains (for some reason) the session identifier, security answers or CSRF tokens. All the attacker has to do now is access this page himself and expose this data.


An anecdote

Usually websites don't require authentication to access their public static files. Therefore, the cached files are publicly accessible – no authentication required.

Conditions

So basically, two conditions are required for this vulnerability to exist:
  1. Web cache functionality is set for the web application to cache files by their extensions, disregarding any caching headers.
  2. When accessing a page like http://www.example.com/home.php/non-existent.css, the web server will return the content of "home.php" for that URL.

Mitigation

  1. Configure the cache mechanism to cache files only if their HTTP caching headers allow. That will solve the root cause of this issue.
  2. If the cache component provides the option, configure it to cache files by their content type.
  3. Configure the web server so that for pages such as http://www.example.com/home.php/non-existent.css, the web server doesn’t return the content of "home.php" with this URL. Instead, for example, the server should respond with a 404 or 302 response.
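
To make the two conditions and the three mitigations concrete, here is an added simulation (my own example code, not from the original post or from PayPal): a toy origin that serves home.php for /home.php/non-existent.css, a proxy that caches by extension next to one that obeys caching headers and content type, and the strict origin from mitigation 3. The users 'alice' and 'mallory', the page body and the /style.css file are constructed for the example.

```python
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)
STATIC_EXT = {"css", "js", "png", "gif", "jpg", "txt"}

def render_home(user: str) -> str:
    # Constructed personal page, with a token of the kind the post warns about.
    return f"<html>Hello {user}, balance $42, csrf=TOKEN-FOR-{user}</html>"

def origin_lenient(path: str, user: str) -> Response:
    """Origin meeting condition 2: /home.php/anything is served as home.php."""
    if path.lstrip("/").split("/")[0] == "home.php":
        return 200, {"Content-Type": "text/html", "Cache-Control": "no-store"}, render_home(user)
    if path == "/style.css":  # a genuine public stylesheet (constructed)
        return 200, {"Content-Type": "text/css", "Cache-Control": "public, max-age=3600"}, "body{}"
    return 404, {"Content-Type": "text/plain"}, "not found"

def origin_strict(path: str, user: str) -> Response:
    """Mitigation 3: trailing path-info after the script name gets a 404."""
    if path.startswith("/home.php/"):
        return 404, {"Content-Type": "text/plain"}, "not found"
    return origin_lenient(path, user)

def cache_by_extension(path: str, resp: Response) -> bool:
    """Vulnerable rule (condition 1): static-looking name wins, headers ignored."""
    return resp[0] == 200 and path.rsplit(".", 1)[-1].lower() in STATIC_EXT

def cache_by_headers(path: str, resp: Response) -> bool:
    """Mitigations 1 and 2: honour Cache-Control and never cache HTML."""
    status, headers, _ = resp
    cc = headers.get("Cache-Control", "").lower()
    if status != 200 or "no-store" in cc or "private" in cc:
        return False
    return not headers.get("Content-Type", "").startswith("text/html")

class Proxy:
    """Cache keyed by path; hits never reach the origin, so nobody checks
    who is asking (the post's 'anecdote')."""
    def __init__(self, origin: Callable, policy: Callable) -> None:
        self.origin, self.policy, self.store = origin, policy, {}

    def get(self, path: str, user: str) -> Response:
        if path not in self.store:
            resp = self.origin(path, user)
            if self.policy(path, resp):
                self.store[path] = resp
            return resp
        return self.store[path]

def leaked(origin: Callable, policy: Callable) -> bool:
    """Steps 1-5 of the post: victim 'alice' is lured to the imposter URL,
    then 'mallory' requests it. True if alice's page comes back."""
    proxy = Proxy(origin, policy)
    proxy.get("/home.php/non-existent.css", user="alice")
    return "alice" in proxy.get("/home.php/non-existent.css", user="mallory")[2]
```

Only the combination of the lenient origin and the extension-based policy leaks; either mitigation alone closes it, while cache_by_headers still caches the genuine /style.css.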

Web Cache Deception in PayPal – PII Exposure

PayPal was vulnerable to web cache deception. The vulnerability is now fixed and was publicly disclosed.

Information that could be leaked by exploiting this vulnerability:
- Users' first & last names
- Account balance
- Last four credit card digits
- Transactions data
- Full passport number
- Email address
- Home address
- Phone number
- Any additional information included in vulnerable pages

Examples of some of the vulnerable pages:

Various static file extensions could be used to cache pages on PayPal (more than 40). Among them:
aif, aiff, au, avi, bin, bmp, cab, carb, cct, cdf, class, css, doc, dcr, dtd, gcf, gff, gif, grv, hdml, hqx, ico, ini, jpeg, jpg, js, mov, mp3, nc, pct, ppc, pws, swa, swf, txt, vbs, w32, wav, wbmp, wml, wmlc, wmls, wmlsc, xsd, zip

Caching expiration
I've measured the time taken for the cached files to expire. It seems that after being accessed once (for the first time), a file is cached for ~5 hours. If it's accessed again during that time, the expiration time is extended. It's clear that this time period is more than enough for an attacker to "catch" the cached file on time before it expires, and by constantly monitoring this URL he can expose it as it's created.

Videos

Home page:

Settings page:

PayPal rewarded me with $3,000 for reporting this vulnerability.

User Hijacking via Web Cache Deception

I found this vulnerability in additional applications, which unfortunately cannot be disclosed to the public for different reasons (bummer, had some nice videos for that). In these applications, it was possible to take complete control over application users. This was possible because the session ID or security answers to recover a user's password were included in the HTML code of vulnerable pages. Big thanks to Sagi Cohen for the assistance.

IIS Demo

In the video below, a website is hosted on two web servers behind an IIS load balancer with Application Request Routing (ARR) installed.
A successful login redirects users to the 'welcome.php' page, which contains their personal content. The load balancer is configured to cache all CSS files and to disregard their caching headers.
An authenticated user accesses http://www.sampleapp.com/welcome.php/stylesheet.css. The IIS load balancer treats the 'welcome.php' page as a directory, creates it in the cache directory, and caches 'stylesheet.css', which contains the user's private content.


57 comments:

  1. In the PayPal scenario, how did the proxy server even see the resources? Was it configured to do HTTPS interception and the client was configured to trust a dummy root certificate?

  2. I guess the connection between the Client and the Proxy-Server is either HTTP or HTTPS. However, in order to cache the content, the connection between the Proxy-Server and the Web-Server must be HTTP. I was curious about this as well and it looks like you can build this kind of architecture with Pound (SSL-Wrapper and Reverse Proxy) which forwards decrypted HTTPS requests to a caching server (e.g. Varnish). Please correct me if I explained anything wrong.

  3. Nice vulnerability and well explained.

  4. That's a great finding. Thank you for writing this blog post.

  5. Great explanation, thanks for sharing.

  6. Great post. Can I translate it on my blog?

  7. Awesome attack. A Burp Extender is now available to make it easier to perform this attack: https://www.trustwave.com/Resources/SpiderLabs-Blog/Airachnid--Web-Cache-Deception-Burp-Extender/

  8. I am trying to create a PoC on Web Cache Deception attack using apache as origin server and nginx as reverse proxy.
    As I see, by default nginx obeys cache-control headers sent from origin server.
    Therefore, in order to create the PoC I have to make specific configurations to ignore the origin server's headers.

    I don't understand why would anyone force the caching of static file extensions?
    In nginx, if you just set a rule to cache static files (like .jpg) and then hit the attack URL say http://www.xyz.com/personal.php/attack.jpg, even if the origin server sends the personal.php content, it also sends the related cache-control headers as you yourself have said.
    I have verified that these headers will be obeyed by nginx by default.
    Then that means for the Web Cache deception attack to be successful, the one doing the configuration has to have really low-grade knowledge, or maybe he intentionally wants to let sensitive pages get cached.

    I understand the possibility of this attack in Akamai due to its Edge-Control header. But why the hell would anyone set cache-control: no-cache, no-store headers for the static content like .jpg in the origin server and then try to overwrite it using the Edge-Control in reverse-proxy? Isn't it extra work?