The end result is that a huge number of PHP applications unwittingly support these URL-override headers. Before we try using them for cache poisoning, I should point out that they're also great for bypassing WAFs and security rules: a rule that inspects the path in the request line sees an innocuous URL, while the application routes the request using the path supplied in the header.
If an application uses a cache, these headers can be abused to confuse it into serving up incorrect pages: the cache keys the response on the path in the request line, but the application generates it for the path in the header. The end result is that after sending a single such request, anyone who tries to access the Unity for education page gets a surprise. The ability to swap around pages is more amusing than serious, but perhaps it has a place in a bigger exploit chain. Drupal is often used with third party caches like Varnish, but it also contains an internal cache which is enabled by default. This cache is aware of the X-Original-URL header and includes it in its cache key, but makes the mistake of also including the query string from this header.
While the previous attack let us replace a path with another path, this one lets us override the query string.
While reading Drupal's URL-override code, I noticed an extremely risky feature: on all redirect responses, you can override the redirect target using the 'destination' query parameter. Drupal attempts some URL parsing to ensure it won't redirect to an external domain, but this is predictably easy to bypass. Drupal thinks the destination URL is telling people to access unity. Once again, by itself an open redirect is hardly exciting, but now we finally have all the building blocks for a serious exploit.
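The check a 'destination' parameter needs is easier to show than to describe. The following is an added example written for this page, not Drupal's code: naive_is_local() is a hypothetical weak check built around the parsed authority component, of the general kind the text says is easy to bypass, and safe_destination() is a hardened replacement that accepts only same-site paths. The site name unity.example and the sample destinations are constructed for the illustration.

```python
"""Validating a redirect 'destination' parameter so it cannot leave the site.

Added illustration, not Drupal's code. naive_is_local() is a hypothetical
weak check; safe_destination() is a hardened replacement. SITE_HOST and the
sample inputs are constructed for the example.
"""
from urllib.parse import urlsplit

SITE_HOST = "unity.example"  # assumed site name for the examples


def naive_is_local(destination: str) -> bool:
    """Hypothetical weak check: trusts the parsed authority component.

    It accepts anything without an authority, or whose authority merely
    starts with the site host, which a userinfo trick ('site@evil') and a
    look-alike domain ('site.evil') both satisfy.
    """
    parts = urlsplit(destination)
    return parts.netloc == "" or parts.netloc.startswith(SITE_HOST)


def safe_destination(destination: str, default: str = "/") -> str:
    """Return a same-site path for a Location header, or the default.

    The checks are syntactic rather than hostname comparisons, because
    browsers parse URLs more leniently than urlsplit: for http(s) a
    backslash is treated as a slash, and ASCII tab/newline are stripped
    before parsing, so '/\\evil' and '/\t/evil' both reach the browser
    as the scheme-relative '//evil'.
    """
    # Reject control characters and whitespace outright (covers \t, \r, \n).
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in destination):
        return default
    # Backslashes are slashes to a browser; never let them through.
    if "\\" in destination:
        return default
    # Must be a path-absolute reference: exactly one leading slash.
    if not destination.startswith("/") or destination.startswith("//"):
        return default
    parts = urlsplit(destination)
    # Belt and braces: a path-absolute reference has no scheme or authority.
    if parts.scheme or parts.netloc:
        return default
    return destination


if __name__ == "__main__":
    samples = [
        "/node/1",
        "/login?destination=/node/1",
        "https://evil.example/",
        "//evil.example/",
        "https://unity.example@evil.example/",
        "https://unity.example.evil.example/",
        "/\\evil.example",
        "/\t/evil.example",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} naive={naive_is_local(s)!s:5} safe={safe_destination(s)!r}")
```

The naive check is the instructive part: it passes both the userinfo form and the look-alike domain because it reasons about a parsed hostname prefix, whereas the hardened version never reasons about hostnames at all and only admits a single-slash relative path with no characters a browser would reinterpret.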
Other Drupal sites are less obliging, and don't import any important resources via redirects. Fortunately, if the site uses an external cache, as virtually all high-traffic Drupal sites do, we can use the internal cache to poison the external cache, converting any response into a redirection in the process. This is a two-stage attack. The end result is that clicking 'Download installer' on unity. This technique could also be used for a wealth of other attacks, including inserting spoofed entries into RSS feeds, replacing login pages with phishing pages, and stored XSS via dynamic script imports.
This vulnerability was disclosed to the Drupal, Symfony and Zend teams on , and support for these headers was disabled via a coordinated patch release on with the following references: SA-CORE , CVE , ZF .

As you could probably have guessed, some of these vulnerability reports triggered interesting reactions and responses. One triager, scoring my submission using CVSS, gave a CloudFront cache poisoning report an access complexity of 'high' because an attacker might need to rent several VPSs in order to poison all of CloudFront's caches. Resisting the temptation to argue about what constitutes 'high' complexity, I took this as an opportunity to explore whether cross-region attacks are possible without relying on VPSs.
It turned out that CloudFront have a helpful map of their caches, and their IP addresses can be easily identified using free online services that issue DNS lookups from a range of geographical locations. As Cloudflare have even more regional caches, I decided to take a look at them too. Cloudflare publish a list of all their IP addresses online, so I wrote a quick script to request waf.
This showed that when targeting waf. The most robust defense against cache poisoning is to disable caching. This is plainly unrealistic advice for some, but I suspect that quite a few websites start using a service like Cloudflare for DDoS protection or easy SSL, and end up vulnerable to cache poisoning simply because caching is enabled by default.
Restricting caching to purely static responses is also effective, provided you're sufficiently wary about what you define as 'static'. Likewise, avoiding taking input from headers and cookies is an effective way to prevent cache poisoning, but it's hard to know if other layers and frameworks are sneaking in support for extra headers.
As such, I recommend auditing every page of your application with Param Miner to flush out unkeyed inputs. Once you've identified unkeyed inputs in your application, the ideal solution is to outright disable them. Failing that, you could strip the inputs at the cache layer, or add them to the cache key. Some caches let you use the Vary header to key unkeyed inputs, and others let you define custom cache keys but may restrict this feature to 'enterprise' customers. Finally, regardless of whether your application has a cache, some of your clients may have a cache at their end, so client-side vulnerabilities like XSS in HTTP headers should never be ignored.
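An added example of the audit recommended above, written for this page rather than taken from Param Miner or the original post: it probes a list of candidate headers through a simulated cache, gives every probe its own cache-buster query parameter so that a poisoned response can only ever be served back to the auditor and never to a real user, and reports any header that changes the response without being part of the cache key. The origin application, which builds a script URL from X-Forwarded-Host, the cache model and the candidate header list are constructed for the illustration. The same detector is then run against the two fixes named above, stripping the header at the cache layer and adding it to the cache key.

```python
"""Param Miner-style audit for unkeyed inputs, run against a simulated cache.

Added example for this page; not Param Miner's code. The origin
application, the cache model and CANDIDATE_HEADERS are constructed.
"""
import secrets

# Constructed, deliberately short list of headers worth probing.
CANDIDATE_HEADERS = (
    "X-Forwarded-Host",
    "X-Forwarded-Scheme",
    "X-Original-URL",
    "X-Rewrite-URL",
    "X-Host",
)


def origin(path_query, headers):
    """Constructed origin that trusts X-Forwarded-Host when building a
    script URL, the kind of hidden framework feature the text warns about."""
    host = headers.get("X-Forwarded-Host", "www.example.com")
    return 200, f'<script src="https://{host}/static/app.js"></script>'


def make_cache(origin_fn, keyed_headers=(), stripped_headers=()):
    """Return fetch(path_query, headers) -> (status, body) served via a cache.

    keyed_headers:    headers folded into the cache key (the Vary / custom
                      cache-key fix).
    stripped_headers: headers dropped before the request reaches the origin
                      (the strip-at-the-cache-layer fix).
    With neither, every request header is an unkeyed input.
    """
    store = {}

    def fetch(path_query, headers):
        headers = {k: v for k, v in headers.items() if k not in stripped_headers}
        key = (path_query,) + tuple(headers.get(h, "") for h in keyed_headers)
        if key not in store:
            store[key] = origin_fn(path_query, headers)
        return store[key]

    return fetch


def find_unkeyed_inputs(fetch, path, candidates=CANDIDATE_HEADERS):
    """Report candidate headers that change the response but not the cache key.

    Each probe uses a fresh cache-buster, so the only cache entries we can
    poison are ones nobody else will ever request.
    """
    findings = []
    for name in candidates:
        base_url = f"{path}?cb={secrets.token_hex(8)}"
        probe_url = f"{path}?cb={secrets.token_hex(8)}"
        canary = f"{secrets.token_hex(4)}.invalid"
        # 1. Baseline response for a key nobody has touched.
        baseline = fetch(base_url, {})
        # 2. Same page, separate key, with the candidate header set.
        probed = fetch(probe_url, {name: canary})
        if probed == baseline:
            continue  # header has no effect on the response
        # 3. Re-request the probe key with the header removed. If the cache
        #    hands back the probed response, the header was not in its key.
        recheck = fetch(probe_url, {})
        if recheck == probed:
            findings.append(name)
    return findings


def audit_all():
    """Run the detector against the vulnerable cache and both fixes."""
    return {
        "vulnerable": find_unkeyed_inputs(make_cache(origin), "/"),
        "stripped": find_unkeyed_inputs(
            make_cache(origin, stripped_headers=("X-Forwarded-Host",)), "/"),
        "keyed": find_unkeyed_inputs(
            make_cache(origin, keyed_headers=("X-Forwarded-Host",)), "/"),
    }


if __name__ == "__main__":
    for config, found in audit_all().items():
        print(f"{config:11} unkeyed inputs: {found or 'none'}")
```

Step 3 is what separates an unkeyed input from a merely reflected one: a header that is part of the cache key also changes the response, but a clean re-request of the same URL misses the poisoned entry and reaches the origin again, so only headers the cache ignores are reported.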
Web cache poisoning is far from a theoretical vulnerability, and bloated applications and towering server stacks are conspiring to take it to the masses. We've seen that even well-known frameworks can hide dangerous omnipresent features, confirming it's never safe to assume that someone else has read the source code just because it's open-source and has millions of users. We've also seen how placing a cache in front of a website can take it from completely secure to critically vulnerable. I think this is part of a greater trend where as websites become increasingly nestled inside helper systems, their security posture is increasingly difficult to adequately assess in isolation.
Finally, I've built a little challenge for people to test their knowledge, and look forward to seeing where other researchers take web cache poisoning in future.
You can find further research on this topic in my followup post, Bypassing Web Cache Poisoning Countermeasures.
PortSwigger Research.

Abstract: Web cache poisoning has long been an elusive vulnerability, a 'theoretical' threat used mostly to scare developers into obediently patching issues that nobody could actually exploit.

Core Concepts. Caching: To grasp cache poisoning, we'll need to take a quick look at the fundamentals of caching. The diagram shows three users fetching the same resource one after the other. Caching is intended to speed up page loads by reducing latency, and also to reduce load on the application server.

Cache keys: The concept of caching might sound clean and simple, but it hides some risky assumptions. A cache decides whether two requests are equivalent by comparing a cache key, typically built from the request line and the Host header; every other part of the request is unkeyed, and the cache assumes it cannot influence the response.

Cache Poisoning: The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.

Methodology: Rather than attempt to explain the methodology in depth upfront, I'll give a quick overview then demonstrate it being applied to real websites.

Case Studies: Let's take a look at what happens when the methodology is applied to real websites.

Local Route Poisoning: So far we've seen a cookie-based language hijack, and a plague of attacks that use various headers to override the host.