mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-23 21:05:27 +00:00
Merge branch 'swisskyrepo:master' into master
This commit is contained in:
commit
ad93bb5e22
BIN
Web Cache Deception/Images/wcd.jpg
Normal file
BIN
Web Cache Deception/Images/wcd.jpg
Normal file
Binary file not shown.
After Width: | Height: | Size: 106 KiB |
@ -1,4 +1,5 @@
|
|||||||
# Web Cache Deception
|
# Web Cache Deception
|
||||||
|
> Web Cache Deception (WCD) is a security vulnerability that occurs when a web server or caching proxy misinterprets a client's request for a web resource and subsequently serves a different resource, which may often be more sensitive or private, after caching it.
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
@ -18,11 +19,19 @@
|
|||||||
|
|
||||||
## Exploit
|
## Exploit
|
||||||
|
|
||||||
1. Browser requests a resource such as `http://www.example.com/home.php/non-existent.css`.
|
Example of Web Cache Deception:
|
||||||
2. Server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers that instruct to not cache this page.
|
|
||||||
3. The response goes through the proxy.
|
Imagine an attacker lures a logged-in victim into accessing `http://www.example.com/home.php/non-existent.css`
|
||||||
4. The proxy identifies that the file has a css extension.
|
|
||||||
5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.
|
1. The victim's browser requests the resource `http://www.example.com/home.php/non-existent.css`
|
||||||
|
2. The requested resource is searched for in the cache server, but it's not found (resource not in cache).
|
||||||
|
3. The request is then forwarded to the main server.
|
||||||
|
4. The main server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers that instruct not to cache this page.
|
||||||
|
5. The response passes through the cache server.
|
||||||
|
6. The cache server identifies that the file has a CSS extension.
|
||||||
|
7. Under the cache directory, the cache server creates a directory named home.php and caches the imposter "CSS" file (non-existent.css) inside it.
|
||||||
|
8. When the attacker requests `http://www.example.com/home.php/non-existent.css`, the request is sent to the cache server, and the cache server returns the cached file with the victim's sensitive `home.php` data.
|
||||||
|
![WCD Demonstration](Images/wcd.jpg)
|
||||||
|
|
||||||
|
|
||||||
### Methodology - Caching Sensitive Data
|
### Methodology - Caching Sensitive Data
|
||||||
@ -35,7 +44,7 @@
|
|||||||
5. The content of the cache is displayed
|
5. The content of the cache is displayed
|
||||||
|
|
||||||
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
||||||
[![DEMO](https://i.vimeocdn.com/video/674856618.jpg)](https://vimeo.com/249130093)
|
[![DEMO](https://i.vimeocdn.com/video/674856618-f9bac811a4c7bcf635c4eff51f68a50e3d5532ca5cade3db784c6d178b94d09a-d)](https://vimeo.com/249130093)
|
||||||
|
|
||||||
**Example 2** - Web Cache Deception on OpenAI
|
**Example 2** - Web Cache Deception on OpenAI
|
||||||
1. Attacker crafts a dedicated .css path of the `/api/auth/session` endpoint.
|
1. Attacker crafts a dedicated .css path of the `/api/auth/session` endpoint.
|
||||||
@ -92,6 +101,7 @@ CloudFlare has a list of default extensions that gets cached behind their Load B
|
|||||||
| CLASS | EXE | JS | PICT | SWF | XLS | XLSX |
|
| CLASS | EXE | JS | PICT | SWF | XLS | XLSX |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Labs
|
## Labs
|
||||||
|
|
||||||
* [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning)
|
* [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning)
|
||||||
|
Loading…
Reference in New Issue
Block a user