From c852118ec8971f5f7a457b9880f3c6b437865e0c Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Thu, 11 Jan 2024 12:20:25 +0100 Subject: [PATCH] Web Cache Deception + phpt file format --- .../Extension PHP/shell.phpt | 10 ++++++- Upload Insecure Files/README.md | 1 + Web Cache Deception/README.md | 28 ++++++++++++++++++- 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/Upload Insecure Files/Extension PHP/shell.phpt b/Upload Insecure Files/Extension PHP/shell.phpt index b1abb37..f5c0a3f 100644 --- a/Upload Insecure Files/Extension PHP/shell.phpt +++ b/Upload Insecure Files/Extension PHP/shell.phpt @@ -1 +1,9 @@ - \ No newline at end of file +--TEST-- +echo - basic test for echo language construct +--FILE-- + +--EXPECT-- +This works and takes args! \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 274e6bc..d5c58fe 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -219,3 +219,4 @@ Upload the XML file to `$JETTY_BASE/webapps/` * [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/) * [Inyección de código en imágenes subidas y tratadas con PHP-GD - Spanish Resource - hackplayers](https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html) * [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) +* [PHP Internals Book - THE .PHPT FILE STRUCTURE](https://www.phpinternalsbook.com/tests/phpt_file_structure.html) \ No newline at end of file diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md index 1294dc3..f1386a2 100644 --- a/Web Cache Deception/README.md +++ b/Web Cache Deception/README.md 
@@ -1,6 +1,8 @@ # Web Cache Deception + > Web Cache Deception (WCD) is a security vulnerability that occurs when a web server or caching proxy misinterprets a client's request for a web resource and subsequently serves a different resource, which may often be more sensitive or private, after caching it. + ## Summary * [Tools](#tools) @@ -17,6 +19,7 @@ * [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) > This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities. + ## Exploit Example of Web Cache Deception: @@ -80,6 +83,16 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page ``` +## Tricks + +The following URL format are a good starting point to check for "cache" feature. + +* https://example.com/app/conversation/.js?test +* https://example.com/app/conversation/;.js +* https://example.com/home.php/non-existent.css + + + ## CloudFlare Caching CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0. @@ -87,6 +100,10 @@ CloudFlare caches the resource when the `Cache-Control` header is set to `public - The Cloudflare CDN does not cache HTML by default - Cloudflare only caches based on file extension and not by MIME type: [cloudflare/default-cache-behavior](https://developers.cloudflare.com/cache/about/default-cache-behavior/) + +In Cloudflare CDN, one can implement a `Cache Deception Armor`, it is not enabled by default. +When the `Cache Deception Armor` is enabled, the rule will verify a URL's extension matches the returned `Content-Type`. + CloudFlare has a list of default extensions that gets cached behind their Load Balancers. | | | | | | | | 
@@ -101,11 +118,18 @@ CloudFlare has a list of default extensions that gets cached behind their Load B | CLASS | EXE | JS | PICT | SWF | XLS | XLSX | +Exceptions and bypasses: + +* If the returned Content-Type is application/octet-stream, the extension does not matter because that is typically a signal to instruct the browser to save the asset instead of to display it. +* Cloudflare allows .jpg to be served as image/webp or .gif as video/webm and other cases that we think are unlikely to be attacks. +* [Bypassing Cache Deception Armor using .avif extension file - fixed](https://hackerone.com/reports/1391635) + ## Labs * [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning) + ## References * [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html) 
@@ -116,4 +140,6 @@ CloudFlare has a list of default extensions that gets cached behind their Load B - [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws) - [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws) * [OpenAI Account Takeover - @naglinagli - Mar 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024) -* [Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Gal Nagli](https://www.shockwave.cloud/blog/shockwave-works-with-openai-to-fix-critical-chatgpt-vulnerability) \ No newline at end of file +* [Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Gal Nagli](https://www.shockwave.cloud/blog/shockwave-works-with-openai-to-fix-critical-chatgpt-vulnerability) +* [Cache Deception Armor - Cloudflare](https://developers.cloudflare.com/cache/cache-security/cache-deception-armor/) +* [How I Test For Web Cache Vulnerabilities + Tips And Tricks - bombon - Jul 21, 2022](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9) \ No newline at end of file
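Review bot: in the `Upload Insecure Files/Extension PHP/shell.phpt` hunk the `--FILE--` section is empty as shown here (the header announces 9 added lines, only 6 are visible), so nothing in the test produces the `--EXPECT--` line `This works and takes args!`; confirm the `<?php ... ?>` body between `--FILE--` and `--EXPECT--` was not stripped on the way in and restore it if it was, otherwise the sample is not a valid phpt test. The new file also ends with `\ No newline at end of file`; add the trailing newline so later edits do not touch the last line.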
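Review bot: the `Upload Insecure Files/README.md` hunk appends only a reference link for the `.phpt` format, while the section body says nothing about why that extension is now listed, i.e. which web-server handler configuration maps `.phpt` to the PHP interpreter; that is the fact a defender needs to decide whether an upload denylist or handler mapping has to cover it. Add a one-line explanation next to the new `shell.phpt` sample and keep the PHP Internals Book link as its source. The file still lacks a trailing newline.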
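Review bot: in the `Web Cache Deception/README.md` hunk at `@@ -1,6 +1,8 @@` the new definition says the server "serves a different resource ... after caching it", which blurs the actual failure: the origin returns a user-specific (often authenticated) response, the cache stores it under a URL it treats as static, and later requests for that URL from other clients receive the stored copy. Rephrase the blockquote along those lines so the "different resource" is clearly the cached private response, not something the server chooses to serve.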
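Review bot: in the `@@ -80,6 +83,16 @@` hunk, "The following URL format are a good starting point to check for "cache" feature" should read "The following URL formats are a good starting point to check for caching", and the three blank lines before `## CloudFlare Caching` should be collapsed to one. The list also gives no way to tell a positive result from a negative one; add a sentence saying what to look for on a repeated request (a cache-hit header such as `CF-Cache-Status` for the Cloudflare section below, or the response being identical across sessions), which is the same observation a defender uses to confirm a misconfigured cache rule.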
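Review bot: in the `@@ -87,6 +100,10 @@` hunk, "one can implement a `Cache Deception Armor`, it is not enabled by default" is a comma splice; suggest "Cloudflare offers a `Cache Deception Armor` setting, which is not enabled by default. When it is enabled, the rule verifies that a URL's extension matches the returned `Content-Type`." The added lines also spell the vendor "Cloudflare" while the surrounding heading and text use "CloudFlare"; pick one (the vendor writes "Cloudflare") for the whole file, and point the reader to the Cache Deception Armor reference added in the last hunk for where the setting is turned on.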
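Review bot: in the `@@ -101,11 +118,18 @@` hunk the two bullets under "Exceptions and bypasses" are written in Cloudflare's voice ("other cases that we think are unlikely to be attacks"), so in this README "we" reads as the repository authors' own judgement; either quote them as Cloudflare's documented exceptions (with the Cache Deception Armor link from the last hunk as the source) or reword to "cases Cloudflare considers unlikely to be attacks". It would also help to split the list into the documented exceptions (first two bullets) and the reported bypass (the HackerOne link), since they are different kinds of item.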
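Review bot: the `@@ -116,4 +140,6 @@` hunk rewrites the Shockwave reference line only to add a newline after it, yet the file still ends with `\ No newline at end of file` on the new bombon entry; add the trailing newline now so the next reference added does not produce the same one-line churn.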