From d040c0e677bc7fa3c66e63055930ee27f7fdc842 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 28 Mar 2023 21:53:53 +0200 Subject: [PATCH] Web Cache Deception Methodology --- API Key Leaks/README.md | 12 +++++--- Web Cache Deception/README.md | 54 +++++++++++++++++++++++++++++++---- 2 files changed, 57 insertions(+), 9 deletions(-) diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md index f1c9369..e65d687 100644 --- a/API Key Leaks/README.md +++ b/API Key Leaks/README.md @@ -23,16 +23,20 @@ ## Tools -- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder) -- [KeyHacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks) -- [TruffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog) +- [momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder) - is a tool that let you find keys while surfing the web +- [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid +- [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place ```ps1 docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity trufflehog git https://github.com/trufflesecurity/trufflehog.git trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2 ``` -- [Trivy - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets](https://github.com/aquasecurity/trivy) +- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets +- [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints + ```powershell + nuclei -t token-spray/ -var token=token_list.txt + ``` ## Exploit diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md index 4171cd6..5645187 100644 --- a/Web Cache Deception/README.md +++ b/Web Cache Deception/README.md @@ -1,30 +1,51 @@ # Web Cache Deception +## Summary + +* [Tools](#tools) +* [Exploit](#exploit) +* [Methodology - Caching Sensitive Data](#methodology---caching-sensitive-data) +* [Methodology - Caching Custom JavaScript](#methodology---caching-custom-javascript) +* [CloudFlare Caching](#cloudflare-caching) +* [Labs](#labs) +* [References](#references) + + ## Tools -* [Param Miner - PortSwigger](https://github.com/PortSwigger/param-miner) +* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner) > This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities. ## Exploit -1. Browser requests `http://www.example.com/home.php/non-existent.css`. +1. Browser requests a resource such as `http://www.example.com/home.php/non-existent.css`. 2. Server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers that instruct to not cache this page. 3. The response goes through the proxy. 4. The proxy identifies that the file has a css extension. 5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside. -## Methodology of the attack - example +## Methodology - Caching Sensitive Data + +**Example 1** - Web Cache Deception on PayPal Home Page 1. Normal browsing, visit home : `https://www.example.com/myaccount/home/` 2. Open the malicious link : `https://www.example.com/myaccount/home/malicious.css` 3. The page is displayed as /home and the cache is saving the page -4. Open a private tab with the previous URL : `https://www.paypal.com/myaccount/home/malicous.css` +4. Open a private tab with the previous URL : `https://www.example.com/myaccount/home/malicous.css` 5. The content of the cache is displayed Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page [![DEMO](https://i.vimeocdn.com/video/674856618.jpg)](https://vimeo.com/249130093) -## Methodology 2 +**Example 2** - Web Cache Deception on OpenAI +1. Attacker crafts a dedicated .css path of the `/api/auth/session` endpoint. +2. Attacker distributes the link +3. Victims visit the legitimate link. +4. Response is cached. +5. Attacker harvests JWT Credentials. + + +## Methodology - Caching Custom JavaScript 1. Find an un-keyed input for a Cache Poisoning ```js @@ -49,6 +70,28 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page "> ``` + +## CloudFlare Caching + +CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0. + +- The Cloudflare CDN does not cache HTML by default +- Cloudflare only caches based on file extension and not by MIME type: [cloudflare/default-cache-behavior](https://developers.cloudflare.com/cache/about/default-cache-behavior/) + +CloudFlare has a list of default extensions that gets cached behind their Load Balancers. + +| | | | | | | | +|-------|------|------|------|------|-------|------| +| 7Z | CSV | GIF | MIDI | PNG | TIF | ZIP | +| AVI | DOC | GZ | MKV | PPT | TIFF | ZST | +| AVIF | DOCX | ICO | MP3 | PPTX | TTF | CSS | +| APK | DMG | ISO | MP4 | PS | WEBM | FLAC | +| BIN | EJS | JAR | OGG | RAR | WEBP | MID | +| BMP | EOT | JPG | OTF | SVG | WOFF | PLS | +| BZ2 | EPS | JPEG | PDF | SVGZ | WOFF2 | TAR | +| CLASS | EXE | JS | PICT | SWF | XLS | XLSX | + + ## Labs * [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning) @@ -62,3 +105,4 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page * [Web cache poisoning - Web Security Academy learning materials](https://portswigger.net/web-security/web-cache-poisoning) - [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws) - [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws) +* [OpenAI Account Takeover - @naglinagli - Mar 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024)