Behind the Scene : Web Cache Deception Attack


This is a type of attack that affects web frameworks and caching mechanisms. Simply put, it is an attack in which an attacker can expose a user's private information and, in some cases, leverage that into an account takeover.

We all know that websites use a cache to reduce web server latency, so that users get content much faster and the server is spared from fetching the same details again and again.

There are several ways to implement caching. Here we'll take a look at the two most common ones.

Files that are commonly cached are static and public files:-

- Style sheets (css)
- Scripts (js)
- Text files (txt)
- Images (bmp, gif, png etc.)

Caching on Browsers

Understand the concept by a simple flow:-

File cached on the browser -> browser does not request that file from the server again -> latency reduced. This type is not relevant to the deception attack.

Caching on Server

This is the one of interest to us, as it is where this type of attack happens. Server-side caching can be carried out by:-

- Load balancer :- Its main role is to balance traffic among servers, but it can also cache content to reduce the load and latency of the server.
- Reverse proxy :- It fetches content from the web server on behalf of the client and caches it.
- CDN (Content Delivery Network) :- A network of proxies whose role is to serve content faster; each edge node caches content close to the user.

Okay so enough of theory. But it is important to understand the #BehindtheScene.

I will simplify it for you by breaking it down into simpler steps:-

1. Let's say the victim visits an application at www.ethicalkaps.com/profile.php. While logged in, the victim opens the same page with a static-looking file name appended (typically because the attacker sent them the link). Here I use an image name, hackers.png, giving www.ethicalkaps.com/profile.php/hackers.png. (As explained earlier, css/txt/image/js files are the ones commonly cached.)
2. The request arrives at the proxy, which has never seen this URL, so it asks the server to fetch it.
3. #BehindtheScene: the browser sends a GET request for that URL. Depending on the server technology in use, the server may respond 200 OK with the content of www.ethicalkaps.com/profile.php, i.e. it ignores the trailing /hackers.png and the URL in the browser stays the same.
4. The caching mechanism (in this case our proxy) receives the response, sees that the URL ends with hackers.png, treats it as a static file and stores it in the cache.
5. Now the attacker requests www.ethicalkaps.com/profile.php/hackers.png. The request arrives at the proxy, which directly returns the victim's cached profile page, i.e. the attacker receives the content of profile.php, which may contain sensitive data.

For this to work, three conditions must hold:-

- When www.ethicalkaps.com/profile.php/hackers.png is requested, the web server returns the content of profile.php.
- The victim must be authenticated while accessing the vulnerable URL.
- The web cache is configured to cache files by their extension (such as .js, .txt, .css etc.), regardless of what the server actually returned.
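The flow above, as an added offline simulation (example code written for this edit, not from the original article or the Black Hat paper). Everything in it is constructed: the paths, the session cookie, the toy origin and the proxy. The origin answers /profile.php/<anything> with the profile page, the way a PHP server handling PATH_INFO would, and the proxy is shown with the vulnerable extension-based caching policy beside a hardened policy that trusts only the origin's Cache-Control and Content-Type headers:

```python
"""Offline simulation of web cache deception (constructed example).

origin()            toy PHP-style server: /profile.php is private, and
                    /profile.php/<anything> still returns it (PATH_INFO).
Proxy               URL-keyed cache in front of origin(), with a pluggable
                    policy deciding whether a response may be stored.
cache_by_extension  the vulnerable policy (trusts the URL suffix).
cache_by_headers    a hardened policy (trusts only the origin's headers).
"""
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

STATIC_EXTENSIONS = {".css", ".js", ".txt", ".png", ".gif", ".bmp"}
EXPECTED_TYPE = {".css": "text/css", ".js": "application/javascript",
                 ".txt": "text/plain", ".png": "image/png",
                 ".gif": "image/gif", ".bmp": "image/bmp"}

# Constructed session store: cookie value -> logged-in user
SESSIONS = {"sess-victim": "alice"}


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str]


def origin(path: str, cookie: Optional[str]) -> Response:
    """Toy origin. profile.php is private; /static/logo.png is public."""
    if path == "/profile.php" or path.startswith("/profile.php/"):
        user = SESSIONS.get(cookie or "")
        if user is None:
            return Response(302, "redirect to /login", {"Content-Type": "text/html"})
        body = f"<h1>Profile of {user}</h1><p>email: {user}@example.com</p>"
        # No Cache-Control header at all: a common real-world omission that
        # leaves the caching decision entirely to the proxy's policy.
        return Response(200, body, {"Content-Type": "text/html"})
    if path == "/static/logo.png":
        return Response(200, "PNGDATA", {"Content-Type": "image/png",
                                         "Cache-Control": "public, max-age=86400"})
    return Response(404, "not found", {"Content-Type": "text/html"})


Policy = Callable[[str, Response], bool]


def cache_by_extension(path: str, resp: Response) -> bool:
    """Vulnerable: store any 200 whose URL ends in a 'static' extension."""
    return resp.status == 200 and os.path.splitext(path)[1].lower() in STATIC_EXTENSIONS


def cache_by_headers(path: str, resp: Response) -> bool:
    """Hardened: store only if the origin marks the response public and the
    Content-Type matches what the extension promises."""
    if resp.status != 200:
        return False
    cc = resp.headers.get("Cache-Control", "")
    if "public" not in cc or "private" in cc or "no-store" in cc:
        return False
    expected = EXPECTED_TYPE.get(os.path.splitext(path)[1].lower())
    return expected is not None and resp.headers.get("Content-Type", "").startswith(expected)


class Proxy:
    """Caching reverse proxy keyed purely on the request path."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.cache: Dict[str, Response] = {}

    def get(self, path: str, cookie: Optional[str] = None) -> Tuple[Response, bool]:
        """Returns (response, served_from_cache)."""
        if path in self.cache:
            return self.cache[path], True
        resp = origin(path, cookie)
        if self.policy(path, resp):
            self.cache[path] = resp
        return resp, False


def run_attack(policy: Policy) -> Dict[str, object]:
    """The steps from the article: the authenticated victim opens the crafted
    URL first, then the attacker (no session cookie) requests the same URL."""
    proxy = Proxy(policy)
    crafted = "/profile.php/hackers.png"
    victim_resp, _ = proxy.get(crafted, cookie="sess-victim")
    attacker_resp, from_cache = proxy.get(crafted, cookie=None)
    return {"victim_status": victim_resp.status,
            "attacker_status": attacker_resp.status,
            "served_from_cache": from_cache,
            "leaked": "alice@example.com" in attacker_resp.body}


def static_still_cached(policy: Policy) -> bool:
    """Sanity check: the policy must still cache a genuine public asset."""
    proxy = Proxy(policy)
    proxy.get("/static/logo.png")
    return proxy.get("/static/logo.png")[1]


if __name__ == "__main__":
    for name, policy in (("by_extension", cache_by_extension), ("by_headers", cache_by_headers)):
        print(name, run_attack(policy), "static cached:", static_still_cached(policy))
```

Under the extension policy the attacker's unauthenticated request is answered from the cache with alice's profile; under the header policy the profile page is never stored, the attacker gets the 302 to the login page, and the real image is still cached. The simulation deliberately leaves the origin weak so the proxy-side fix is visible on its own; in a real deployment you would also have the server return 404 for extra path segments after profile.php and send Cache-Control: no-store on private pages, so that neither layer depends on the other.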

Note:- This attack is not limited to this methodology. Different web frameworks and caching mechanisms give an attacker other ways to perform a deception attack.

So, this is it for this article. I hope you enjoyed it. I will come back to you with another #BehindtheScene. Till then, take care and keep hunting for good. Keep digging and learning new stuff.

If you like the content then, you can support me over here :- @buymeacoffee.com/ethicalkaps

See you in the next Article. Until then Cherish your life. Peace!😍

You can follow me on Twitter, on Spotify to listen to my writeups, and on Instagram.

Reference:- Omer Gil, "Web Cache Deception Attack", Black Hat USA 2017 whitepaper: https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf
