Web Cache Deception Attack

Presented at Black Hat USA 2017, July 26, 2017, 10:30 a.m. (25 minutes).

The Web Cache Deception attack is a new web attack vector that puts various technologies and frameworks at risk. By manipulating the behaviors of web servers and caching mechanisms, anonymous attackers can expose sensitive information of authenticated application users, and in certain cases even take control of their accounts. The attack is amazingly simple to identify and exploit. During this talk, the audience will be introduced to an in-depth analysis of the anatomy, prerequisites and mitigation of the attack. The talk will proceed with the behaviors of different web servers and caching mechanisms, and will be capped off with examples of vulnerable websites and a live demo.


Presenters:

  • Omer Gil - Penetration Testing Lead, Independent
    Omer Gil is an information security team leader at EY Advanced Security Center, with seven years of experience in penetration testing, incident response, and technical training. In his position at EY, Omer leads a team of penetration testers that conducts security assessments, mainly on web applications and infrastructure. The team performs assessments for some of the largest companies all over the world, in industries such as banking, insurance, gaming and hospitality.
