Caches are woven into websites throughout the net, discreetly juggling data between users, and yet they are rarely scrutinized in any depth. In this session, I'll show you how to remotely probe the inner workings of caches to find subtle inconsistencies, and combine these with gadgets to build majestic exploit chains.
These flaws pervade all layers of caching - from sprawling CDNs, through caching web servers and frameworks, all the way down to fragment-level internal template caches. I'll demonstrate how misguided transformations, naive normalization, and optimistic assumptions let me perform numerous attacks including persistently poisoning every page on an online newspaper, compromising the administration interface on an internal DoD intelligence website, and disabling Firefox updates globally.
As usual, I won't waste your time talking about known techniques. When I presented 'Practical Web Cache Poisoning' in 2018, I targeted a design flaw in the caching concept. This time around I'll dive straight into implementation flaws, ensuring things get much, much messier, resulting in some of the riskiest, most hard-to-find attack techniques yet. Alongside an array of cache-attack techniques, you'll take away methodology and open-source tooling to tackle these technical challenges with confidence.