Gotta Cache ‘em all: bending the rules of web cache exploitation

Presented at DEF CON 32 (2024), Aug. 10, 2024, 10:30 a.m. (45 minutes).

In recent years, web cache attacks have become a popular way to steal sensitive data, deface websites, and deliver exploits. We've also seen parser inconsistencies causing critical vulnerabilities like HTTP Request Smuggling. This raises the question: what happens if we attack web caches' URL parsers? In this session, I'll introduce two powerful new techniques that exploit RFC ambiguities to bypass the limitations of web cache deception and poisoning attacks. First, I'll introduce Static Path Deception, a novel technique to completely compromise the confidentiality of an application. I'll illustrate this with a case study showing how such a breach can be replicated in environments like Nginx behind Cloudflare. Next, I'll present Cache Key Confusion, and show how to exploit URL parsing inconsistencies in major platforms, including Microsoft Azure Cloud. I'll then show how to achieve arbitrary cache poisoning and full denial of service. Finally, I'll reveal how to supercharge these vulnerabilities with a live demo that blends Cache Key Confusion with a "non-exploitable" open redirect to execute arbitrary JS code for complete site takeover. Attendees will depart armed with a set of innovative techniques, along with a definitive methodology to find and exploit these and other URL or HTTP discrepancies.

References:

  • Web Cache Deception Attack - Omer Gil [link](https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf)
    This is the first time Web Cache Deception attacks were introduced, and it served as the starting point for my research.
  • Web Cache Entanglement: Novel Pathways to Poisoning - James Kettle [link](https://portswigger.net/research/web-cache-entanglement)
    This research served as an inspiration for the cache poisoning techniques. I also used this paper to outline the state of the art in web cache exploitation and to create a different approach using parser discrepancies.
  • Cached and confused: Web cache deception in the wild - Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda and William Robertson [link](https://www.usenix.org/system/files/sec20-mirheidari.pdf)
    The web cache deception techniques using delimiters for path confusion were inspired by this 2020 USENIX presentation. In it, the authors briefly describe some variations of path confusion using four encoded characters. Although the objective of their paper was a large-scale study of web cache deception vulnerabilities in the wild, it also introduced the use of delimiters for path confusion. In my presentation I'll expand on this concept, providing a methodology to find all the delimiters used by a URL parser and explaining how to use them in new exploitation techniques.
  • ChatGPT Account Takeover - Wildcard Web Cache Deception - Harel Security Research [link](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html)
    While this research was being conducted, a vulnerability using a single variation of one of the techniques (Static Path Confusion) was published as a write-up.
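A simplified model of the delimiter discrepancy behind the path-confusion techniques described above, as an added example that is not code from the talk or from PortSwigger: a constructed cache rule keys on the raw path's file extension, a constructed origin cuts the path at framework delimiters, a consistency check enumerates the candidate characters on which the two disagree (the "find all the delimiters" step, modelled offline), and a hardened cache rule applies the origin's normalization before deciding. The delimiter set, extensions and paths are assumptions, not measurements of any real product.

```python
from urllib.parse import unquote

# Constructed model of an origin framework that ends the route segment at
# these characters (e.g. ';' for matrix parameters). Assumption: the real
# set differs per framework and must be measured against the actual origin.
ORIGIN_DELIMITERS = {";", "?", "#"}
# Constructed list of extensions the modelled cache treats as static.
STATIC_EXTENSIONS = (".css", ".js", ".png")


def origin_route(raw_path: str) -> str:
    """Model origin routing: percent-decode once, then cut at the first delimiter."""
    path = unquote(raw_path)
    for i, ch in enumerate(path):
        if ch in ORIGIN_DELIMITERS:
            return path[:i]
    return path


def naive_cache_is_static(raw_path: str) -> bool:
    """Model a cache rule that decides purely on the raw path's extension."""
    return raw_path.lower().endswith(STATIC_EXTENSIONS)


def consistent_cache_is_static(raw_path: str) -> bool:
    """Hardened rule: normalize the way the origin does before checking the extension."""
    return origin_route(raw_path).lower().endswith(STATIC_EXTENSIONS)


def find_discrepant_delimiters(candidates, cache_rule, dynamic="/account"):
    """Return the candidate strings for which the two parsers disagree:
    the cache rule would store the response, yet the origin serves `dynamic`.
    An empty result means the cache rule is consistent with the origin model."""
    found = []
    for cand in candidates:
        probe = f"{dynamic}{cand}x.css"  # constructed probe path
        if cache_rule(probe) and origin_route(probe) == dynamic:
            found.append(cand)
    return found


if __name__ == "__main__":
    cands = [";", "%3F", "%23", "-", "."]
    print("naive rule disagrees on:", find_discrepant_delimiters(cands, naive_cache_is_static))
    print("consistent rule disagrees on:", find_discrepant_delimiters(cands, consistent_cache_is_static))
```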

Presenters:

  • Martin Doyhenard - Security Researcher at PortSwigger
    Martin Doyhenard is a Security Researcher at PortSwigger, known for exploiting HTTP servers and web applications. Over the past few years he has presented his findings at multiple top security conferences, including BlackHat, DEFCON, RSA, EkoParty, Hack in The Box and Troopers. His latest work includes discovering HTTP Response Smuggling techniques and exploiting SAP's Inter-Process Communication service, compromising more than 200 thousand companies in the world. He's also passionate about low-level reverse engineering and testing his skills in online CTFs.
