What is web cache poisoning attack and web cache deception attack?


A web cache poisoning attack is a serious attack in which victims are delivered malicious content. It poisons the behaviour of the real website, and visitors to the website can even be pointed to a harmful server. The attacker carries it out by sending crafted requests that inject or store malicious responses in the caching systems.


A web cache deception attack, by contrast, is when the attacker requests certain website URLs so that the cache then serves the attacker other users' cached website data, which may contain their confidential information. This happens when a web application is poorly configured with flexible URL paths. Web cache deception attacks are possible simply by fooling caching systems such as a CDN.


So, before understanding how the bad guy executes this type of attack, one must understand the caching mechanisms and DNS.


What are the types of caching mechanism?


    • CDN (Content Delivery Network) is a distributed network of proxies all over the world. A CDN caches the website data, and the CDN node closest to the user is the one that serves the content.
    • Load Balancer balances the traffic between more than one server. Load balancers can also cache website content in order to deliver it to the user as fast as possible.
    • Reverse Proxy functions as a front end to the web server, forwarding requests to the web server on behalf of the user. A reverse proxy can also cache the web application's content.


What is a DNS (Domain Name System)?


DNS is a system that looks up web domain names and translates them to the IP addresses that point to specific web servers. So when you type a domain into your browser or mobile app, the DNS system works as the internet's phonebook and points the user to the specific server, based on the translated IP address, to deliver the right content.


How to execute web cache poisoning attack?


If an attacker can compromise the DNS resolver's cache and plant the attacker's domain record in it, they can redirect the real visitors of the website to the attacker's server. Once the users are redirected to the bad guy's server, he may be able to mount many other attacks from there; that is the big danger behind DNS poisoning.
Now let's see how the web cache poisoning attack itself is made possible. There are different ways to do this. Let's look at some basic examples here.


REQUEST
GET /en?cb=1 HTTP/1.1
Host: www.target-website.com
X-Forwarded-Host: attacker.com


RESULT
HTTP/1.1 200 OK
Cache-Control: public, no-cache
…
<meta property="og:image" content="https://attacker.com/.....png" />

Here the attacker sent a plain request with X-Forwarded-Host set to the attacker's host, and the end result is striking: a reference to the attacker's web files got cached in the cache system, so the next users who try to reach the target website will be served the attacker's data.

The X-Forwarded-Host header fooled the web cache system: the application used it to generate the meta tags that ended up in the cache. From here, one can probe further to understand all the possibilities of injecting the desired code into the caching system, for example to see whether it is exploitable with cross-site scripting. Some poorly configured cache systems even accept plain JavaScript passed inside the X-Forwarded-Host header.
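The mechanism behind the request/response pair above is that X-Forwarded-Host changes the response but is not part of the cache key. The following is an added example (not code from the original post): a toy model of a shared cache keyed on method, Host and path+query, in front of an origin that builds an absolute og:image URL from X-Forwarded-Host. It shows the poisoned response reaching a later visitor, and two mitigations: an origin that only ever uses its configured canonical host, and a front end that strips the untrusted header before the origin sees it. All hostnames (`www.target-website.example`, `attacker.example`) are constructed.

```python
"""Toy model of web cache poisoning through an unkeyed request header.

Added example, not code from the original post. The cache keys responses on
method + Host + path/query only; any other header is "unkeyed", so a response
that depends on it is served to everyone who hits the same key.
All hostnames below are constructed.
"""
from dataclasses import dataclass

CANONICAL_HOST = "www.target-website.example"  # constructed canonical hostname


@dataclass
class Request:
    method: str
    path: str          # path including query string
    headers: dict


def vulnerable_origin(req: Request) -> str:
    """Trusts X-Forwarded-Host when building the absolute og:image URL."""
    host = req.headers.get("X-Forwarded-Host", req.headers["Host"])
    return f'<meta property="og:image" content="https://{host}/share.png" />'


def hardened_origin(req: Request) -> str:
    """Builds absolute URLs only from a configured canonical host, never from headers."""
    return f'<meta property="og:image" content="https://{CANONICAL_HOST}/share.png" />'


class Cache:
    """Shared cache: key = (method, Host, path+query); everything else is unkeyed."""

    def __init__(self, origin, strip_headers=()):
        self.origin = origin
        self.strip_headers = set(strip_headers)  # headers dropped before forwarding
        self.store = {}
        self.hits = 0

    def fetch(self, req: Request) -> str:
        key = (req.method, req.headers["Host"], req.path)
        if key in self.store:
            self.hits += 1
            return self.store[key]
        # Mitigation 2: drop untrusted forwarding headers at the edge.
        clean_headers = {k: v for k, v in req.headers.items()
                         if k not in self.strip_headers}
        body = self.origin(Request(req.method, req.path, clean_headers))
        self.store[key] = body
        return body


def extract_host(body: str) -> str:
    """Return the hostname inside the first https:// URL in the body."""
    start = body.index("https://") + len("https://")
    return body[start:body.index("/", start)]


def run_scenario(origin, strip_headers=()) -> str:
    """One attacker request primes the cache, then a victim asks for the same URL.

    Returns the og:image hostname the victim is served.
    """
    cache = Cache(origin, strip_headers)
    attacker = Request("GET", "/en?cb=1",
                       {"Host": CANONICAL_HOST, "X-Forwarded-Host": "attacker.example"})
    victim = Request("GET", "/en?cb=1", {"Host": CANONICAL_HOST})
    cache.fetch(attacker)          # cache miss: origin response is stored
    body = cache.fetch(victim)     # cache hit: victim gets whatever was stored
    assert cache.hits == 1
    return extract_host(body)


if __name__ == "__main__":
    print("vulnerable origin, victim sees:", run_scenario(vulnerable_origin))
    print("hardened origin, victim sees:  ", run_scenario(hardened_origin))
    print("header stripped at edge:       ",
          run_scenario(vulnerable_origin, strip_headers=("X-Forwarded-Host",)))
```

A third option not modelled here is to include the header in the cache key (a `Vary`-style key), which stops the cross-user effect but still lets the attacker poison their own cache entry; dropping the header at the edge or ignoring it at the origin is the cleaner fix.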

How to execute web cache deception attack?

This is very easy to execute. Consider a target website that has account login and a "my account" page, so the target website holds the information of multiple users.
Let's use two different browsers, Chrome and Firefox.
The Chrome user logs into the target website and is successfully redirected to his account page.
At this point, suppose an attacker serves this user a non-suspicious URL that looks something as simple as this.

http://www.paypal.com/myaccount/home/style.css

Towards the end of the account page URL there is a style sheet file name. As soon as the CDN sees this URL, it assumes the user is requesting a style sheet and caches the response for this URL, which is actually the "my account" page that the preceding part of the URL resolved to. Now open the same URL in the Firefox browser: you can see the entire cached page with the account information in Firefox. The immense threat of this type of attack is that the web cache can also cache sensitive information such as session IDs and tokens, which enables the hacker to entirely take over the account.
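The deception works because two decisions are made on the wrong basis: the origin answers `/myaccount/home/style.css` with the account page instead of a 404, and the CDN decides cacheability from the URL extension instead of from the response. The following is an added example (not code from the original post) that models both decisions side by side: a permissive versus a strict origin, and an extension-based versus a response-based cacheability rule. The responses and the `session=CONSTRUCTED` cookie value are constructed sample data.

```python
"""Cache-deception cacheability rules, side by side.

Added example, not code from the original post. Models the CDN's question
"should this response go into the shared cache?" for a URL such as
/myaccount/home/style.css. Sample responses and paths are constructed.
"""
from dataclasses import dataclass
import posixpath

# Extension -> Content-Type the CDN expects for a genuine static asset.
STATIC_EXT = {".css": "text/css", ".js": "application/javascript", ".png": "image/png"}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Constructed sample responses.
ACCOUNT_PAGE = Response(200, {"Content-Type": "text/html; charset=utf-8",
                              "Set-Cookie": "session=CONSTRUCTED; HttpOnly"},
                        "<h1>My account</h1><p>email: user@example.invalid</p>")
STYLESHEET = Response(200, {"Content-Type": "text/css",
                            "Cache-Control": "public, max-age=86400"},
                      "body { color: black }")
NOT_FOUND = Response(404, {"Content-Type": "text/plain"}, "not found")


def permissive_origin(path: str) -> Response:
    """Vulnerable origin: anything under /myaccount/home/ is treated as the account page."""
    if path.startswith("/myaccount/home"):
        return ACCOUNT_PAGE
    if path == "/static/app.css":
        return STYLESHEET
    return NOT_FOUND


def strict_origin(path: str) -> Response:
    """Hardened origin: only exact routes are served; trailing junk is a 404."""
    routes = {"/myaccount/home": ACCOUNT_PAGE, "/static/app.css": STYLESHEET}
    return routes.get(path, NOT_FOUND)


def extension_rule(path: str, resp: Response) -> bool:
    """Vulnerable CDN rule: cache any 200 whose URL looks like a static asset."""
    return resp.status == 200 and posixpath.splitext(path)[1] in STATIC_EXT


def hardened_rule(path: str, resp: Response) -> bool:
    """Hardened CDN rule: cache only when the response itself says it is a shareable asset."""
    if resp.status != 200:
        return False
    cc = {d.strip().lower() for d in resp.headers.get("Cache-Control", "").split(",")}
    if cc & {"private", "no-store"} or "Set-Cookie" in resp.headers:
        return False  # per-user content must never enter a shared cache
    ext = posixpath.splitext(path)[1]
    ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ext in STATIC_EXT and STATIC_EXT[ext] == ctype  # extension and type must agree


def would_cache(origin, rule, path: str) -> bool:
    """True if the rule would store the origin's response for this path in the shared cache."""
    return rule(path, origin(path))


if __name__ == "__main__":
    victim_url = "/myaccount/home/style.css"
    for o in (permissive_origin, strict_origin):
        for r in (extension_rule, hardened_rule):
            print(f"{o.__name__:18} {r.__name__:15} cache {victim_url}? "
                  f"{would_cache(o, r, victim_url)}")
```

Either fix alone closes this particular path: the strict origin never produces a 200 for the padded URL, and the hardened rule refuses to store a response that sets a cookie or whose Content-Type does not match the extension. In practice both are applied, and the origin additionally sends `Cache-Control: private, no-store` on authenticated pages so that any intermediate cache, not just this one, has an explicit instruction.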

