Web cache deception was first presented by security researcher Omer Gil in 2017. The attack abuses the caching layer in front of a web server to extract sensitive, user-specific data.
Caching reduces the load on a web server and the time it takes to respond. This attack targets the configuration of that caching layer: if cacheability is decided carelessly, content that was never meant to be cached ends up in the cache.
We will get into the details of the attack point by point.
Initially, a request made to the server typically passes through a CDN (content delivery network), a geographically distributed network of proxy servers and data centres. A CDN provides high availability and performance by serving content from the location closest to the end user. Its edge servers are scattered across the world and keep local cached copies of web content, giving users faster access and reducing the load on the origin web servers.
Edge servers are powerful machines placed at the "edge" of a network, close to where data is produced and consumed, so they can serve the systems or applications near them instead of forwarding every request to the origin.
The most basic rule of caching is that cached items must not contain private or user-specific data. Ideally only static content that is identical for every user, such as images, CSS files and PDF files, is cached, while dynamic requests for user-specific data are passed through to the origin servers. This rule exists for security reasons: unlike the origin web server, a cache server has no mechanism for identifying an authenticated user, so it cannot tell whether the requester is authorised to see what it is about to serve.
As stated above, a request from a user may pass through proxies and several layers of caching, including one or more CDNs and centralised server-side caches, before it finally reaches the origin web server.
In a typical web cache deception attack, the attacker first identifies a page that returns highly sensitive data, such as an account settings page. The attacker then crafts a request that the caching layer (a load balancer, reverse proxy, CDN or similar service) interprets differently from the origin web server: the cache sees a static, cacheable resource, while the origin serves the dynamic, user-specific page.
The goal is to get content cached that would never be cached under normal circumstances. Some web applications, when asked for a non-existent object, fall back to the closest existing object in the path; this behaviour is known as path confusion. The attacker exploits it by appending a non-existent file name with a cacheable extension, such as .jpg or .css, to the URL of the sensitive page.
For example, a logged-in victim who is lured into opening https://www.example.com/account.php/nonexistent.css receives their own account page from the origin, while the cache, seeing a .css resource, stores that response; the attacker then requests the same URL without any session and is served the victim's cached account page.
The figure below summarises the process described so far.
Figure: Web cache deception using path confusion
Web cache deception can cause various attacks, such as
Web cache deception arises mainly when the cache is configured poorly. Because web cache configuration is specific to the application's requirements, the recommendations are also largely application-specific. The following generic recommendations mitigate the risk to some extent, but not fully.
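The following Python model, added here as an example and not code from the original article or from Varutra, ties the attack walkthrough above to the two server-side controls that defeat it. It simulates an edge cache that decides cacheability by file extension in front of an origin that suffers from path confusion, runs the victim-then-attacker sequence against it, and then repeats the run with the origin returning 404 for unknown paths and with Cache-Control: no-store set on authenticated pages. The hostnames, cookie names, session data and the trap URL are all invented for the example.

```python
"""Constructed simulation of web cache deception via path confusion (example code
added for this article, not the author's or any vendor's implementation)."""

from dataclasses import dataclass

# Constructed session store: cookie value -> sensitive account data (invented).
SESSIONS = {"sess-alice": "alice@example.com, card ending in 4242"}

# Extensions the edge cache treats as static, mirroring the rule described in the text.
STATIC_EXTENSIONS = (".css", ".js", ".jpg", ".png", ".pdf")


@dataclass
class Response:
    status: int
    body: str
    headers: dict


class Origin:
    """Origin web server.

    path_confusion=True routes /account.php/<anything> to /account.php, which is the
    fallback behaviour the attack relies on. hardened=True marks every authenticated
    page Cache-Control: no-store so a well-behaved cache will not store it.
    """

    def __init__(self, path_confusion=True, hardened=False):
        self.path_confusion = path_confusion
        self.hardened = hardened

    def handle(self, path, cookies):
        first_segment = "/" + path.strip("/").split("/")[0]
        route = first_segment if self.path_confusion else path
        if route != "/account.php":
            return Response(404, "Not Found", {"Content-Type": "text/plain"})
        headers = {"Content-Type": "text/html"}
        if self.hardened:
            headers["Cache-Control"] = "no-store"
        data = SESSIONS.get(cookies.get("session"))
        if data is None:
            return Response(302, "", {**headers, "Location": "/login"})
        return Response(200, f"<html>Account: {data}</html>", headers)


class EdgeCache:
    """CDN-style cache that decides cacheability from the URL's file extension.
    honor_cache_control=True makes it additionally respect Cache-Control: no-store."""

    def __init__(self, origin, honor_cache_control=False):
        self.origin = origin
        self.honor_cache_control = honor_cache_control
        self.store = {}

    def fetch(self, path, cookies=None):
        cookies = cookies or {}
        if path in self.store:
            hit = self.store[path]
            return Response(hit.status, hit.body, {**hit.headers, "X-Cache": "HIT"})
        resp = self.origin.handle(path, cookies)
        cacheable = resp.status == 200 and path.endswith(STATIC_EXTENSIONS)
        if self.honor_cache_control and "no-store" in resp.headers.get("Cache-Control", ""):
            cacheable = False
        if cacheable:
            self.store[path] = resp
        return Response(resp.status, resp.body, {**resp.headers, "X-Cache": "MISS"})


def run_attack(cache, trap_url="/account.php/nonexistent.css"):
    """The logged-in victim is lured into opening the trap URL; the attacker then
    requests the same URL with no cookies. Returns (victim_response, attacker_response)."""
    victim = cache.fetch(trap_url, {"session": "sess-alice"})
    attacker = cache.fetch(trap_url)
    return victim, attacker


def leaked(attacker_response):
    """True when the attacker received a cached copy of another user's account page."""
    return (attacker_response.headers.get("X-Cache") == "HIT"
            and "Account:" in attacker_response.body)


if __name__ == "__main__":
    scenarios = {
        "vulnerable (path confusion, extension-based cache)": EdgeCache(Origin()),
        "origin returns 404 for unknown paths": EdgeCache(Origin(path_confusion=False)),
        "no-store on auth pages, cache honours it": EdgeCache(Origin(hardened=True), honor_cache_control=True),
        "no-store on auth pages, cache ignores it": EdgeCache(Origin(hardened=True)),
    }
    for name, cache in scenarios.items():
        _, attacker = run_attack(cache)
        print(f"{name:50s} leak={leaked(attacker)} status={attacker.status} "
              f"X-Cache={attacker.headers['X-Cache']}")
```

The last scenario is the caveat a tester should keep in mind: Cache-Control: no-store only helps when every cache on the path honours it, so fixing the origin's path handling (rejecting /account.php/anything rather than serving /account.php) is the control that works regardless of how the CDN is configured. When testing a real target, the same victim-then-attacker sequence applies: open the trap URL while logged in, then fetch it from a clean session and look for an X-Cache: HIT or non-zero Age header together with user-specific content.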
Thank you.
Author
Pralekya Hirmalwar
Attack&Pentest Team
Varutra Consulting Pvt. Ltd.