![Page 1: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/1.jpg)
Cache Me If You CanExposing your application using caching features
Philippe ArteauSecurity Researcher for GoSecure
![Page 2: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/2.jpg)
$ whoami
• Philippe Arteau
• Security Researcher at GoSecure
• Open-source developer• Security Code Scan (Roslyn – Static Analysis for .NET)
• Find Security Bugs (SpotBugs - Static Analysis for Java)
• Burp and ZAP Plugins (Retire.js, CSP Auditor)
• Volunteer for the conference and former trainer
![Page 3: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/3.jpg)
Agenda
• Introduction
• Web Cache Deception
• ESI injection
• Cache poisoning
• Mitigations
![Page 4: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/4.jpg)
Cache server/kaSH ˈsərvər/
A cache server is a dedicated network server or service acting as a server that saves Web pages or other Internet content locally. By placing previously requested information in temporary storage, or cache, a cache server both speeds up access to data and reduces demand on an enterprise's bandwidth.
![Page 5: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/5.jpg)
Overview
The caching services covered will be mainly reverse proxy.CACHE-MISS
Cache service Web server
![Page 6: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/6.jpg)
New Cache Vulnerabilities Discovered
From 2017
• Web Cache Deception
• Cloudbleed
• Binary Webshell Through OPcache in PHP 7
From 2018
• Web Cache Poisoning
• Edge Side Include Injection
• Path Normalization Parser Logic Flaw (can apply to cache/proxy server)
Caching vulnerabilities taken from
"Top10 Web Hacking Techniques"
https://portswigger.net/blog/top-10-web-hacking-techniques-of-2018https://portswigger.net/blog/top-10-web-hacking-techniques-of-2017
![Page 7: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/7.jpg)
DemonstrationSimple caching mechanism
![Page 8: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/8.jpg)
Web Cache Deception
![Page 9: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/9.jpg)
Web Cache Deception
Discovered by Omer Gil in 2017
This allow an attacker to force to a specific user cache private information and view the cache later.
It takes of advantage of different path interpretation.
![Page 10: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/10.jpg)
Sample configuration
The demonstration will be using the following configuration
location ~* .+\.(ico|jpg|gif|jpeg|css|js|flv|png|swf)$ {
proxy_pass http://webapp;rewrite ^/(.*)$ /$1 break;
expires 10m;proxy_cache cache;proxy_cache_key $host$uri#is_args$args;proxy_cache_valid 200 304 12h;proxy_cache_valid 302 301 12h;proxy_cache_valid any 1m;
}
https://www.nginx.com/blog/nginx-caching-guide/https://serversforhackers.com/c/nginx-caching
![Page 11: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/11.jpg)
To cache or not to cache ?
Sensible information is available at a given path:
http://website.com/transactions.php
http://website.com/css/jquery.css
http://website.com/images/favicon.ico
http://website.com/files/song1.mp3
NOT CACHED
CACHED
CACHED
location ~* .+\.(ico|jpg|gif|jpeg|css|js|flv|png|swf)$ { […] }
NOT CACHED
![Page 12: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/12.jpg)
To cache or not to cache ? (part 2)
Sensible information is available at a given path:
http://website.com/transactions.php
http://website.com/transactions.css
http://website.com/transactions.php.css
http://website.com/test.css/%2E%2E/transactions.php
http://website.com/transactions.php/test.css
NOT CACHED
CACHED
CACHED
location ~* .+\.(ico|jpg|gif|jpeg|css|js|flv|png|swf)$ { […] }
NOT CACHED
CACHEDhttp://website.com/transactions.php/test.css
![Page 13: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/13.jpg)
Request flow
Cache server
GET /transactions.php/1.css
$$$
![Page 14: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/14.jpg)
Impacts
• Access to sensitive information• Private documents, images, etc.
• Transactions
• API Token
• Security questions
• Also leakage of CSRF Token• Action can be performed on behalf of users
![Page 15: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/15.jpg)
Is it language specific?
PHP : /page.php => /page.php/test.css
Python Django : /page => /page/test.css
ASP.net Web Forms : /page.aspx => /page.aspx/test.css
JSP pages : /page.jsp => /page.jsp;test.css
![Page 16: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/16.jpg)
DemonstrationWeb Cache Deception
NGINX + PHP
![Page 17: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/17.jpg)
Mitigations
![Page 18: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/18.jpg)
Cache-ControlReturn Cache-Control: private
on pages that return sensible information
PragmaReturn Pragma: no-cache
ExpiresReturn Expires: [past date]
![Page 19: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/19.jpg)
Content-Type Validation
The cache service can validate that the Content-Type returned match the extension.
• *.css text/css
• *.js text/javascript
• …
https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/
![Page 20: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/20.jpg)
ESI Injection
![Page 21: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/21.jpg)
ESI Injection
Discovered by Laurent Desaulniers and Louis Dion-Marcil in 2018
• Malicious use of XML cache directives place in HTTP response
![Page 22: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/22.jpg)
ESI Code Sample
Latest News:<esi:include src="/news_header.htm" />
Welcome to the website!
Cache service
Latest News:<div>Facebook shares drop on Tuesday by 2 percent.</div>
Welcome to the website!
GET /page
![Page 23: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/23.jpg)
Expected flow
ESI include tags
GET /page
Web server
<esi:includesrc=/news.htm/>
GET /page
Cache server
GET /news.htm
![Page 24: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/24.jpg)
Malicious flow
ESI include tags
GET /page?v=<esi:include src=‘x’>GET
/page?v=<esi:include src=‘x’>
Web server
<esi:include src=‘x’>
Cache server
ESIEvaluated
![Page 25: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/25.jpg)
Potential ESI instructions
<esi:include src="/page.htm"/>
<esi:vars>
$(HTTP_COOKIE{__AntiXsrfToken})
</esi:vars>
<esi:inline name="/news_page.html" fetchable="yes">
<script>prompt('Malicious script')</script>
</esi:inline>
<!esi-- -->
![Page 26: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/26.jpg)
DemonstrationESI:include leaking session cookie
![Page 27: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/27.jpg)
Mitigations
![Page 28: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/28.jpg)
Mitigations (ESI)
• Escape properly value return in HTML context in your web pages.• Framework/template automatic escaping should cover this case
• Verify that ESI is not enable on your cache service
• Avoid returning Surrogate-Control: content="ESI/1.0" on page that contains user content.
![Page 29: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/29.jpg)
Cache Poisoning
![Page 30: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/30.jpg)
Cache Poisoning
• Discovered by James Kettles from PortSwigger in 2018
• Use Caching server in order to propagate• Cross-Site Scripting (XSS)
• Open-redirect
• Other content poisoning (file download, resources, …)
It require vulnerabilities based on reflected HTTP header.
![Page 31: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/31.jpg)
Can we exploit this?
![Page 32: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/32.jpg)
DemonstrationCache poisoning
![Page 33: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/33.jpg)
What just happened?
Cache server
GET /xssme.php/1.cssHost: evil.com
<script src=evil.com../>
![Page 34: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/34.jpg)
Mitigations
![Page 35: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/35.jpg)
Mitigations (Cache Poisoning)
• Same as Cache Deception
• Also, considered the risk when “unexploitable” XSS are found.
![Page 36: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/36.jpg)
![Page 37: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/37.jpg)
In summary
• The cache services deployed can affect your application
• Review the configuration of those services• Features enable
• Regex for the caching resources to include
• Make sure cache headers are returned (Cache-Control, Pragma, ..) on authenticated page
![Page 39: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/39.jpg)
References
![Page 40: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/40.jpg)
Web Cache Deception
• http://omergil.blogspot.com/2017/02/web-cache-deception-attack.html
• https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf
![Page 41: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/41.jpg)
ESI Injection
• https://gosecure.net/2018/04/03/beyond-xss-edge-side-include-injection
• https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations
![Page 42: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/42.jpg)
Cache poisonning
• https://portswigger.net/blog/practical-web-cache-poisoning
• https://portswigger.net/blog/bypassing-web-cache-poisoning-countermeasures
![Page 43: Cache Me If You Can - GitHub Pages · New Cache Vulnerabilities Discovered From 2017 •Web Cache Deception •Cloudbleed •Binary Webshell Through OPcache in PHP 7 From 2018 •Web](https://reader036.vdocuments.us/reader036/viewer/2022062602/5ee00abfad6a402d666b4ccc/html5/thumbnails/43.jpg)
• Credit to Mike McDonald / Ember Studio for the Computers Icons