Web cache poisoning has long been an elusive vulnerability, a 'theoretical' threat used mostly to scare developers into obediently patching issues that nobody could actually exploit.

In this paper I'll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.

I'll illustrate and develop this technique with vulnerabilities that handed me control over numerous popular websites and frameworks, progressing from simple single-request attacks to intricate exploit chains that hijack JavaScript, pivot across cache layers, subvert social media and misdirect cloud services. I'll wrap up by discussing defense against cache poisoning, and releasing the open source Burp Suite Community extension that fueled this research.

You can also watch my presentation on this research, or peruse it as a printable whitepaper.

To grasp cache poisoning, we'll need to take a quick look at the fundamentals of caching. Web caches sit between the user and the application server, where they save and serve copies of certain responses. In the diagram below, we can see three users fetching the same resource one after the other:

Caching is intended to speed up page loads by reducing latency, and also reduce load on the application server. Some companies host their own cache using software like Varnish, and others opt to rely on a Content Delivery Network (CDN) like Cloudflare, with caches scattered across geographical locations. Also, some popular web applications and frameworks like Drupal have a built-in cache.

There are also other types of cache, such as client-side browser caches and DNS caches, but they're not the focus of this research.

The concept of caching might sound clean and simple, but it hides some risky assumptions. Whenever a cache receives a request for a resource, it needs to decide whether it has a copy of this exact resource already saved and can reply with that, or if it needs to forward the request to the application server.

Identifying whether two requests are trying to load the same resource can be tricky; requiring that the requests match byte-for-byte is utterly ineffective, as HTTP requests are full of inconsequential data, such as the requester's browser:

GET /blog/post.php?mobile=1 HTTP/1.1

Caches tackle this problem using the concept of cache keys – a few specific components of an HTTP request that are taken to fully identify the resource being requested. In the request above, I've highlighted the values included in a typical cache key in orange.

This means that caches think the following two requests are equivalent, and will happily respond to the second request with a response cached from the first:

GET /blog/post.php?mobile=1 HTTP/1.1
Connection: close

GET /blog/post.php?mobile=1 HTTP/1.1

As a result, the page will be served in the wrong language to the second visitor. This hints at the problem – any difference in the response triggered by an unkeyed input may be stored and served to other users. In theory, sites can use the 'Vary' response header to specify additional request headers that should be keyed. In practice, the Vary header is only used in a rudimentary way, CDNs like Cloudflare ignore it outright, and people don't even realise their application supports any header-based input.

This causes a healthy number of accidental breakages, but the fun really starts when someone intentionally sets out to exploit it.

The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users.

In this paper, we're going to poison caches using unkeyed inputs like HTTP headers. This isn't the only way of poisoning caches - you can also use HTTP Response Splitting and Request Smuggling - but it is the most reliable. Please note that web caches also enable a different type of attack called Web Cache Deception which should not be confused with cache poisoning.

We'll use the following methodology to find cache poisoning vulnerabilities:

Rather than attempt to explain this in depth upfront, I'll give a quick overview then demonstrate it being applied to real websites.

The first step is to identify unkeyed inputs.
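The cache-key behaviour described earlier (a shared cache treating two requests that differ only in an unkeyed header as the same resource, and the Vary response header as the mechanism for widening the key) can be reproduced with a few dozen lines of Python. The following is an added example and is not code from the original paper or its author: it models a cache whose primary key is the method, Host and path/query, an origin that renders the page in the language named by a cookie, and a switch that makes the cache ignore Vary in the way the text says some CDNs do. The example.com host, the "language" cookie, the "pl"/"th" values and the response bodies are all constructed for illustration.

```python
# Added example (not code from the original paper): a toy in-memory web cache
# that keys on method + Host + path/query only, so a request header the origin
# actually uses (a constructed "language" cookie) is an unkeyed input. The
# optional Vary handling shows how widening the key stops the wrong-language
# response being served, and honor_vary=False stands in for a cache that
# ignores Vary. Host, cookie values and bodies are all constructed.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str   # path plus query string, e.g. "/blog/post.php?mobile=1"
    headers: dict  # header names lower-cased


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def parse_cookies(header_value):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; tolerates an empty header."""
    cookies = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def origin(req, send_vary):
    """Constructed origin server: renders the post in the language named by the
    'language' cookie, an input that is not part of a typical cache key."""
    lang = parse_cookies(req.headers.get("cookie", "")).get("language", "en")
    headers = {"content-language": lang}
    if send_vary:
        # Declare that the response depends on the Cookie request header.
        headers["vary"] = "Cookie"
    return Response(body=f"<html lang='{lang}'>...</html>", headers=headers)


class Cache:
    """Minimal shared cache: primary key from the request line and Host, plus an
    optional secondary key built from the request headers named in Vary."""

    def __init__(self, fetch_from_origin, honor_vary=True):
        self.fetch_from_origin = fetch_from_origin
        self.honor_vary = honor_vary
        self.store = {}  # primary key -> list of (vary, secondary key, response)

    @staticmethod
    def primary_key(req):
        return (req.method, req.headers.get("host", ""), req.target)

    def secondary_key(self, req, vary):
        # A cache that ignores Vary (or a response without one) keys on nothing extra.
        if not (self.honor_vary and vary):
            return ()
        names = [n.strip().lower() for n in vary.split(",")]
        return tuple(req.headers.get(n, "") for n in names)

    def fetch(self, req):
        """Return (response, served_from_cache)."""
        pk = self.primary_key(req)
        for vary, sk, resp in self.store.get(pk, []):
            if sk == self.secondary_key(req, vary):
                return resp, True
        resp = self.fetch_from_origin(req)
        vary = resp.headers.get("vary", "")
        self.store.setdefault(pk, []).append((vary, self.secondary_key(req, vary), resp))
        return resp, False


def two_visitors(origin_sends_vary, cache_honors_vary):
    """Replay the scenario from the text: one visitor whose cookie asks for Polish,
    then one asking for Thai. Returns (language served to the first, language
    served to the second, whether the second was served from cache)."""
    cache = Cache(lambda r: origin(r, origin_sends_vary), honor_vary=cache_honors_vary)
    common = {"host": "example.com", "user-agent": "Mozilla/5.0 (constructed)"}
    first = Request("GET", "/blog/post.php?mobile=1", {**common, "cookie": "language=pl"})
    second = Request("GET", "/blog/post.php?mobile=1", {**common, "cookie": "language=th"})
    r1, _ = cache.fetch(first)
    r2, hit = cache.fetch(second)
    return r1.headers["content-language"], r2.headers["content-language"], hit


if __name__ == "__main__":
    print("no Vary:              ", two_visitors(False, True))   # ('pl', 'pl', True)
    print("Vary honoured:        ", two_visitors(True, True))    # ('pl', 'th', False)
    print("Vary sent but ignored:", two_visitors(True, False))   # ('pl', 'pl', True)
```

Only the middle case serves each visitor their own language; in the other two the second visitor receives the first visitor's cached page, which is the accidental breakage the text describes. Real caches vary in how they treat Vary (some only honour a handful of header names, and keying on Cookie is usually impractical because every distinct cookie string becomes its own entry), which is the rudimentary support the text refers to.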