4.16. Web Cache Spoofing Attack

4.16.1. Introduction

Websites usually deploy web caching components such as CDNs, load balancers, or reverse proxies, which reduce server response latency by caching frequently requested files.

For example, suppose the website http://www.example.com sits behind a reverse proxy. Pages that contain a user's personal information, such as http://www.example.com/home.php, return different content for each user, so they are generated dynamically and are normally not stored by the cache server. The cache is mainly used for publicly accessible static files: css files, js files, txt files, images, and so on. Many best-practice guides even recommend caching publicly accessible static files while ignoring the HTTP cache headers sent by the origin.

Web cache spoofing is similar to relative path overwrite (RPO) attacks: both depend on how browsers and servers parse URLs. When a non-existent URL such as http://www.example.com/home.php/non-existent.css is requested, the browser sends a GET request for it and, depending on the server technology and its configuration, the server returns the content of http://www.example.com/home.php (the trailing /non-existent.css is treated as extra path information). The URL in the address bar stays http://www.example.com/home.php/non-existent.css, while the HTTP headers in the response are identical to those of http://www.example.com/home.php: the caching headers and the Content-Type (here text/html) are the same.

4.16.2. Vulnerability Causes

When a proxy server is configured to cache static files and to ignore the caching headers, what happens when http://www.example.com/home.php/non-existent.css is requested? The full sequence is as follows:

  1. The browser requests http://www.example.com/home.php/non-existent.css;

  2. The server returns the content of http://www.example.com/home.php (a page that would normally not be cached);

  3. The response passes through the proxy server;

  4. The proxy sees that the requested file has a .css suffix;

  5. The proxy creates a directory home.php under its cache directory and saves the returned content as non-existent.css. From now on, anyone who requests that URL receives the cached copy.

4.16.3. Vulnerability Exploitation

The attacker tricks the victim into visiting http://www.example.com/home.php/logo.png?www.myhack58.com, which causes the page containing the victim's personal information to be cached under a URL that anyone can request. In more serious cases the returned content also contains session identifiers, answers to security questions, or CSRF tokens. The attacker then collects this information simply by requesting the same URL without a session, since a website's static resources are in general publicly accessible.

4.16.4. Conditions for the Vulnerability to Exist

For the vulnerability to exist, at least the following two conditions must be met:

  1. The web cache decides what to store by file extension and ignores the cache headers;

  2. Requesting a non-existent path under the page, such as http://www.example.com/home.php/non-existent.css, returns the content of home.php instead of an error.
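The two conditions can be checked against a site you are authorised to test with your own session, so that no third party's data is involved. The script below is an added example, not part of the original page: probe() requests a freshly named bogus .css path under the dynamic page once with the tester's session cookie and once without, and reports whether the path returned the page (condition 2) and whether the sessionless request then received that private page (condition 1). The function names, the marker argument and fake_server (a constructed stand-in so the example runs offline) are assumptions for illustration; the X-Cache and Age headers are only corroborating evidence, since not every proxy sends them.

```python
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A response as (status, lower-cased headers, body)
Resp = Tuple[int, Dict[str, str], bytes]


def http_fetch(url: str, cookie: Optional[str] = None) -> Resp:
    """Plain urllib GET that returns the response even on 4xx/5xx.
    (urllib follows redirects by default, so a 302 to a login page shows up
    as that login page; it still fails the marker check below.)"""
    req = urllib.request.Request(url, headers={"User-Agent": "cache-probe"})
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read()
    except urllib.error.HTTPError as e:
        return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read()


def probe(page_url: str, marker: bytes, session_cookie: str,
          fetch: Callable[[str, Optional[str]], Resp] = http_fetch) -> Dict[str, bool]:
    """Check both conditions against one dynamic page.

    page_url        the personal page, e.g. http://www.example.com/home.php
    marker          bytes that appear only in the logged-in user's copy of
                    that page (their own user name, for instance)
    session_cookie  the tester's own session cookie; the "victim" is the tester
    """
    # A fresh, random file name so that no earlier cache entry masks the result.
    bait = f"{page_url}/probe-{secrets.token_hex(4)}.css"

    status1, headers1, body1 = fetch(bait, session_cookie)  # first: as the victim
    status2, headers2, body2 = fetch(bait, None)            # second: as the attacker

    # Condition 2: the bogus path returns the real page, as text/html.
    returns_page = (status1 == 200 and marker in body1
                    and headers1.get("content-type", "").startswith("text/html"))
    # Condition 1: the private page was served to a client with no session.
    served_anonymously = status2 == 200 and marker in body2
    # Corroborating evidence that the second answer came from the cache.
    hit_header = ("hit" in headers2.get("x-cache", "").lower()
                  or headers2.get("age", "0").strip() not in ("", "0"))
    return {
        "path_info_returns_page": returns_page,
        "private_page_served_anonymously": served_anonymously,
        "cache_hit_header_seen": hit_header,
        "vulnerable": returns_page and served_anonymously,
    }


def fake_server(cache_by_extension: bool) -> Callable[[str, Optional[str]], Resp]:
    """Constructed stand-in for a site behind a proxy, used to run this offline.
    With cache_by_extension=True the proxy stores any 200 whose URL ends in .css
    regardless of the origin's headers; with False it stores nothing here."""
    cache: Dict[str, Resp] = {}

    def fetch(url: str, cookie: Optional[str] = None) -> Resp:
        if url in cache:
            s, h, b = cache[url]
            return s, {**h, "x-cache": "HIT"}, b
        if cookie == "session=alice":  # origin treats /home.php/x.css as /home.php
            resp: Resp = (200, {"content-type": "text/html",
                                "cache-control": "private, no-store"},
                          b"<html>Hello alice, card ending 1234</html>")
        else:
            resp = (302, {"location": "/login"}, b"")
        if cache_by_extension and resp[0] == 200 and url.split("?")[0].endswith(".css"):
            cache[url] = resp
        return resp[0], {**resp[1], "x-cache": "MISS"}, resp[2]

    return fetch


if __name__ == "__main__":
    print(probe("http://www.example.com/home.php", b"alice", "session=alice",
                fetch=fake_server(cache_by_extension=True)))
```

Against a real target, call probe() with the default fetch and a marker taken from your own account page; a result where path_info_returns_page is true but private_page_served_anonymously is false means only condition 2 holds, which is worth fixing anyway (see the third defence below) but is not exploitable through the cache.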

4.16.5. Vulnerability Defense

Defensive measures mainly consist of three points:

  1. Configure the caching mechanism to cache only responses that the HTTP caching headers allow; this eliminates the problem at its root;

  2. If the cache component offers the option, decide whether to cache based on the response Content-Type rather than on the URL's file extension;

  3. Make sure that requesting a non-existent page such as http://www.example.com/home.php/non-existent.css does not return the content of home.php but a 404 or a 302 instead.
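The request sequence from 4.16.2 and the three defences above, as an added example that is not code from the original page: a small Python simulation of an origin application and a caching reverse proxy. The Origin and Proxy classes, the scenario names and the "alice" user are assumptions for illustration; the bait URL reuses the one from 4.16.3. The vulnerable configuration caches by extension and ignores headers, and each defence is switched on in turn to show that the victim's page no longer reaches the anonymous attacker while ordinary static files are still cached.

```python
from typing import Dict, Optional, Tuple

# A response as (status, lower-cased headers, body)
Resp = Tuple[int, Dict[str, str], bytes]


class Origin:
    """Simulated origin application (constructed for this example).

    /home.php renders the logged-in user's personal data; /logo.png is a
    public static file.  Like PHP behind a default Apache, it treats
    /home.php/<anything> as /home.php with trailing PATH_INFO unless
    accept_path_info is False (defence 3).
    """

    def __init__(self, accept_path_info: bool = True) -> None:
        self.accept_path_info = accept_path_info

    def handle(self, path: str, user: Optional[str]) -> Resp:
        script, path_info = path.split("?", 1)[0], ""
        if script.startswith("/home.php/"):
            script, path_info = "/home.php", script[len("/home.php"):]
        if script == "/home.php":
            if path_info and not self.accept_path_info:
                return 404, {"content-type": "text/html"}, b"Not Found"
            if user is None:
                return 302, {"location": "/login", "cache-control": "no-store"}, b""
            body = f"<html>Hello {user}, card ending 1234</html>".encode()
            return 200, {"content-type": "text/html",
                         "cache-control": "private, no-store"}, body
        if script == "/logo.png":
            return 200, {"content-type": "image/png",
                         "cache-control": "public, max-age=86400"}, b"\x89PNG..."
        return 404, {"content-type": "text/html"}, b"Not Found"


class Proxy:
    """Simulated caching reverse proxy (constructed for this example)."""

    STATIC_EXT = (".css", ".js", ".png", ".jpg", ".txt")

    def __init__(self, origin: Origin, ignore_cache_headers: bool = True,
                 check_content_type: bool = False) -> None:
        self.origin = origin
        self.ignore_cache_headers = ignore_cache_headers
        self.check_content_type = check_content_type
        self.cache: Dict[str, Resp] = {}

    def cacheable(self, path: str, status: int, headers: Dict[str, str]) -> bool:
        if status != 200:
            return False
        if not self.ignore_cache_headers:
            # Defence 1: store only what the origin's Cache-Control allows.
            cc = headers.get("cache-control", "")
            return "no-store" not in cc and "private" not in cc and "max-age" in cc
        # Vulnerable rule: decide by the URL's file extension alone.
        if not path.split("?", 1)[0].endswith(self.STATIC_EXT):
            return False
        if self.check_content_type and headers.get("content-type", "").startswith("text/html"):
            return False  # Defence 2: a ".png" URL answered with HTML is not a static file
        return True

    def get(self, path: str, user: Optional[str] = None) -> Resp:
        if path in self.cache:
            status, headers, body = self.cache[path]
            return status, {**headers, "x-cache": "HIT"}, body
        status, headers, body = self.origin.handle(path, user)
        if self.cacheable(path, status, headers):
            self.cache[path] = (status, headers, body)
        return status, {**headers, "x-cache": "MISS"}, body


BAIT = "/home.php/logo.png?www.myhack58.com"  # the link the attacker sends to the victim


def victim_data_leaks(proxy: Proxy) -> bool:
    """Victim (logged in as alice) opens the bait, then the attacker requests
    the same URL with no session.  True if alice's page comes back to them."""
    proxy.get(BAIT, user="alice")
    status, _, body = proxy.get(BAIT, user=None)
    return status == 200 and b"alice" in body


def static_still_cached(proxy: Proxy) -> bool:
    """Sanity check that a defence does not stop legitimate static caching."""
    proxy.get("/logo.png")
    _, headers, _ = proxy.get("/logo.png")
    return headers["x-cache"] == "HIT"


def run_scenarios() -> Dict[str, bool]:
    return {
        "vulnerable": victim_data_leaks(Proxy(Origin())),
        "defence1_honour_cache_headers": victim_data_leaks(Proxy(Origin(), ignore_cache_headers=False)),
        "defence2_check_content_type": victim_data_leaks(Proxy(Origin(), check_content_type=True)),
        "defence3_origin_rejects_path_info": victim_data_leaks(Proxy(Origin(accept_path_info=False))),
    }


if __name__ == "__main__":
    for name, leaked in run_scenarios().items():
        print(f"{name:36s} leak={leaked}")
```

Defence 1 is the only one of the three that the cache operator can apply without knowing anything about the application, which is why the text calls it the root fix; defences 2 and 3 still help when a cache cannot be reconfigured, and the third also removes the odd behaviour that makes the bait URL work in the first place.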

4.16.6. Web Cache Spoofing Attack Example

4.16.6.1. Paypal

Before PayPal fixed the issue, the information obtainable through this attack included the user name, account balance, the last 4 digits of the credit card, transaction data, email address, and more. Some of the pages affected by the attack were:

  • https://www.paypal.com/myaccount/home/attack.css

  • https://www.paypal.com/myaccount/settings/notifications/attack.css

  • https://history.paypal.com/cgi-bin/webscr/attack.css?cmd=_history-details