{"id":16792,"date":"2021-08-26T12:51:27","date_gmt":"2021-08-26T07:21:27","guid":{"rendered":"https:\/\/www.varutra.com\/?p=16792"},"modified":"2022-12-02T12:21:20","modified_gmt":"2022-12-02T06:51:20","slug":"web-cache-deception","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/web-cache-deception\/","title":{"rendered":"WEB CACHE DECEPTION"},"content":{"rendered":"

<\/p>\n

Introduction:<\/strong><\/h3>\n

A security researcher, Mr. Omer Gil initially proposed Web cache deception attack in 2017. This attack takes advantage of the caching functionality in the webserver to extract sensitive user data.<\/p>\n

<\/h4>\n

What is Caching?<\/strong><\/h3>\n

Caching is a method used to reduce the load and time to respond to a web server. This attack mainly focuses on the configuration of caching features. If these configurations are misused, then it may lead to caching of contents that were not supposed to be cached.<\/p>\n

We will get into the details of the attack point by point.<\/p>\n

<\/h4>\n

Request processing and CDN:<\/strong><\/h3>\n

Initially, whatever request is made to the server, the connection of this request goes through a CDN (Content delivery networks). They are nothing but a geographically distributed network of proxy servers and data centers. It is implemented to gain high availability and performance by distributing the service semantically relative to the end-users. The edge servers are scattered across the world. These stored cache local copies of web content provide faster access to users, thus reducing the load on the web servers.<\/p>\n

Edge servers are powerful computers put at the \u201cedge\u201d of a network where data computation needs to happen. They are physically close to the systems or applications that are creating the data being stored on, or being used by the server.<\/p>\n

The general and most basic rule of caching is that the cached items should not contain any private or user-specific data. Ideally, static content like images, CSS files, pdf files, etc. should be cached considered as the cached content i.e., the content which is not user-specific. All those requests which are dynamic and request the user-specific data are routed to the main servers. This basic rule of caching the non-user-specific data is implemented for security reasons. As web servers, these cache servers don\u2019t have any mechanisms for identifying any authenticated users, and these checks are provided to avoid access to unauthorized data.<\/p>\n

<\/h4>\n

The Working of Web Cache Deception: <\/strong><\/h3>\n

As stated above, any request made by a user to the server over the internet may go through proxies or may be processed by several caching techniques, that include the number of CDN\u2019s and centralized server-side caches, before it finally reaches the origin of the webserver.<\/p>\n

In a typical Web cache deception attack, the attacker first searches a page that contains highly sensitive data such as a setting page. Then, the request is prompted to have a web caching service, such as a load balancer, reverse proxy, CDN, or other similar services, to interpret the request differently than the main web server.<\/p>\n

Here the attacker will try to cache content that would not have been cached in any normal circumstances. Some of the web applications, especially with a non-existent object, a request will try to process it with a similar object reference if any exist. Then, the attacker will add a dynamic URL with a non-existent page or file which most probably will end in a cacheable file such as jpg, CSS, and more.<\/p>\n

For Example: <\/strong><\/p>\n