Cache does not mean catch!! Cache is something different. Web cache deception is a vulnerability that enables an attacker to get sensitive, dynamic content stored in the cache, and it is caused by discrepancies between how the cache server and the origin server handle a request.
Let's simply describe this vulnerability: what is it? A web cache system sits between the origin server and the user. If a client requests a static resource, the request is first directed to the cache. If the cache doesn't contain a copy of the resource (known as a cache miss), the request is forwarded to the origin server, which processes and responds to it. The response is then sent to the cache before being sent to the user. The cache uses a pre-configured set of rules to determine whether to store the response.
When a request for the same static resource is made in the future, the cache serves the saved copy of the response directly to the user (known as a cache hit).
For More information - Click Here
Delimiters specify boundaries between the different parts of a URL. Certain characters and strings are used to separate those parts, for example the path from the query string. For example, ? is used to separate the path from the query string.
Discrepancies in how the cache and the origin server use characters and strings as delimiters can result in web cache deception vulnerabilities. Example: /gallery;foo.js.
If the origin server treats ; as a delimiter, it ignores everything after the semicolon, while the cache treats what follows the ; as part of the path. If the cache has a rule to store responses for requests ending in .css, it might cache and serve the profile information as if it were a CSS file.
# /gallery - This request is processed by the default HTML formatter, which returns the user profile information.
# /gallery.css - The request is recognized as having a CSS extension. There isn't a CSS formatter, so the request isn't accepted and an error is returned.
NOTE - Encoded characters may also sometimes be used as delimiters. For example, consider the request /gallery%00foo.js.
Exploiting delimiter discrepancies
You can use a delimiter discrepancy to add a static extension to the path that is seen by the cache but not by the origin server. You need to identify a character that is used as a delimiter by the origin server but not by the cache.
First, find characters that are used as delimiters by the origin server. Start this process by adding an arbitrary string to the URL of your target endpoint. For example, modify /settings/users/list to /settings/users/listaaa. You'll use this response as a reference when you start testing delimiter characters.
Note: If the response is identical to the original response, this indicates that the request is being redirected. You'll need to choose a different endpoint to test.
Next, add a possible delimiter character between the original path and the arbitrary string, for example /settings/users/list;aaa, and compare the response:
# If the response is identical to the base response, this indicates that the ; character is used as a delimiter and the origin server interprets the path as /settings/users/list.
# If it matches the response to the path with the arbitrary string, this indicates that the ; character isn't used as a delimiter and the origin server interprets the path as /settings/users/list;aaa.
Once you've identified delimiters that are used by the origin server, test whether they're also used by the cache. To do this, add a static extension to the end of the path. If the response is cached, this indicates:
# That the cache doesn't use the delimiter and interprets the full URL path, including the static extension.
# That there is a cache rule to store responses for requests ending in .js.
Make sure to test all ASCII characters and a range of common extensions, including .css, .ico, and .exe.
You can then construct an exploit that triggers the static extension cache rule. For example, consider the payload /settings/users/list;aaa.js. The origin server uses ; as a delimiter, but the cache doesn't:
# The cache interprets the path as: /settings/users/list;aaa.js
# The origin server interprets the path as: /settings/users/list
The origin server returns the dynamic profile information.
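To make the discrepancy concrete, here is an added toy model (not code from the original post or from the lab) of a cache in front of an origin server. It assumes the origin drops everything after a ; in the path and marks the account page Cache-Control: private, no-store; the weak cache stores by URL extension alone, while the fixed cache also respects the origin's headers and Content-Type.

```python
# Added example (not the original post's code): a toy model of the delimiter
# discrepancy behind web cache deception, and the defensive fix. The origin
# dropping everything after ';' is an assumption modelled on the lab.
from dataclasses import dataclass, field

STATIC_EXTENSIONS = (".js", ".css", ".ico")


def origin_path(raw_path: str) -> str:
    """Origin semantics (assumed): ';' is a delimiter, the rest is ignored."""
    return raw_path.split(";", 1)[0]


def origin_respond(raw_path: str) -> dict:
    """Dynamic per-user page; the origin marks it as not cacheable."""
    if origin_path(raw_path) == "/my-account":
        return {"status": 200, "body": "api-key: CONSTRUCTED-SAMPLE-KEY",
                "headers": {"Content-Type": "text/html",
                            "Cache-Control": "private, no-store"}}
    return {"status": 404, "body": "not found",
            "headers": {"Content-Type": "text/html", "Cache-Control": ""}}


@dataclass
class Cache:
    """honor_origin_headers=False reproduces the weak 'cache by extension' rule."""
    honor_origin_headers: bool
    store: dict = field(default_factory=dict)

    def cacheable(self, raw_path: str, resp: dict) -> bool:
        # The cache does NOT treat ';' as a delimiter, so it sees the full
        # path "/my-account;aaa.js" and matches the .js static-extension rule.
        by_extension = raw_path.endswith(STATIC_EXTENSIONS)
        if not self.honor_origin_headers:
            return by_extension
        # Fixed cache: the origin's Cache-Control and Content-Type win over the URL.
        cc = resp["headers"].get("Cache-Control", "")
        static_type = not resp["headers"]["Content-Type"].startswith("text/html")
        return by_extension and static_type and "no-store" not in cc

    def fetch(self, raw_path: str) -> dict:
        """Returns the response plus an x_cache field, like the lab's X-Cache header."""
        if raw_path in self.store:
            return dict(self.store[raw_path], x_cache="hit")
        resp = origin_respond(raw_path)
        if self.cacheable(raw_path, resp):
            self.store[raw_path] = resp
        return dict(resp, x_cache="miss")
```

With the weak cache, the second request for /my-account;aaa.js is a hit that returns the first user's page; with the fixed cache it stays a miss because the origin said no-store and text/html.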
Let's start with the lab practice.
After enabling the proxy setup, open Burp Suite and turn intercept on.
After that, go to the My account option and look in Burp Suite: it intercepts the URL.
But you won't get anything easily at first, so never give up. Simply proceed with the URL below, as you can see. After a few seconds, turn off the proxy and go back to Burp Suite.
As you can see in the image below (go to the HTTP proxy tab), the request has arrived: GET /my-account. See the request tab.
Cache Poisoning: It's important to distinguish web cache deception from web cache poisoning. While both exploit caching mechanisms, they are a little bit different. - Create your own ARP cache poisoning - CLICK HERE
Then go back to the web page (lab page), simply type the username and password wiener : peter, turn the proxy on again, and intercept the HTTP request.
Login is done. Now, if you want, you can turn off the proxy in the Chrome browser (by the way, the reason I am doing this again and again and again is that you have to intercept what you want, but sometimes the page still keeps loading, that's why).
Now you will see that you have got the API key.
Now, on that same page, edit the URL and simply add some arbitrary string (in our case aaa.js) and hit enter.
https://0a57008903714a5485c3b587002f00df.web-security-academy.net/my-account
https://0a57008903714a5485c3b587002f00df.web-security-academy.net/my-accountaaa.js
After hitting the URL, check the intercept HTTP history.
As you can see in the image below, x-cache: miss is still returned, but after that you need to send the request to the Repeater section.
Send the request and see on the right side that x-cache: miss is still returned; send the request again and again and finally you will get x-cache: hit.
But what does it mean let's check in our BLOG - click Here
Send it to the Intruder section -
Now in the Intruder section, highlight the string and insert a new payload marker (Add).
Now paste the delimiter list into the payload section and run it as a brute-force attack to search for a delimiter. (If the response matches the one with the arbitrary string, this indicates that the ; character isn't used as a delimiter and the origin server interprets the path as /my-account;aa.js.)
Web cache deception lab delimiter list - Click Here
Now you should see that the delimiter ; (semicolon) returns status code 200. That means it's okay, so we move forward with this delimiter ; and send the request to the Repeater section,
and keep sending the request in the Repeater section until x-cache: hit appears.
After that, copy the URL, go to the lab's exploit server and paste it into the body section.
After that, check View exploit and voilà, YES!!! We got carlos's API key; put it into the solution box.
So finally our lab is solved.
Disclaimer
All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.