Exploiting path delimiters for web cache deception

Hacking Truth


Cache does not mean catch! Web cache deception is a vulnerability that enables an attacker to trick a web cache into storing sensitive, dynamic content. It is caused by discrepancies between how the cache server and the origin server handle requests.

Let's briefly describe this vulnerability and what it is. A web cache sits between the origin server and the user. When a client requests a static resource, the request is first directed to the cache. If the cache doesn't contain a copy of the resource (known as a cache miss), the request is forwarded to the origin server, which processes it and responds. The response is then sent to the cache before being passed on to the user. The cache uses a pre-configured set of rules to determine whether to store the response.

When a request for the same static resource is made in the future, the cache serves the saved copy of the response directly to the user (known as a cache hit).



Image credit: PortSwigger





Delimiters specify boundaries between the different components of a URL. Characters and strings are generally used to separate parts of the URL, such as the path from the query string. For example, ? is used to separate the path from the query string.

Discrepancies in how the cache and the origin server use characters and strings as delimiters can result in web cache deception vulnerabilities. Example: /gallery;foo.js.

If the origin server treats ; (semicolon) as a delimiter, everything after it is ignored and the request resolves to /gallery, while the cache treats the whole string as part of the path. If the cache has a rule to store responses for requests ending in .css (or another static extension), it might cache and serve the profile information as if it were a static file.

# /gallery - This request is processed by the default HTML formatter, which returns the user profile information.

# /gallery.css - The request is recognized as having a CSS extension. There isn't a CSS formatter, so the request isn't accepted and an error is returned.


NOTE - Encoded characters may also sometimes be used as delimiters. For example, consider the request /gallery%00foo.js, where the origin server may stop parsing the path at the encoded null byte.



Exploiting delimiter discrepancies

You can use a delimiter discrepancy to add a static extension to the path that is seen by the cache but not by the origin server. To do this, you need to identify a character that is used as a delimiter by the origin server but not by the cache.

First, find the characters that are used as delimiters by the origin server. Start by adding an arbitrary string to the URL of your target endpoint. For example, modify /settings/users/list to /settings/users/listaaa. You'll use this response as a reference when you start testing delimiter characters.

Note: If the response is identical to the original response, this indicates that the request is being redirected. You'll need to choose a different endpoint to test.

Next, add a possible delimiter character between the original path and the arbitrary string, for example /settings/users/list;aaa:

# If the response is identical to the base response, this indicates that the ; character is used as a delimiter and the origin server interprets the path as /settings/users/list.

# If it matches the response to the path with the arbitrary string, this indicates that the ; character isn't used as a delimiter and the origin server interprets the path as /settings/users/list;aaa.


Once you've identified delimiters that are used by the origin server, test whether they're also used by the cache. To do this, add a static extension to the end of the path. If the response is cached, this indicates:

# That the cache doesn't use the delimiter and interprets the full URL path with the static extension.

# That there is a cache rule to store responses for requests ending in .js.


Make sure to test all ASCII characters and a range of common extensions, including .css, .ico, and .exe. 

You can then construct an exploit that triggers the static extension cache rule. For example, consider the payload /settings/users/list;aaa.js. The origin server uses ; as a delimiter:

# The cache interprets the path as: /settings/users/list;aaa.js

# The origin server interprets the path as: /settings/users/list


The origin server returns the dynamic profile information.
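The discrepancy described above, modelled as an added example (this is not code from the original post or from PortSwigger): it parses one path the way an origin server and a cache each would, lists the delimiter characters on which the two disagree, and shows the mitigation of building cache keys with the origin's own delimiter set. The delimiter sets, dynamic routes and static-extension rule are assumptions of the model, not measurements of any real server.

```python
import string

STATIC_EXTS = (".js", ".css", ".ico", ".exe")   # extensions the cache rule stores

def parsed_path(url_path, delimiters):
    """Path as seen by a component that stops at the first of its delimiters.
    Delimiters may be single characters or encoded sequences such as '%00'."""
    cut = len(url_path)
    for d in delimiters:
        i = url_path.find(d)
        if i != -1 and i < cut:
            cut = i
    return url_path[:cut]

def find_discrepancies(origin_delims, cache_delims, candidates=string.printable):
    """Characters the origin treats as delimiters but the cache does not."""
    return sorted(c for c in candidates if c in origin_delims and c not in cache_delims)

def classify(url_path, origin_delims, cache_delims, dynamic_routes):
    """Compare both views of one request and say whether a dynamic response
    would be stored under a static-looking cache key."""
    origin_view = parsed_path(url_path, origin_delims)
    cache_view = parsed_path(url_path, cache_delims)
    stored = cache_view.endswith(STATIC_EXTS)
    return {
        "origin": origin_view,
        "cache": cache_view,
        "stored": stored,
        "deceived": stored and origin_view in dynamic_routes,
    }

# Assumed configuration for the model (not measured from any real server):
ORIGIN_DELIMS = {";", "?", "#", "%00"}       # origin stops the path at these
CACHE_DELIMS = {"?", "#"}                     # cache only knows the standard ones
DYNAMIC = {"/settings/users/list", "/gallery", "/my-account"}

def hardened(url_path):
    """Mitigation: cache keys built with the origin's delimiter set, so the two
    views agree and the static-extension rule never fires on a dynamic path."""
    return classify(url_path, ORIGIN_DELIMS, ORIGIN_DELIMS, DYNAMIC)

if __name__ == "__main__":
    print("discrepant delimiters:", find_discrepancies(ORIGIN_DELIMS, CACHE_DELIMS))
    for p in ["/settings/users/listaaa", "/settings/users/list;aaa.js", "/gallery%00foo.js"]:
        print(p, classify(p, ORIGIN_DELIMS, CACHE_DELIMS, DYNAMIC))
        print(p, "hardened ->", hardened(p)["deceived"])
```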


Let's start with the lab practice.





After enabling the proxy setup, open Burp Suite and turn Intercept on.






After that, go to the My account option and look in Burp Suite: it intercepts the URL.








But you won't get anything easily; never give up. Simply proceed with the URL below, as you can see. After a few seconds, turn off the proxy and go to Burp Suite.











As you can see in the image below (go to the Proxy > HTTP history tab), the request has arrived: GET /my-account. Look at the Request tab.


Cache poisoning: it's important to distinguish web cache deception from web cache poisoning. While both exploit caching mechanisms, they differ: in cache poisoning the attacker gets the cache to store harmful content that is then served to other users, whereas in cache deception the attacker gets the cache to store another user's sensitive content.










Then go back to the web page (the lab page), type the username and password wiener : peter, turn on the proxy again and intercept the HTTP request.






Login is done. Now, if you want, you can turn off the proxy in the Chrome browser. (By the way, the reason I keep doing this again and again is that you have to intercept what you want, but sometimes the page still keeps loading, that's why.)






Now you will see that you have got the API key.






Now, on that same page, edit the URL and add an arbitrary string (in our case aaa.js), then hit enter.

https://0a57008903714a5485c3b587002f00df.web-security-academy.net/my-account




https://0a57008903714a5485c3b587002f00df.web-security-academy.net/my-accountaaa.js









After visiting the URL, check the HTTP history under the Proxy tab.






As you can see in the image below, x-cache: miss is still coming back, so next you need to send the request to the Repeater section.









Send the request and look at the right side: x-cache: miss still comes back. Send the request again and again, and finally you will get x-cache: hit.
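From the defender's side, the miss-then-hit sequence above leaves a signature in edge or CDN logs. The following detection is an added example, not part of the original post: it scans constructed sample log lines for a cache key that looks static while the origin route is dynamic and the body served is HTML. The log format, the delimiter list and the routes are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real system): method, path,
# status, x-cache result and response content type, one request per line.
SAMPLE_LOG = """\
GET /my-account 200 miss text/html
GET /resources/app.js 200 hit application/javascript
GET /my-account;aaa.js 200 miss text/html
GET /my-account;aaa.js 200 hit text/html
GET /my-account%00123.js 200 hit text/html
GET /static/style.css 200 hit text/css
"""

ORIGIN_DELIMS = ("%00", ";")   # delimiters this origin is assumed to honour
STATIC_EXT = re.compile(r"\.(js|css|ico|exe)$", re.I)
LINE = re.compile(r"^(\w+) (\S+) (\d{3}) (hit|miss) (\S+)$")

def origin_route(path):
    """Route the origin actually serves: the path up to the first delimiter."""
    return re.split("|".join(map(re.escape, ORIGIN_DELIMS)), path, maxsplit=1)[0]

def suspicious(line):
    """Return (origin_route, xcache) when a request has a static-looking cache
    key, a different dynamic origin route, and an HTML body; else None."""
    m = LINE.match(line)
    if not m:
        return None
    _method, path, _status, xcache, ctype = m.groups()
    route = origin_route(path)
    if route != path and STATIC_EXT.search(path) and ctype.startswith("text/html"):
        return route, xcache
    return None

def scan(log_text):
    """Group flagged lines by origin route: misses prime the cache, hits mean
    the dynamic page was actually served from it."""
    report = {}
    for line in log_text.splitlines():
        found = suspicious(line)
        if found:
            route, xcache = found
            report.setdefault(route, Counter())[xcache] += 1
    return {route: dict(counts) for route, counts in report.items()}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```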







Send the request to the Intruder section.






Now, in the Intruder section, highlight the string and insert a new payload marker (Add §).










Now paste the delimiter list into the Payloads section and run the attack as a brute force to search for a delimiter. (If a response matches the one for the path with the arbitrary string, that character isn't used as a delimiter and the origin server interprets the path as /my-account;aa.js.)











Before starting the attack, untick the "URL-encode these characters" box in the Payloads tab so the delimiter characters are sent as-is.







Now you can see that the delimiter ; (semicolon) gives status code 200, which means it works. We move forward with the ; delimiter and send the request to the Repeater section.






Send the request in the Repeater section repeatedly until x-cache: hit appears.






After that, copy the URL, go to the lab's exploit server and paste it into the body section.










In JavaScript, window.location returns a Location object with information about the current location of the document; here it is used to send the victim to the crafted URL. Use a different name from the one you tested with, for example 123.js instead of aa.js, so the victim's request is not served the copy already cached from your own account, and deliver the exploit to the victim.












After that, check View exploit and, voilà, yes! We got Carlos's API key. Put it into the solution box.





So finally, our lab is solved.







Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

