Exploiting path mapping for web cache deception Lab

Hacking Truth

Exploiting path mapping for web cache deception Lab


Cache does not mean catch!! A cache is something different. Web cache deception is a vulnerability that enables an attacker to trick a web cache into storing sensitive, dynamic content. It is caused by discrepancies between how the cache server and the origin server handle the request.

Let's simply describe this vulnerability and what it is. A web cache sits between the origin server and the user. If a client requests a static resource, the request is first directed to the cache. If the cache doesn't contain a copy of the resource (known as a cache miss), the request is forwarded to the origin server, which processes and responds to it. The response is then sent to the cache before being sent to the user. The cache uses a pre-configured set of rules to determine whether to store the response.

When a request for the same static resource is made in the future, the cache serves the saved copy of the response directly to the user (known as a cache hit).


Image credit: PortSwigger



Apart from that, caching is widely used by CDNs (content delivery networks), which store copies of content on distributed servers all over the world. CDNs speed up delivery by serving content from the server closest to the user.



Cache keys


When the cache receives an HTTP request, it must decide whether there is a cached response that it can serve directly, or whether it has to forward the request to the origin server. The cache makes this decision by generating a 'cache key' from elements of the HTTP request. Typically, this includes the URL path and query parameters, but it can also include a variety of other elements like headers and content type.



Cache Rules 


# Static file extension rules - These rules match the file extension of the requested resource, for example .css for stylesheets or .js for JavaScript files.

# Static directory rules - These rules match all URL paths that start with a specific prefix. These are often used to target specific directories that contain only static resources, for example /static or /assets.

# File name rules - These rules match specific file names to target files that are universally required for web operations and change rarely, such as robots.txt and favicon.ico.



Detecting cached responses


During testing, it's crucial that you're able to identify cached responses. Different response headers may indicate that a response is cached. For example:

The X-Cache header provides information about whether a response was served from the cache. Typical values include:

# X-Cache: hit - The response was served from the cache.

# X-Cache: miss - The cache did not contain a response for the request's key, so it was fetched from the origin server. In most cases, the response is then cached. To confirm this, send the request again to see whether the value updates to hit.

# X-Cache: dynamic - The origin server dynamically generated the content. Generally this means the response is not suitable for caching.

# X-Cache: refresh - The cached content was outdated and needed to be refreshed or revalidated.

The Cache-Control header may include a directive that indicates caching, like public with a max-age higher than 0. Note that this only suggests that the resource is cacheable. It isn't always indicative of caching, as the cache may sometimes override this header.







Exploiting Cache


Cache rules often target static resources by matching common file extensions like .css or .js. This is the default behavior in most CDNs.

If there are discrepancies in how the cache and origin server map the URL path to resources or use delimiters, an attacker may be able to craft a request for a dynamic resource with a static extension that is ignored by the origin server but honored by the cache. For example:

http://example.com/user/123/profile/abc.js


An origin server using REST-style URL mapping may interpret this as a request for the /user/123/profile endpoint and return the profile information for user 123, ignoring abc.js as a non-significant parameter.

A cache that uses traditional URL mapping may view this as a request for a file named abc.js located in the /profile directory under /user/123. It interprets the URL path as /user/123/profile/abc.js. If the cache is configured to store responses for requests where the path ends in .js, it would cache and serve the profile information as if it were a JS or CSS file.

Caches may have rules based on specific static extensions. Try a range of extensions, including .css, .ico, and .exe.
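To make the path-mapping discrepancy concrete, here is a small added simulation (my own illustration, not the lab's or PortSwigger's code): a toy REST-style origin, a cache keyed on the URL path only with a static-extension rule, and the X-Cache hit/miss markers from the detection section above. The vulnerable mode stores /my-account/12.js for a logged-in user and serves it to an unauthenticated client; the hardened mode honors Cache-Control: no-store and requires a matching static Content-Type. All names, paths and the API key format are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict
    body: str

# Constructed toy origin with REST-style routing: it answers /my-account and
# ignores a trailing segment such as "12.js". The API key format is made up.
def origin(path, session_user):
    if re.match(r"^/my-account(?:/[^/]*)?$", path) and session_user:
        return Response(200, {"Content-Type": "text/html", "Cache-Control": "no-store"},
                        f"<p>API key for {session_user}: KEY-{session_user}</p>")
    return Response(404, {"Content-Type": "text/html"}, "not found")

STATIC_EXT = {"js", "css", "ico"}
STATIC_TYPES = {"application/javascript", "text/css", "image/x-icon"}

class Cache:
    def __init__(self, honor_origin):
        self.store = {}
        self.honor_origin = honor_origin

    def cacheable(self, path, r):
        static_ext = path.rsplit(".", 1)[-1] in STATIC_EXT
        if not self.honor_origin:
            return static_ext  # vulnerable: the extension rule overrides the origin
        # hardened: respect no-store and require a static Content-Type to match
        if "no-store" in r.headers.get("Cache-Control", ""):
            return False
        return static_ext and r.headers.get("Content-Type") in STATIC_TYPES

    def fetch(self, path, session_user=None):
        key = path  # cache key is the URL path only; the session cookie is not part of it
        if key in self.store:
            r = self.store[key]
            return Response(r.status, {**r.headers, "X-Cache": "hit"}, r.body)
        r = origin(path, session_user)
        if self.cacheable(path, r):
            self.store[key] = r
        return Response(r.status, {**r.headers, "X-Cache": "miss"}, r.body)

def demo(honor_origin):
    # Victim (logged in as carlos) loads the crafted URL, then an unauthenticated
    # client requests the same path. Returns (victim X-Cache, other X-Cache, leaked?).
    cache = Cache(honor_origin)
    victim = cache.fetch("/my-account/12.js", session_user="carlos")
    other = cache.fetch("/my-account/12.js")
    return victim.headers["X-Cache"], other.headers["X-Cache"], "carlos" in other.body
```

Running demo(False) shows the second client getting an X-Cache: hit with carlos's page, while demo(True) shows two misses and no leak.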


Now it's time to complete the lab and learn in practical mode - practice it yourself - CLICK Here



Let's do this. First of all, use whatever proxy you want, but you can use FoxyProxy. It's a browser extension that forwards your traffic to Burp Suite, working as a proxy switcher. You can easily add the extension to Chrome or Mozilla Firefox, whichever browser you want to use.

Let's enable this -





After enabling the proxy setup, open Burp Suite and turn on the Intercept option.




After that, go to the My account option and simply look in your Burp Suite; it intercepts the URL.






But you can't easily get anything right away, so never give up. Simply proceed with the URL below as you can see it. After some seconds, turn off the proxy and go to Burp Suite.





As you can see in the image below (go to the HTTP history tab in Proxy), the request has arrived: GET /my-account. See the Request tab.


Cache poisoning: It's important to distinguish web cache deception from web cache poisoning. While both exploit caching mechanisms, they are a little bit different. - Create your own ARP cache poisoning - CLICK HERE








Then go back to the web page (lab page), simply type the username and password wiener : peter, turn the proxy on again and intercept the HTTP request.





Login is done. Now, if you want, you can turn off the proxy in the Chrome browser (by the way, why am I doing this again and again? Because you only have to intercept what you want, and sometimes the page keeps loading otherwise).






Now you will see that you have got the API key.







Now, on that same page, edit the URL and simply add some kind of JS or CSS extension file name (in our case 12.js) and hit enter.





https://0aa7003d04c35ca280a8eeac008b0054.web-security-academy.net/my-account/12.js


and you will see Burp Suite intercepting the HTTP request.








Simply click on it, look at the response (X-Cache: miss), and then send it to Repeater.






As I told you above about X-Cache: miss and X-Cache: hit, please read each and every sentence carefully.

After that, in the Repeater tab, simply send the request. If you still see X-Cache: miss on the response side, wait 30-40 seconds, send the request again and look at the response.






After 30-40 seconds, send the request again and look at the response on the right side. Now you can see X-Cache: hit (the response was served from the cache).







Now copy the whole URL, turn off the proxy and go to the exploit server page.







and copy our code and paste it into the body section.


<script>window.location="https://0aa7003d04c35ca280a8eeac008b0054.web-security-academy.net/my-account/12.js"</script>

Or you can reverse the JS file name, like this:


<script>window.location="https://0aa7003d04c35ca280a8eeac008b0054.web-security-academy.net/my-account/21.js"</script>


Then deliver the exploit to the victim.







After that, click on View exploit, or simply copy the <script>window.location="https://0aa7003d04c35ca280a8eeac008b0054.web-security-academy.net/my-account/12.js"</script>


and open it in a new browser tab.






Notice that the response includes the API key for carlos. Copy this.






Click Submit solution, then submit the API key for carlos to solve the lab.








Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
