Web Cache Poisoning | Shahul Hameed
What is Web Cache Poisoning
Web cache poisoning is a web security vulnerability in which an attacker gets a shared cache (a CDN, reverse proxy or load-balancer cache) to store a response containing attacker-controlled content, so that the cache then serves it to other users. It works when the application builds its response from an input that the cache does not include in its cache key (an "unkeyed" input, for example a request header that the backend reflects into a URL). The attacker sends a request carrying a malicious value in that input; the cache stores the resulting response under the same key a normal request would produce, and every user who requests that URL until the entry expires receives the attacker's version, potentially leading to a range of security issues.
Pre-requisite:
Param Miner extension for Burp Suite (available from the BApp Store).
Target in scope (lab):
https://34d8a6c9.poison.digi.ninja:2443/basic.php
Step 1: Install the Param Miner extension in Burp Suite (it is already installed on my Burp Suite).
Step 2: Intercept the application request and send it to Repeater. The goal here is to find unkeyed inputs: headers or parameters that the backend uses to build the response but that the cache does not include in its cache key, which is what makes the page vulnerable to web cache poisoning.
Run Param Miner's "Guess headers" scan on the request, re-send the request a few times, and check the extension's output for the headers or parameters it reports as unkeyed inputs.
Step 3: Inject a payload into the identified unkeyed header (X-Forwarded-Host), for example a hostname you control, and confirm that the reflected value is still returned by a follow-up request that does not carry the header. While testing, add a unique cache-buster query parameter to the URL so that you only poison your own cache entry and not the page real users are receiving.
What are the parameters to look for?
Several kinds of input can be unkeyed, and therefore usable for web cache poisoning if the application uses them to build the response:
1. HTTP headers: headers such as X-Forwarded-Host carry additional information between a client (or proxy) and the server and are rarely part of the cache key. If the backend reflects one of them into the page (for example into a script or redirect URL), the attacker's value ends up in the cached response.
2. Query strings: most caches key on the full URL including the query string, but some strip or normalise it, or ignore particular parameters. A parameter that the cache ignores but the application reflects is unkeyed (the same behaviour is what makes a cache-buster parameter useful when testing).
3. Cookies: cookies carry user-specific state and are almost never part of the cache key. If the backend reflects a cookie value into a cacheable page (a language or theme preference, for instance), a single request with a crafted cookie can poison the entry served to every user.
4. POST data: caches normally do not store responses to POST requests, but a cache that has been configured to do so keys them on the URL rather than the body, so body parameters are unkeyed and any reflected value is cached.
5. URL fragments: the fragment (the part of the URL after #) is never sent to the server, so it cannot reach a shared cache or be reflected by the backend; it only matters for client-side JavaScript that reads location.hash. It is not a source of unkeyed input for the cache, so concentrate on the server-side inputs above.
For web application developers and server administrators the rule is: every input that changes a cacheable response must either be part of the cache key (through the Vary header or the CDN's cache-key configuration) or not be trusted at all, reflected values must be validated and encoded, and responses that depend on sensitive or per-user input should carry Cache-Control headers that stop them from being cached.
Impact of the vulnerability:
1. Information theft: a poisoned response can carry attacker-controlled JavaScript or a fake login form that runs in the site's own origin, so unsuspecting users hand over credentials or personal information to the attacker.
2. Malware installation: the injected content may point users at malware downloads, which can infect their devices and compromise their security.
3. Unauthorized access: attacker JavaScript served from a poisoned entry executes for every visitor with the site's origin, so the attacker can hijack sessions and perform actions as those users, compromising sensitive data or functionality.
4. Denial of service: if the attacker can make the backend return an error or a broken page and get that response cached, every user of the URL receives the error until the entry expires; the cache does the work of repeating the failure for the attacker.
5. Reputation damage: if a web application is compromised by a web cache poisoning attack, it can damage the organization's reputation and erode user trust.
Overall, web cache poisoning can have serious consequences for both individuals and organizations, which makes it essential to implement appropriate security measures to prevent this type of attack.
Prevention:
1. Input validation and sanitization: do not trust headers such as X-Forwarded-Host to build URLs or page content; use a server-side configured hostname or an allow-list, and encode any value that is reflected into the response.
2. Cache control headers and cache keys: send Cache-Control: no-store on responses that depend on per-user or sensitive input, and make sure every header or parameter that changes a cacheable response is part of the cache key (through the Vary header or the cache's key configuration), so an attacker can only poison their own variant.
3. HTTPS encryption: TLS prevents a network attacker from modifying responses in transit or injecting them into a browser's cache; it does not by itself protect a shared server-side cache from poisoning through unkeyed inputs.
4. Regular security updates: keeping web applications, proxies and cache servers up to date with the latest security patches removes known cache-key and header-handling bugs that attackers exploit.
5. Access control: authentication and authorization ensure that, even if an attacker reaches the application, they cannot use it to change cache or proxy configuration or other sensitive functionality.
6. Content security policy: a CSP that restricts script sources limits what an attacker can do with a poisoned response, for example by blocking a script tag that points at the attacker's host.
7. Security testing: regular security testing, such as penetration testing with tools like Param Miner and vulnerability scanning, helps identify unkeyed inputs before attackers do.
By implementing these measures, organizations can prevent web cache poisoning attacks and limit their impact when one does occur.
Code Level:
<?php
// Disable caching for this response. Cache-Control is honoured by browsers and by
// shared caches (CDN, reverse proxy); Pragma and Expires cover HTTP/1.0 intermediaries.
header('Cache-Control: no-cache, no-store, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');
// Other code for your web application goes here...
?>
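The walkthrough above (Steps 1 to 3) and the prevention list come together in the following added example, which is not code from this post or from the lab: a small Python model of a shared cache keyed on path and query string, in front of a backend that, like the lab's basic.php, reflects X-Forwarded-Host into a script URL. It runs a Param Miner-style unkeyed-header probe with a cache buster, poisons the real URL, and shows what a victim receives under the vulnerable backend and under three fixes (ignore the header, declare it in Vary, or mark the page no-store as the PHP snippet above does). The hostnames example.com, canary.example and attacker.example and the path /basic.php are assumptions.

```python
"""Toy model of web cache poisoning via an unkeyed X-Forwarded-Host header.
Added example, not code from the post or the lab; hosts and paths are assumptions."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple
from uuid import uuid4

Request = Dict[str, Any]              # {"path": str, "query": str, "headers": {name: value}}
SITE_HOST = "example.com"             # assumed canonical hostname of the application


@dataclass
class Response:
    headers: Dict[str, str]
    body: str


def page(host: str, extra: Dict[str, str]) -> Response:
    # Every backend variant renders the same page; only the trust decision differs.
    body = f'<script src="https://{host}/static/app.js"></script>'
    return Response({"Cache-Control": "public, max-age=60", **extra}, body)


# Vulnerable: trusts X-Forwarded-Host, and nothing tells the cache the header matters.
def vulnerable_backend(req: Request) -> Response:
    return page(req["headers"].get("X-Forwarded-Host", SITE_HOST), {})


# Fix 1: the backend ignores the unkeyed header and uses its configured hostname.
def ignore_header_backend(req: Request) -> Response:
    return page(SITE_HOST, {})


# Fix 2: the response declares Vary, so the cache adds the header to its key.
def vary_backend(req: Request) -> Response:
    return page(req["headers"].get("X-Forwarded-Host", SITE_HOST), {"Vary": "X-Forwarded-Host"})


# Fix 3: the no-store approach of the PHP snippet; the response is never cached.
def no_store_backend(req: Request) -> Response:
    return page(req["headers"].get("X-Forwarded-Host", SITE_HOST),
                {"Cache-Control": "no-cache, no-store, must-revalidate"})


class Cache:
    """Shared cache: key = (path, query) plus the request headers named in Vary."""

    def __init__(self, backend: Callable[[Request], Response]):
        self.backend = backend
        self.store: Dict[Tuple[str, str], Tuple[Tuple[str, ...], Dict[tuple, Response]]] = {}
        self.hits = 0

    def fetch(self, req: Request) -> Response:
        base = (req["path"], req["query"])
        if base in self.store:
            vary, variants = self.store[base]
            vkey = tuple(req["headers"].get(h, "") for h in vary)
            if vkey in variants:
                self.hits += 1
                return variants[vkey]
        resp = self.backend(req)
        if "no-store" in resp.headers.get("Cache-Control", ""):
            return resp                                   # uncacheable, pass straight through
        vary = tuple(h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip())
        vkey = tuple(req["headers"].get(h, "") for h in vary)
        self.store.setdefault(base, (vary, {}))[1][vkey] = resp
        return resp


def header_is_unkeyed(cache: Cache, path: str, header: str, canary: str) -> bool:
    """Param Miner-style probe: a unique cache buster keeps the test away from real
    users' entries. Send the candidate header once, then a clean request with the
    same buster; if the clean request still receives the canary, the header is unkeyed."""
    buster = "cb=" + uuid4().hex
    first = cache.fetch({"path": path, "query": buster, "headers": {header: canary}})
    clean = cache.fetch({"path": path, "query": buster, "headers": {}})
    return canary in first.body and canary in clean.body


def victim_sees(cache: Cache, path: str, evil_host: str) -> str:
    """Attacker poisons the real URL (no buster); a victim then requests it normally."""
    cache.fetch({"path": path, "query": "", "headers": {"X-Forwarded-Host": evil_host}})
    return cache.fetch({"path": path, "query": "", "headers": {}}).body


if __name__ == "__main__":
    variants = [("vulnerable", vulnerable_backend), ("ignore-header", ignore_header_backend),
                ("vary", vary_backend), ("no-store", no_store_backend)]
    for name, backend in variants:
        c = Cache(backend)
        unkeyed = header_is_unkeyed(c, "/basic.php", "X-Forwarded-Host", "canary.example")
        print(f"{name:14} unkeyed={unkeyed!s:5} victim gets: {victim_sees(c, '/basic.php', 'attacker.example')}")
```

Only the vulnerable variant reports the header as unkeyed and serves the attacker's host to the victim. The Vary fix still reflects the header, but the attacker can only poison the variant that carries their own header value, which no normal visitor requests; the no-store fix is the safest but gives up caching for that page entirely, so on a busy site prefer fixing the cache key or the backend's trust in the header.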