GitBook: [#3362] No subject

This commit is contained in:
CPol 2022-08-12 16:57:56 +00:00 committed by gitbook-bot
parent 78b7292023
commit b44bf643b0
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
2 changed files with 20 additions and 3 deletions


@ -74,6 +74,7 @@ A hop-by-hop header is a header which is designed to be processed and consumed b
* **`Cache-Control`** indicates if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`
* **`Vary`** is often used in the response to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed.
* **`Age`** defines the times in seconds the object has been in the proxy cache.
* **`Server-Timing: cdn-cache; desc=HIT`** also indicates that a resource was cached
{% content-ref url="../../pentesting-web/cache-deception.md" %}
[cache-deception.md](../../pentesting-web/cache-deception.md)
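Review bot: the new `Server-Timing: cdn-cache; desc=HIT` bullet should say that `cdn-cache` is a metric name chosen by the CDN rather than a standard value, so its absence does not mean the response was not cached, and it should end with a period like the bullets above it. While touching this list, the `Age` bullet reads "defines the times in seconds" (should be "time in seconds"), and the `Cache-Control` bullet's "when will be the next time the resource will be cached again" would be clearer as "how long the stored copy may be reused (`max-age`)".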


@ -36,9 +36,18 @@ The poisoned response will only be served to users who visit the affected page w
In order to perform a cache poisoning attack you need first to **identify unkeyed inputs** (parameters not needed to appear on the the cached request but that change the returned page), see **how to abuse** this parameter and **get the response cached**.
### Identify and evaluate unkeyed inputs
### Discovery: Check HTTP headers
You could use [Param Miner](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there:
Usually when a response was **stored in the cache** there will be a **header indicating so**, you can check which headers you should pay attention to in this post: [**HTTP Cache headers**](../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
### Discovery: Caching 400 code
If you are thinking that the response is being stored in a cache, you could try to **send requests with a bad header**, which should be responded with a **status code 400**. Then try to access the request normally and if the **response is a 400 status code** , you know it's vulnerable (and you could even perform a DoS).\
_Note that sometimes these kind of status code aren't cached so this test will be useless._
### Discovery: Identify and evaluate unkeyed inputs
You could use [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load script from there:
```markup
<script type="text/javascript" src="//<X-Forwarded-For_value>/resources/js/tracking.js"></script>
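Review bot: the "Discovery: Caching 400 code" section should state that the test itself is what causes the denial of service mentioned in parentheses: once the 400 response is stored under the cache key, it is served to everyone requesting that key until it expires, so the check should be done against a key that real users do not hit (for example a throwaway query-string parameter) and the parenthetical "(and you could even perform a DoS)" should be reworded as that caveat. Smaller points in the same hunk: the first Param Miner paragraph, placed directly under "### Discovery: Check HTTP headers", duplicates the one under "### Discovery: Identify and evaluate unkeyed inputs" and should be dropped if it is not already the removed line; "on the the cached request" has a doubled "the"; and "these kind of status code aren't cached" should read "these kinds of status codes aren't cached".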
@ -197,7 +206,14 @@ Sending a header containing an illegal character, `\` would cause a cacheable 40
The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.
First of all note that **extensions** such as `.css`, `.js`, `.png` etc are usually **configured** to be **saved** in the **cache.** Therefore, if you access w\_ww.example.com/profile.php/nonexistent.js\_ the cache will probably store the response because it sees the `.js` **extension**. But, if the **application** is **replaying** with the **sensitive** user contents stored in _www.example.com/profile.php_, you can **steal** those contents from other users.
First of all note that **extensions** such as `.css`, `.js`, `.png` etc are usually **configured** to be **saved** in the **cache.** Therefore, if you access `www.example.com/profile.php/nonexistent.js` the cache will probably store the response because it sees the `.js` **extension**. But, if the **application** is **replaying** with the **sensitive** user contents stored in _www.example.com/profile.php_, you can **steal** those contents from other users.\
Other things to test:
* _www.example.com/profile.php/.js_
* _www.example.com/profile.php/.css_
* _www.example.com/profile.php/test.js_
* _www.example.com/profile.php/../test.js_
* _www.example.com/profile.php/%2e%2e/test.js_
Another very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).\
In the example it is explained that if you load a non-existent page like _http://www.example.com/home.php/non-existent.css_ the content of _http://www.example.com/home.php_ (**with the users sensitive information**) is going to be returned and the cache server is going to save the result.\
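Review bot: the rewrite correctly replaces the broken `w\_ww.example.com/profile.php/nonexistent.js\_` with a backticked path, but the same sentence still says the application is "replaying" with the sensitive contents (should be "replying"), and the bold span `**cache.**` swallows the full stop. The five bullets that follow keep the `_www.example.com/..._` italic markup that produced the original escaping bug, so they should use backticks too, e.g. `www.example.com/profile.php/.js`. It would also help to say why the cache "will probably store the response": this only happens when the cache keys on the `.js` extension and ignores the origin's `Cache-Control` for that response, which is also what the mitigation has to address.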