web cache poisoning attack - ties2/web-pentest GitHub Wiki

Web cache poisoning is an attack on the shared caches (CDNs, reverse proxies, load balancers) that sit in front of a web application. The attacker sends a request containing input that the origin reflects into its response but that the cache does not include in its cache key, so the cache stores the attacker-influenced response and serves it to every later visitor of that URL until the entry expires. The effect is that a reflected flaw, which on its own would only hit the attacker's browser, is delivered to other users: redirecting them to attacker-controlled hosts, injecting script into legitimate pages, or serving attacker-chosen content. Such an attack can be used to steal sensitive information, spread malware, or run phishing campaigns. The techniques and outcomes commonly grouped under this heading are:

HTTP Header Injection:

The attacker sends a request carrying a header that the origin reflects into the response, for example X-Forwarded-Host used to build absolute URLs or redirects, but that the cache does not include in its key (most caches key only on host, path and query string). The origin generates its response from the attacker's header value, the cache stores that response under the ordinary key for the URL, and every user who requests the URL while the entry is fresh receives it. For example, if X-Forwarded-Host is reflected into the src attribute of a script tag, the cached page loads JavaScript from the attacker's host; if it is reflected into a Location header, users are redirected to a phishing site that looks like the legitimate one.

Path Traversal:

Path traversal on its own (../ sequences used to read files outside the web root) is an origin vulnerability, not a cache attack: a traversal request reads a file, it does not write anything into a cache, and server-side code cannot be "modified" this way. Where path handling matters for caching is when the cache and the origin normalise the path differently. If the cache keys and stores a request such as /static/../index.php as a static resource while the origin resolves it to dynamic, possibly user-specific content, that content can be cached and served to other users (web cache deception), or an attacker can get a response for an unexpected path stored under a key that legitimate users request. Treat this entry as a reminder to test how each hop handles ../, encoded slashes and trailing segments, rather than as a poisoning vector in its own right.

Query String Manipulation:

Caches normally include the query string in the key, but many are configured to ignore parameters that do not change the page (tracking parameters such as utm_*), and some ignore the query string entirely. If the application reflects such an unkeyed parameter into the response, the attacker requests the URL with a payload in that parameter, the response is cached under the key for the plain URL, and users who request the URL without the parameter receive the payload. The same applies to a parameter that controls a redirect: a cached 302 to an attacker-controlled host is served to everyone. For example, an attacker could place a script in an unkeyed parameter and have it served to every visitor, or poison a cached redirect so that visitors land on a phishing site.

Cross-Site Scripting (XSS):

XSS is the most common payload rather than a separate mechanism: cache poisoning turns a reflected XSS in an unkeyed input (a header or query parameter as above) into something that behaves like stored XSS, because every user who loads the cached page executes the script without having to click an attacker-supplied link. The script can be used to steal sensitive information or to redirect users to a malicious site. For example, an attacker could inject a script that captures login credentials and sends them to the attacker, and the cache delivers it to everyone who visits the page until the entry expires.

Content Spoofing:

Content spoofing describes the outcome in which a cached resource is served with attacker-chosen content. Cached static assets are attractive targets because a poisoned script or stylesheet is loaded by every page that references it. An attacker cannot simply overwrite a cache entry, though; the spoofed content has to reach the cache through one of the mechanisms above, an unkeyed input that the origin reflects or a path that the cache and the origin interpret differently. For example, if an image or script URL is built from a reflected header, the cached page references attacker-hosted content instead of the legitimate file.

Session Fixation:

Session fixation means forcing a user's session ID to a value the attacker knows, so that the attacker can use the session once the user has logged in. Its connection to caching is the Set-Cookie response header: if a cache stores a response that sets the session cookie (for example the login page), every user who receives the cached copy is handed the same session ID, which is fixation at scale and also lets users end up in each other's sessions. This is why CDNs normally refuse to cache responses carrying Set-Cookie, and why a cache configuration that ignores that header must be treated as a bug.

Web cache poisoning is prevented by fixing both sides. On the application side: do not build URLs, redirects or page content from request headers such as X-Forwarded-Host; validate input and encode output so that a reflected value cannot become script; issue a fresh session ID on login so that a leaked or cached cookie value is worthless. On the cache side: make sure every request input that changes the response is either part of the cache key (or declared by the origin in Vary) or stripped at the edge before the request reaches the origin; do not exclude query parameters from the key if the application reflects them; never cache responses that carry Set-Cookie. Web application firewalls can filter obviously malicious payloads, but a CDN is itself the cache being poisoned, so a correct cache-key configuration protects more than filtering does.

cheat sheet for web cache poisoning attacks:

Attack Type: HTTP Header Injection

Description: Sending a request with a header that the origin reflects into the response but that the cache leaves out of its key. The response built from the attacker's header value is stored under the ordinary key for the URL and served to other users, redirecting them or loading attacker-controlled content.

Example:

    GET / HTTP/1.1
    Host: example.com
    X-Forwarded-Host: attacker.com

Attack Type: Path Traversal

Description: Directory traversal reads files outside the web root from the origin; it is an origin vulnerability, not a cache write. The cache-relevant variant is a path that the cache and the origin normalise differently, so that a response is stored under a key other users request or a dynamic response is cached as a static one.

Example:

    GET /../../../../etc/passwd HTTP/1.1
    Host: example.com

This request reads a file from the origin; it does not poison a cache entry. For caching, the thing to test is whether the cache and the origin agree on what path this request refers to.

Attack Type: Query String Manipulation

Description: Supplying a payload in a query parameter that the cache leaves out of its key (or in any parameter, if the cache ignores the query string). The response, a page with reflected content or a redirect, is cached for the plain URL and served to users who never sent the parameter.

Example:

    GET /index.html?redirect=http://attacker.com HTTP/1.1
    Host: example.com

Attack Type: Cross-Site Scripting (XSS)

Description: The usual payload rather than a separate technique. A script delivered through an unkeyed header or parameter is cached with the page and executed by every user who loads it, turning a reflected XSS into one that behaves like stored XSS.

Example:

    <script>alert('XSS')</script>

The payload above is placed in the unkeyed input found with the header or query-string probes, for example as the value of X-Forwarded-Host or of an ignored query parameter.

Attack Type: Content Spoofing

Description: The outcome in which a cached resource, typically a script, stylesheet or image, is served with attacker-chosen content. It is reached through one of the mechanisms above, not by writing to the cache directly.

Example:

    GET /logo.png HTTP/1.1
    Host: example.com
    If-None-Match: "malicious_etag"

Note that If-None-Match is a conditional request header: it only asks whether the stored copy is still current and at most triggers a revalidation or a 304. It cannot replace the body held in the cache, so this request on its own spoofs nothing.

Attack Type: Session Fixation

Description: Forcing a user's session ID to a value the attacker knows, so that the session can be taken over after login. In a caching context this happens when the cache stores a response that carries Set-Cookie: everyone who receives the cached copy gets the same session ID.

Example:

    GET /login.php HTTP/1.1
    Host: example.com

    HTTP/1.1 200 OK
    Set-Cookie: sessionid=attacker_sessionid; path=/

Set-Cookie is a response header, not a request header. If the cache stores the response above, every user who requests /login.php is handed sessionid=attacker_sessionid.

Prevent web cache poisoning attack:

Use proper caching mechanisms that restrict what can be cached and how it is keyed:
- Include in the cache key (or declare in Vary) every request input that the origin reflects, or strip those inputs at the edge before the request reaches the origin: X-Forwarded-Host and similar forwarding headers are the usual suspects.
- Do not exclude query parameters from the key when the application echoes them into the response or uses them to pick a redirect target.
- Never cache responses that carry Set-Cookie or other user-specific data.
- Make sure the cache and the origin normalise paths the same way, so that a dynamic response cannot be stored under a static-looking key.
- On the application side, do not build URLs from request headers, and encode reflected output so it cannot become script.
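The two unkeyed-input vectors in the cheat sheet (HTTP Header Injection through X-Forwarded-Host, and Query String Manipulation through a parameter the cache drops from its key) and the cache-key and output-encoding fixes listed above, as an added example that is not code from this wiki or from any cache product. It is a constructed Python model of a shared cache in front of a reflecting origin; Request, Cache, origin, hardened_origin, probe_unkeyed_header, example.com, attacker.example and utm_content are all assumptions made for the illustration, and it runs offline.

```python
"""Constructed model of a shared cache in front of a reflecting origin.
Added example for this wiki page, not code from the page or any product;
Request, Cache, origin, hardened_origin, probe_unkeyed_header, example.com
and attacker.example are illustrative names. Runs offline."""
import html
from dataclasses import dataclass, field
from urllib.parse import urlencode
from uuid import uuid4


@dataclass
class Request:
    method: str
    host: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def origin(req: Request) -> str:
    """Vulnerable origin: trusts X-Forwarded-Host when building an absolute
    script URL and echoes utm_content into an attribute without encoding."""
    base = req.headers.get("X-Forwarded-Host", req.host)
    tracking = req.query.get("utm_content", "")
    return (f'<script src="https://{base}/static/app.js"></script>\n'
            f'<p class="{tracking}">welcome</p>')


def hardened_origin(req: Request) -> str:
    """Same page with both defects fixed: the keyed Host header is used
    instead of the forwarding header, and reflected input is HTML-encoded."""
    tracking = html.escape(req.query.get("utm_content", ""), quote=True)
    return (f'<script src="https://{req.host}/static/app.js"></script>\n'
            f'<p class="{tracking}">welcome</p>')


class Cache:
    """Shared cache. unkeyed_params are dropped from the key (a common CDN
    setting for tracking parameters); keyed_headers are added to the key,
    the equivalent of the origin listing them in Vary."""

    def __init__(self, origin_fn, unkeyed_params=(), keyed_headers=()):
        self.origin_fn = origin_fn
        self.unkeyed_params = set(unkeyed_params)
        self.keyed_headers = tuple(keyed_headers)
        self.store = {}

    def key(self, req: Request) -> tuple:
        query = {k: v for k, v in sorted(req.query.items())
                 if k not in self.unkeyed_params}
        varied = tuple(req.headers.get(h, "") for h in self.keyed_headers)
        return (req.method, req.host, req.path, urlencode(query), varied)

    def fetch(self, req: Request) -> tuple:
        """Return (body, 'HIT' or 'MISS'); every origin response is stored."""
        k = self.key(req)
        if k in self.store:
            return self.store[k], "HIT"
        body = self.origin_fn(req)
        self.store[k] = body
        return body, "MISS"


def poison_via_header(cache: Cache) -> tuple:
    """Attacker plants a response through X-Forwarded-Host, then a victim
    requests the plain URL. Returns the victim's cache status and whether
    the attacker's host ended up in the page the victim received."""
    attacker = Request("GET", "example.com", "/",
                       headers={"X-Forwarded-Host": "attacker.example"})
    cache.fetch(attacker)
    body, status = cache.fetch(Request("GET", "example.com", "/"))
    return status, "attacker.example" in body


def poison_via_unkeyed_param(cache: Cache) -> tuple:
    """Same idea through a query parameter the cache strips from its key;
    the payload is a constructed reflected-XSS string."""
    payload = '"><img src=x onerror=alert(document.domain)>'
    cache.fetch(Request("GET", "example.com", "/", query={"utm_content": payload}))
    body, status = cache.fetch(Request("GET", "example.com", "/"))
    return status, "<img" in body


def probe_unkeyed_header(cache: Cache, header: str,
                         canary: str = "canary.invalid") -> str:
    """Tester's check. A unique cache-buster parameter keeps the probe away
    from real users' cache entries; reflect a canary through the candidate
    header, then re-request without it and see if the canary is served."""
    buster = {"cb": uuid4().hex}
    first, _ = cache.fetch(Request("GET", "example.com", "/", query=buster,
                                   headers={header: canary}))
    if canary not in first:
        return "not reflected"
    second, status = cache.fetch(Request("GET", "example.com", "/", query=buster))
    return "unkeyed and cached" if status == "HIT" and canary in second else "keyed"


if __name__ == "__main__":
    vulnerable = lambda: Cache(origin, unkeyed_params=("utm_content",))
    keyed = lambda: Cache(origin, keyed_headers=("X-Forwarded-Host",))
    fixed_app = lambda: Cache(hardened_origin, unkeyed_params=("utm_content",))
    for name, make in (("vulnerable", vulnerable), ("keyed cache", keyed),
                       ("hardened origin", fixed_app)):
        # fresh cache per call so one poisoned entry does not mask the next test
        print(name, poison_via_header(make()), poison_via_unkeyed_param(make()),
              probe_unkeyed_header(make(), "X-Forwarded-Host"))
```

Against the vulnerable stack both poisoning functions report that the victim got a HIT containing the attacker's content; adding X-Forwarded-Host to the key (or keeping utm_content in it) makes the victim's request a MISS that goes back to the origin, and the hardened origin stops reflecting even when the cache is still misconfigured. probe_unkeyed_header is the discipline that matters in a real engagement: the cache-buster parameter ensures the poisoned entry only ever exists under a key no real user requests, and the second request, without the candidate header, is what distinguishes a keyed header (MISS) from an unkeyed one (HIT with the canary), which is the finding.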

These are only the common patterns; the underlying question is always the same: which request inputs reach the origin's response without being part of the cache key? Secure coding limits what a reflected input can do, and a correctly keyed cache limits who receives it.
