AppSecCali 2019 - Cache Me If You Can: Messing with Web Caching

oBKoocE5id4/default.jpg

As application security gained in popularity and maturity, attackers and researchers have turned to more creative methods for exploiting web applications. In 2017, security researcher Omer Gil introduced the Web Cache Deception attack. This attack, while trivial to understand and leverage, showed the potential of attacking caching mechanisms instead of targeting the application itself in order to extract sensitive information. In 2018, GoSecure introduced a new class of attack known as Edge Side Include Injections, exploiting a design flaw introduced nearly two decades ago in popular caching servers and cache providing solutions. Again in 2018, James Kettle released his research on Web Cache Poisoning, which leverages unkeyed input to reflect arbitrary data in an HTTP response in order to get a cross-site-scripting payload cached across users.

The findings from this research show the obvious flaws we failed to identify in caching specifications for so long. This talk aims to be a precautionary tale for the next time you need to implement a web caching solution by providing a practical overview of caching attacks in web applications. We'll look at attacks targeting both modern and legacy web applications, how to detect these design oversights and leverage them, and more importantly how to mitigate them.

Louis Dion-Marcil
Information Security Analyst
Louis Dion-Marcil is a consultant working for Mandiant. He specializes in offensive appsec and pentesting medium to large scale organizations. A seasoned CTF participant and sometimes finalist with the DCIETS team, he has also written challenges for various competitions.

-

Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...

oBKoocE5id4/default.jpg
AppSecCali 2019 - Cache Me If You Can: Messing with Web Caching AppSecCali 2019 - Cache Me If You Can: Messing with Web Caching Reviewed by Anonymous on March 12, 2019 Rating: 5