Web缓存欺骗
class, css, jar, js, jpg, jpeg, gif, ico, png, bmp, pict, csv, doc, docx, xls, xlsx, ps, pdf,
pls, ppt, pptx, tif, tiff, ttf, otf, webp, woff, woff2, svg, svgz, eot, eps, ejs, swf, torrent,
midi, mid
存在漏洞的地址:http://www.xx.com/cc.css位于cdn缓存上,但是访问该css同http://www.xx.com/home.php一样,所以造成了该漏洞
漏洞利用:将http://www.xx.com/cc.css地址发给笑脸用户,用户在上面的操作会留在cdn缓存上,造成了泄漏,这个时候,恶意攻击者访问该用户就造成了,缓存欺骗。
以下为hackone案例,仅供参考,顺便提下,案例二的poc可以进行证明漏洞
Jun 2nd (8 months ago)
I have found a Vulnerability in vanilla forums which called Web cache deception attack.
Web Cache Deception Attack
Websites often tend to use web cache functionality to store files that are often retrieved, to reduce latency from the web server.
Websites often tend to use web cache functionality (for example over a CDN, a load balancer, or simply a reverse proxy). The purpose is simple: store files that are often retrieved, to reduce latency from the web server.
When accessing a URL like http://www.example.com/home.php/non-existent.css
A GET request to that URL will be produced by the browser. The server returns the content of http://www.example.com/home.php. And yes, the URL remains http://www.example.com/home.php/non-existent.css. The HTTP headers will be the same as for accessing http://www.example.com/home.php directly: same caching headers and same content type (text/html, in this case).
The web cache servre saves the returned page in the server's cache. Then the attacker can go to the url: http://www.example.com/home.php/non-existent.css and the page of the victim will be presented with the victim's sensitive information (The page content).
The dangerous part in this attack, unlike phishing attacks, is that the url isn't looks suspicious at all. It looks like a normal url from the original website, so the victim thinks that it is ok to click on the link.
Steps:
- The attacker sends the following link to the victim: https://open.vanillaforums.com/messages/all/non-existent.css
- The victim opens the link and the inbox page will be loaded normally. (The web cache server then saves this page)
- The attacker open the same link (https://open.vanillaforums.com/messages/all/non-existent.css), and the inbox page of the victim with all his private contant is loaded.
If you need a video to understand it better, ask me and I will send you one.
Impact
The attacker can achieve all the private content of a specific victim, without the victim knowing about it.
二:
Hello,
Your Web-Server is vulnerable to web cache poisoning attacks.
This means, that the attacker are able to get another user informations.
If you are logged in and visit this website (For example):
https://postmates.com/SomeRandomText.css
Then the server will store the information in the cache, BUT with the logged in user information :)
A non-logged-in user can then visit this website and see the information contained therein.
In that case, this url: https://postmates.com/SomeRandomText.css
I have written a small javascript / html code, which executes this attack fully automated, you just need to visit the website and wait like 3 seconds.
Here is the small PoC code
<html>
<head>
</head>
<body>
<script>
var cachedUrl = 'https://postmates.com/' + generateId() + '.css';
const popup = window.open(cachedUrl);
function generateId() {
var content = '';
const alphaWithNumber = 'QWERTZUIOPASDFGHJUKLYXCVBNM1234567890';
for (var i = 0; i < 10; i++) {
content += alphaWithNumber.charAt(Math.floor(Math.random() * alphaWithNumber.length))
}
return content;
}
var checker = setInterval(function() {
if (popup.closed) {
clearInterval(checker);
}
}, 200);
var closer = setInterval(function() {
popup.close();
document.body.innerHTML = 'Victims content is now cached <a href="' + cachedUrl + '">here and the url can be saved on the hackers server</a><br><b>Full Url: ' + cachedUrl + '</b>';
clearInterval(closer);
}, 3000);
</script>
</body>
</html>
Theoretically, the attacker could then store this information on his server, but in this example, the URL is simply shown.
I would suggest keeping an eye on caching for more security and hope you enjoyed my report.
Some informations about the attack:
https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf
The screenshots with the steps are in the attachments
Not important for this report, but i want to look deeper in your website: Can you create an account for me? Im from Germany and dont have american phone number :)
Impact
Web cache poisoning attack can be used to steal user informations like lastname and member id which is important for the login security feature. (For example)
Web缓存欺骗的更多相关文章
- 【转】一种新型的Web缓存欺骗攻击技术
为了减少WEB响应时延并减小WEB服务器负担,现在WEB缓存技术已经用的非常普遍了,除了专门的CDN,负载均衡以及反向代理现在也会缓存一部分的网页内容.这里我要介绍一种WEB缓存欺骗攻击技术,这种攻击 ...
- 作为前端应当了解的Web缓存知识
缓存优点 通常所说的Web缓存指的是可以自动保存常见http请求副本的http设备.对于前端开发者来说,浏览器充当了重要角色.除此外常见的还有各种各样的代理服务器也可以做缓存.当Web请求到达缓存时, ...
- Web缓存杂谈
一.概述 缓存通俗点,就是将已经得到的‘东东’存放在一个相对于自己而言,尽可能近的地方,以便下次需要时,不会再二笔地跑到起始点(很远的地方)去获取,而是就近解决,从而缩短时间和节约金钱(坐车要钱嘛). ...
- 前端应当了解的Web缓存知识
缓存优点 通常所说的Web缓存指的是可以自动保存常见http请求副本的http设备.对于前端开发者来说,浏览器充当了重要角色.除此外常见的还有各种各样的代理服务器也可以做缓存.当Web请求到达缓存时, ...
- 浅谈Web缓存
在前端开发中性能一直都是被大家所重视的一点,然后判断一个网站的性能最直观的就是看网页打开的速度. 其中提高网页反应的速度的一个方式就是使用缓存.一个优秀的缓存策略可以缩短网页请求资源的距离,减少延迟, ...
- web缓存
web缓存HTTP协议的一个核心特性,它能最小化网络流量,并且提升用户所感知的整个系统响应速度. 什么能被缓存? *Logo和商标图像 *普通的不变化的图像(例如,导航图标) *CSS样式表 *普通的 ...
- Web 技术人员需知的 Web 缓存知识(转)
最近的译文距今已有4年之久,原文有一定的更新.今天踩着前辈们的肩膀,再次把这篇文章翻译整理下.一来让自己对web缓存的理解更深刻些,二来让大家注意力稍稍转移下,不要整天HTML5, 面试题啊叨啊叨的~ ...
- c# web 缓存管理
using System; using System.Collections; using System.Text.RegularExpressions; using System.Web; usin ...
- HTML5时代的Web缓存机制
HTML5 之离线应用Manifest 我们知道,使用传统的技术,就算是对站点的资源都实施了比较好的缓存策略,但是在断网的情况下,是无法访问的,因为入口的HTML页面我们一般运维的考虑,不会对其进行缓 ...
随机推荐
- 软件——Jira是什么
JIRA这个工具接触有好几年了,在多个海外项目上都用过这个工具.去年又在项目上深度使用后就有点爱不释手了,回国后也在找机会推荐给其它项目上用.最近正好有新项目需要用,借这个机会把JIRA的配置学习的过 ...
- 从零开始学习docker之在docker中搭建redis(集群)
docker搭建redis集群 docker-compose是以多容器的方式启动,非常适合用来启动集群 一.环境准备 云环境:CentOS 7.6 64位 二.安装docker-compose #需要 ...
- 【Hadoop离线基础总结】CDH版本的zookeeper环境搭建
CDH版本的zookeeper环境搭建 下载 下载地址 http://archive.cloudera.com/cdh5/cdh/5/ 修改配置文件 创建ZooKeeper数据存放目录 mkdir - ...
- u-boot: Not enough room for program headers, try linking with -N
在编译u-boot的时候出现了以下错误: arm-linux-gnueabi-ld.bfd: u-boot: Not enough room for program headers, try link ...
- 房价预测Task1
pandas:简单的房价预测实例 我们使用pandas等工具,对于给出的.csv文件进行处理,完成要求的几个Task. 利用sklearn的线性回归,对于房价进行简单的预测. 所有的要求,数据集等文件 ...
- 为什么PUSH推送要经常背锅?
前言 只有光头才能变强. 文本已收录至我的GitHub精选文章,欢迎Star:https://github.com/ZhongFuCheng3y/3y 自从做了推送以后,每隔一段时间就发现有各大的公司 ...
- asp.net core计划任务探索之hangfire+redis+cluster
研究了一整天的quartz.net,发现一直无法解决cluster模式下多个node独立运行的问题,改了很多配置项,仍然是每个node各自为战.本来cluster模式下的各个node应该是负载均衡的, ...
- [hdu5348]图上找环,删环
http://acm.hdu.edu.cn/showproblem.php?pid=5348 题意:给一个无向图,现在要将其变成有向图,使得每一个顶点的|出度-入度|<=1 思路:分为两步,(1 ...
- Linux常用命令详解—基于CentOS7
## Linux 目录- /:根目录,一般只存放目录,不存放文件- /bin -> /usr/bin:可执行二进制文件的目录,也是常用命令目录,如常用的命令 ls.cat.mv 等- /boot ...
- 初识spring boot maven管理--HelloWorld
配置文件配置好 了之后可以进行第一个例子的编写了! @Controller @EnableAutoConfiguration() public class SampleController { pri ...