Practical Web Cache Poisoning: Redefining "Unexploitable" presented at ekopartySecurityConference 2018

by James Kettle,

Summary : Modern web applications are composed from a crude patchwork of caches and content delivery networks. In this session I’ll show you how to compromise websites by using esoteric web features to turn their caches into exploit delivery systems, targeting everyone that makes the mistake of visiting their homepage.I’ll illustrate and develop this technique with vulnerabilities that handed me control over numerous well known websites and frameworks, progressing from simple single-request attacks to intricate exploit chains that hijack JavaScript, pivot across cache layers, subvert social media and misdirect cloud services in pursuit of the perfect exploit. Unlike previous cache poisoning techniques, this approach doesn’t rely on other vulnerabilities like response splitting, or cache-server quirks that are easily patched away. Instead, it exploits core principles of caching, and as such affects caching solutions indiscriminately. The repercussions also extend beyond websites - I’ll show how using this approach, I was able to compromise Mozilla infrastructure and partially hijack a notorious Firefox feature, letting me conduct tens of millions of Firefox browsers as my personal low-fat botnet. In addition to sharing a thorough detection methodology, I’ll also release and open source the Burp Suite Community extension that fueled this research. You’ll leave with an altered perspective on web exploitation, and an appreciation that the simple act of placing a cache in front of a website can take it from completely secure to critically vulnerable.