Cached and Confused

Web Cache Deception in the Wild

About the Speaker

Seyed Ali Mirheidari has over a decade experience of leading penetration tests, vulnerability management and vulnerability assessments of broad technologies including web, network, mobile, and IoT. He is currently a Lead Information Security Consultant at Denim Group conducting network and application penetration testing engagements for Fortune 100 and other enterprise clients. He has a broad experience in building custom exploits for penetration tests and hands-on experience in intrusion detection in large enterprise environments. Ali invests extensive research time gaining an in-depth understanding of complex security implications in underlying protocols. His research leads to implementing new techniques to discover and exploit well-hidden web application flaws.

Sajjad is a security software engineer, focused on fighting Android Malware with focus on detecting JavaScript abuse in hybrid Android apps. His research is concerned with improving the security of computer systems through application of secure design principles and integration of defensive techniques such as attack detection, prevention, and recovery. Some domains he is active in are large-scale web security/privacy measurement, program analysis, and Malware detection. In his spare time, he is a CTF player and has authored several technical CTF writeups.

Abstract

Web Cache Deception (WCD) has been introduced in 2017 by Omer Gil, where an intruder lures a caching server to mistakenly store private information publicly and as a result obtains unauthorized access to cached data. In this talk, we will introduce new exploitation techniques based on the semantic disconnect among different framework-independent web technologies (e.g., browsers, CDNs, web servers) which results in different URL path interpretations. We coined the term “Path Confusion” to represent this disagreement and we will present the effectiveness of this technique on WCD attack. In February 2020, our related research was voted and led to an award as the top web hacking technique of 2019 by PortSwigger.

We explore WCD as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable three years after the public disclosure of WCD. To further elucidate the seriousness of path confusion, we will also present the large scale analysis results of WCD attack on high profile sites. We present a semi-automated path confusion crawler which detects hundreds of sites that are still vulnerable to WCD only with specific types of path confusion techniques.

We conclude the talk with explaining why path confusion is so complicated to remediate while shedding light on potential areas that researchers and bughunters can apply new attack vectors through different path confusion techniques.

Video