Overview
Explore practical web cache poisoning techniques in this 44-minute Black Hat conference talk by James Kettle. Delve into the vulnerabilities of modern web applications' caching systems and content delivery networks. Learn how to exploit esoteric web features to transform caches into exploit delivery systems, potentially affecting all visitors to a website's homepage. Discover the caching threat landscape, cache poisoning objectives, and methodologies. Examine topics such as cache keys, unkeyed input detection, DOM poisoning, and cross-cloud poisoning. Gain insights into defensive strategies and key takeaways for securing web applications against these sophisticated attacks.
Syllabus
Intro
Param Miner
Outline
Caching Threat Landscape
Cache poisoning objective
Cache keys
Cache key collisions
Cache Poisoning Methodology
Trusting headers
Unkeyed input detection
Explore and Inject
Seizing the Cache
Selective poisoning
DOM Poisoning
Mystery Interaction
Mozilla SHIELD
Chaining Unkeyed Inputs
Hidden Route Poisoning
Resource Hijacking
Open Graph hijacking
Cross-Cloud Poisoning: Cloudflare
Beyond fake hosts
External cache poison (1/3)
Internal cache poison (2/3)
Drupal Open redirect (3/3)
Combining ingredients
Defense
Takeaways
Taught by
Black Hat