Web Cache Poisoning

Web Cache Poisoning

๐Ÿ” Introduction

Web Cache Poisoning์€ ์บ์‹œ ์„œ๋ฒ„๋“ค์˜ ์บ์‹œ ์ •์ฑ…์„ ์ด์šฉํ•œ ๊ณต๊ฒฉ ๋ฐฉ๋ฒ•์œผ๋กœ ํŠน์ •ํ•œ HTTP Request๋ฅผ ํ†ตํ•ด ๋‹ค๋ฅธ ์‚ฌ์šฉ์ž์˜ ์„œ๋น„์Šค ๋™์ž‘์— ์˜ํ–ฅ์„ ์ค„ ์ˆ˜ ์žˆ๋Š” ๋ถ€๋ถ„๋“ค์„ Cache ์‹œ์ผœ ์„œ๋น„์Šค๋ฅผ ์ •์ƒ์ ์„ ์‚ฌ์šฉํ•˜์ง€ ๋ชปํ•˜๊ฒŒ ํ•˜๊ฑฐ๋‚˜(DOS), ๋‹ค๋ฅธ ์ทจ์•ฝ์ ๊ณผ์˜ ์—ฐ๊ณ„๋ฅผ ์œ„ํ•œ ๋ถ€๋ถ„์œผ๋กœ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

๐Ÿ—ก Offensive techniques

Detect

HTTP Header, Query ๋“ฑ์— ์ž„์˜์˜ ํ—ค๋”, ๊ฐ’ ๋“ฑ์„ ์š”์ฒญํ•˜์—ฌ ์„œ๋ฒ„์—์„œ ์บ์‹œ๋˜๋Š”์ง€ ์—ฌ๋ถ€๋ฅผ ํ™•์ธํ•ฉ๋‹ˆ๋‹ค. ๋งŒ์•ฝ ์บ์‹œ๊ฐ€ ๋˜๋Š” ๊ฒฝ์šฐ ๋‹ค๋ฅธ ์‚ฌ์šฉ์ž๋„ ํ•ด๋‹น ๊ฒฝ๋กœ๋กœ ์ง„์ž… ์‹œ ์บ์‹œ๋œ ๊ฒฐ๊ณผ๋ฅผ ๋ฐ›๊ธฐ ๋•Œ๋ฌธ์— ์˜ํ–ฅ์„ ์ค„ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Attack Request / Response

๋งŒ์•ฝ X-Location ํ—ค๋”๊ฐ€ Cache ๋Œ€์ƒ์ด๊ณ  Response์— ์˜ํ–ฅ(Location ํ—ค๋”)์„ ๋ผ์นœ๋‹ค๋ฉด..

GET /?cache_busting=1234 HTTP/1.1
Host: example.com
X-Location: https://www.hahwul.com

HTTP/1.1 200 OK
Location: https://www.hahwul.com

Victim Request / Response

์ผ๋ฐ˜ ์‚ฌ์šฉ์ž๊ฐ€ X-Location ํ—ค๋”๊ฐ€ ์—†์–ด๋„, ์บ์‹œ๋œ ๊ฒฐ๊ณผ๋ฅผ ๋ฐ›์•„์™€์„œ ๊ณต๊ฒฉ์ž๊ฐ€ ์˜๋„ํ•œ ์‚ฌ์ดํŠธ๋กœ ์ด๋™ํ•ฉ๋‹ˆ๋‹ค.

GET /?cache_busting=1234 HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Location: https://www.hahwul.com

Cache key

์บ์‹œ๋œ ์ปจํ…์ธ ๊ฐ€ ๋ชจ๋“  ์‚ฌ์šฉ์ž์—๊ฒŒ ๋™์ผํ•˜๊ฒŒ ์ „๋‹ฌ๋˜๋Š” ๊ฒƒ์€ ์•„๋‹™๋‹ˆ๋‹ค. ๋ฌผ๋ก  ๋ฌด์กฐ๊ฑด ์บ์‹œํ•˜์—ฌ ๋ชจ๋“  ์‚ฌ์šฉ์ž์—๊ฒŒ ์ „๋‹ฌํ•˜๋Š” ๊ฒฝ์šฐ๋„ ์žˆ์ง€๋งŒ, ํŠน์ • ์กฐ๊ฑด์— ์˜ํ•ด ๊ฐ™์€ ์‚ฌ์šฉ์ž๋ผ๊ณ  ํŒ๋‹จ๋˜๋ฉด ์ „๋‹ฌํ•˜๋Š” ์„œ๋ฒ„๋„ ์žˆ์Šต๋‹ˆ๋‹ค.

๊ทธ๋Ÿฐ ์„œ๋ฒ„๋“ค์ด ์‚ฌ์šฉํ•˜๋Š” ํŠน์ • ์กฐ๊ฑด์ด ๋ฐ”๋กœ Cache key์ž…๋‹ˆ๋‹ค. Cache key๋Š” ์บ์‹œ ์„œ๋ฒ„๊ฐ€ HTTP ์š”์ฒญ์„ ์ˆ˜์‹ ํ•  ๋•Œ, ์ง์ ‘ ์ฒ˜๋ฆฌํ•  ์ˆ˜ ์žˆ๋Š” ์บ์‹œ๋œ ์‘๋‹ต์ด ์žˆ๋Š”์ง€ ๋˜๋Š” ๋ฐฑ์—”๋“œ ์„œ๋ฒ„์˜ ์ฒ˜๋ฆฌ ์š”์ฒญ์„ ์ „๋‹ฌํ•ด์•ผ ํ•˜๋Š”์ง€ ์—ฌ๋ถ€๋ฅผ ๋จผ์ € ํ™•์ธํ•ด์•ผ ํ•˜๋Š”๋ฐ, ์ด ๋•Œ ์‚ฌ์šฉ๋˜๋ฉฐ ์ด๋ฅผ ํ†ตํ•ด์„œ ๋™๋“ฑํ•œ ์š”์ฒญ์„ ์‹๋ณ„ํ•ฉ๋‹ˆ๋‹ค.

  • HTTP Scheme
  • HTTP Host
  • Path
  • Query string
  • Etcโ€ฆ

๊ธฐ๋ณธ์ ์œผ๋กœ Host ํ—ค๋”์™€ URI Query๋Š” ํฌํ•จ๋˜๋ฉฐ, ์—ฌ๊ธฐ์— ์บ์‹œ ์„œ๋ฒ„์˜ ์„ค์ •์— ๋”ฐ๋ผ์„œ ์ถ”๊ฐ€๋กœ ๊ฐ’์ด ๋” ๋“ค์–ด๊ฐˆ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. Cache Poisoning ์‹œ ์ด ์ ์„ ์•Œ๊ณ  ์žˆ์–ด์•ผ, Self ์บ์‹œ๋˜๋Š” ์ƒํ™ฉ์—์„œ Global ์บ์‹œ๋กœ ๋ฒ”์œ„๋ฅผ ํ™•์žฅํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Unkeyed inputs

Unkeyed inputs์€ Cache Key์™€ ๋‹ค๋ฅด๊ฒŒ Cache์— ์ง์ ‘์ ์ธ ์˜ํ–ฅ์„ ๋ผ์น˜์ง€ ์•Š์œผ๋ฉด์„œ, Response์—๋งŒ ์˜ํ–ฅ์„ ๋ผ์น˜๋Š” ํ•ญ๋ชฉ์„ ์˜๋ฏธํ•ฉ๋‹ˆ๋‹ค. ๋งจ ์œ„์— Cache Poisoning ์˜ˆ์‹œ์—์„  X-Location ๊ฐ’์ด Unkeyed inputs์ด ๋ฉ๋‹ˆ๋‹ค.

GET /?cache_busting=1234 HTTP/1.1
Host: example.com
X-Location: https://www.hahwul.com

HTTP/1.1 200 OK
Location: https://www.hahwul.com

Detect flow

๋ณดํ†ต 3๊ฐ€์ง€์˜ ํ”Œ๋กœ์šฐ๋กœ Cache Poisoning์˜ ์—ฌ๋ถ€๋ฅผ ์‹๋ณ„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

  • Identify and evaluate unkeyed inputs (unkeyed inputs๋ฅผ ์ฐพ์Šต๋‹ˆ๋‹ค. ๊ทธ๋ฆฌ๊ณ  ์˜ํ–ฅ๋ ฅ ๊ฒ€์ฆ)
  • Elicit a harmful response from the back-end server (๋ฐฑ์—”๋“œ ์„œ๋ฒ„์—์„œ ์•…์˜์ ์ธ Response๋ฅผ ์œ ๋„ํ•ฉ๋‹ˆ๋‹ค.)
  • Get the response cached (์ดํ›„ ํ•ด๋‹น Response๊ฐ€ ์บ์‹œ๋˜๋Š”์ง€ ํ™•์ธํ•ฉ๋‹ˆ๋‹ค)

Header Mining

Cache poisoning์„ ์‰ฝ๊ฒŒ ์‹๋ณ„ํ•˜๊ธฐ ์œ„ํ•ด์„  Param mining๊ณผ ๊ฐ™์ด Header mining์„ํ•˜๋Š” ๊ฒƒ์ด ํšจ๊ณผ์ ์ž…๋‹ˆ๋‹ค. HTTP Header wordlist๋ฅผ ๊ธฐ์ค€์œผ๋กœ ํ•ด๋‹น ์„œ๋ฒ„์—์„œ Response์— ์˜ํ–ฅ์„ ๋ผ์น  ์ˆ˜ ์žˆ๋Š” ํ—ค๋”๋ฅผ ์ฐพ๋Š” ๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค.

GET /?cache_busting=1234 HTTP/1.1
Host: example.com
X-Location: 1234
X-Forwarded-For: 1234
X-Origin: 1234
X-URL-Rewrite: 1234
....

๋Œ€ํ‘œ์ ์œผ๋กœ BurpSuite์˜ Param Minior, ZAP์˜ Fuzzer๋ฅผ ์‚ฌ์šฉํ•˜๊ณ , ์ผ๋ถ€ Param mining์ด ๊ฐ€๋Šฅํ•œ ๋„๊ตฌ๋กœ๋„ ํ…Œ์ŠคํŠธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. wordlist๋Š” ์œ„ SecLists์˜ http-request-header-s-fields-large.txt๋ฅผ ์‚ฌ์šฉํ•˜์‹œ๋ฉด ๋Œ€๋‹ค์ˆ˜ ํ—ค๋”์— ๋Œ€ํ•ด ํ…Œ์ŠคํŠธํ•˜์‹ค ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Cache Busting

Cache busting์€ URL Query ๋“ฑ์— ํŠน์ •ํ•œ ๊ฐ’์„ ์ถ”๊ฐ€ํ•˜์—ฌ ํ•ด๋‹น ๊ฒฝ๋กœ๋กœ ์ง์ ‘ ์ ‘๊ทผํ•œ ์‚ฌ์šฉ์ž๋งŒ ์˜ํ–ฅ๋ฐ›๋„๋ก ํ•  ์ˆ˜ ์žˆ๋Š” ๊ธฐ๋ฒ•์ž…๋‹ˆ๋‹ค. ๋ณดํ†ต Cache Poisoning, HTTP Request Smuggling ๋“ฑ ๊ด‘๋ฒ”์œ„ํ•œ ๋Œ€์ƒ์˜ ์‚ฌ์šฉ์ž์—๊ฒŒ ์˜ํ–ฅ์„ ๋ผ์น  ์ˆ˜ ์žˆ๋Š” ๊ณต๊ฒฉ๋“ค์„ ํ…Œ์ŠคํŠธํ•  ๋•Œ ์ž์ฃผ ์‚ฌ์šฉํ•˜๋Š” ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค.

์ž์„ธํ•œ ๋‚ด์šฉ์€ ์•„๋ž˜ ๊ธ€์„ ์ฐธ๊ณ ํ•ด์ฃผ์„ธ์š”.

https://www.hahwul.com/2021/08/28/cache-busting/

Exploitation

์บ์‹œ๋ฅผ ํ†ตํ•ด HTTP Response ํ—ค๋”์— ์˜ํ–ฅ์„ ๋ผ์น  ์ˆ˜ ์žˆ๋‹ค๋ฉด ์ด๋ฅผ ํ†ตํ•ด ๊ฐ€๋Šฅํ•œ ๋ชจ๋“  ๊ณต๊ฒฉ์ด Exploit์˜ ํฌ์ธํŠธ๊ฐ€ ๋ฉ๋‹ˆ๋‹ค. ์ƒํ™ฉ์— ๋”ฐ๋ผ ๋„ˆ๋ฌด ๋งŽ์€ ๊ฒฝ์šฐ์˜ ์ˆ˜๊ฐ€ ์žˆ์ง€๋งŒ ๋Œ€์ฒด์ ์œผ๋กœ Client-Side์—์„œ ๋ฐœ์ƒํ•  ์ˆ˜ ์žˆ๋Š” ๋ชจ๋“  ์ด์Šˆ์™€ ์—ฐ๊ด€์ด ์žˆ์Šต๋‹ˆ๋‹ค.

  • XSS
  • DOS
  • CSRF (bypass protection)
  • Open Redirect
  • Smuggling
  • Etcโ€ฆ

More technic

PortSwigger์˜ ๊ธ€์—์„œ ์ž˜ ์ •๋ฆฌ๋˜์–ด ์žˆ์Šต๋‹ˆ๋‹ค. ์•„๋ž˜ ๋ฌธ์„œ๋ฅผ ์ฐธ๊ณ ํ•ด์ฃผ์„ธ์š”.

๐Ÿ›ก Defensive techniques

Disable Cache

์บ์‹œ๊ฐ€ ํ•„์š”ํ•˜์ง€ ์•Š์€ ์„œ๋ฒ„์—์„  ์บ์‹œ๋ฅผ ๊บผ๋‘๋Š” ๊ฒƒ์ด ๊ฐ€์žฅ ์ข‹์Šต๋‹ˆ๋‹ค. (๋ฆฌ์†Œ์Šค ์บ์‹œ ๋“ฑ์€ CDN์—์„œ ์ฒ˜๋ฆฌ)

Protect unkeyed inputs

unkeyed inputs์€ ์ด ๊ณต๊ฒฉ์˜ ํ•ต์‹ฌ์ด ๋˜๋Š” ์˜ค๋ธŒ์ ํŠธ ์ค‘ ํ•˜๋‚˜์ž…๋‹ˆ๋‹ค. Cache๊ฐ€ ๊ฐ€๋Šฅํ•œ ์„œ๋ฒ„์—์„  ์‚ฌ์šฉ์„ฑ์— ์ง์ ‘์ ์ธ ์˜ํ–ฅ์„ ๋ผ์น  ์ˆ˜ ์žˆ๋Š” Header๋“ฑ์˜ unkeyed inputs๋Š” ๊ณต๊ฒฉ์ž๊ฐ€ ์ž„์˜๋กœ ์บ์‹œํ•˜์ง€ ๋ชปํ•˜๋„๋กœ๊ณ  ์ œํ•œํ•˜๋Š” ๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค.

Using Vary Header

Vary ํ—ค๋”๋Š” PC์›น ํ™˜๊ฒฝ๊ณผ ๋ชจ๋ฐ”์ผ ์›น ํ™˜๊ฒฝ ๊ตฌ๋ณ„์„ ์œ„ํ•ด ๋งŽ์ด ์‚ฌ์šฉํ•˜๋Š” ํ—ค๋”์ž…๋‹ˆ๋‹ค. ์ด๋ฅผ ํ†ตํ•ด Cache Poisoning์ด ๋ฐœ์ƒํ•˜๋”๋ผ๋„, ์—ฌ๋Ÿฌ ์‚ฌ์šฉ์ž๊ฐ€ ์˜ํ–ฅ๋ฐ›์ง€ ์•Š๋„๋ก ์™„ํ™”ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Vary: User-Agent

์œ„ ์ผ€์ด์Šค์—์„  ๋™์ผ UA๊ฐ€ ์•„๋‹ˆ๋ฉด ์˜ํ–ฅ๋ฐ›์ง€ ์•Š๊ฒŒ ๋˜๊ฒ ๋„ค์š”.

๐Ÿ•น Tools

๐Ÿ“š Articles

๐Ÿ“Œ References