Gil, an information security team leader at EY Advanced Security Center, will present research at Black Hat tomorrow that shows how adversaries can abuse web caching services to expose sensitive information belonging to authenticated users and even take control of their accounts.
Gil said many of the companies that use web caching services are vulnerable to these types of attacks. In February, he notified PayPal it was vulnerable to such an attack that allowed him to access a PayPal account holder’s first and last name, last four digits of their credit card, email address, phone number and even their passport number.
For his work with PayPal, Gil earned a $3,000 bug bounty. A more in-depth and up-to-date explanation of his research will be presented Wednesday, but his initial research is already posted online.
The attack is carried out with a crafted URL that appends a non-existent static-looking file name to a dynamic, user-specific page. The attacker's goal is to trigger the caching of content that the CDN would normally not cache.
Akamai explains the attack in a blog post response to EY Advanced Security Center’s research:
“For example, assume that URL www.example.com/personal.php refers to content containing sensitive data that should not be cached. The attacker tricks the target user into making a request to www.example.com/personal.php/bar.css causing the server to respond with www.example.com/personal.php containing sensitive information specific to the victim due to the victim’s cookies being present in the request. However, the proxy interprets the request to www.example.com/personal.php/bar.css as being a request for a non-existent, cacheable ‘bar.css’ file, which in turn causes the content of ‘/personal.php’ to be stored in the cache and accessible by others.”
Gil said the attack is not limited to the JS and CSS extensions. In all, more than 40 static file extensions can be used in a web cache deception attack, such as: aif, aiff, au, avi, bin, bmp, cab, carb, cct, cdf, class, css, doc, dcr, dtd, gcf, gff, gif, grv, hdml, hqx, ico, ini, jpeg, jpg, js, mov, mp3, nc, pct, ppc, pws, swa, swf, txt, vbs, w32, wav, wbmp, wml, wmlc, wmls, wmlsc, xsd and zip.
Once the victim visits that URL, the personalized page generated for the victim is stored in the cache under the crafted URL. All the attacker then needs to do is request the same URL, without any credentials, to retrieve the cached copy and potentially access the victim's personal and financial information.
“I’ve measured the time taken for the cached files to expire,” Gil wrote. “It seems that after being accessed once (for the first time), a file is cached for 5 hours. If it’s accessed again during that time, the expiration time is extended. It’s clear that this time period is more than enough for an attacker to ‘catch’ the cached file on time before it expires, and by constantly monitoring this URL he can expose it as it’s created.”
Making matters worse, if the cached response contains CSRF tokens, session IDs, or security answers, an attacker could gain complete control of the targeted account, he said.
Both Akamai and Cloudflare have responded to Gil’s research. Both acknowledge there is no silver bullet: the CDN alone cannot prevent this type of attack, so websites that use a CDN have to anticipate it and mitigate it on their own side, in how the web server resolves paths and which responses it marks as cacheable.
“The best way to defend against this attack is to ensure that your website isn’t so permissive, and never treats requests to nonexistent paths (say, /x/y/z) as equivalent to requests to valid parent paths (say, /x),” wrote Cloudflare in a blog post responding to Gil’s initial research.
Gil also suggested mitigations such as configuring the web server so that a URL like http://www.example.com/home.php/non-existent.css does not return the content of “home.php”. Instead, the server should respond with a 404 or 302 response for such a URL.
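To make the mechanics concrete, the following is an added example written for this article; it is not code from Gil, Akamai or Cloudflare. It simulates the scenario in Akamai's description (a victim lured to www.example.com/personal.php/bar.css while logged in) against a proxy that decides cacheability by file extension alone, then repeats it against an origin hardened as Gil and Cloudflare suggest (404 for any path with trailing junk). The session store, the 5-hour TTL, the extension list and the paths are constructed for the demonstration; the origin functions, the `ExtensionCache` class and `run_attack` are hypothetical names, not any real CDN's API.

```python
# Added example (not Gil's, Akamai's or Cloudflare's code): a minimal
# simulation of web cache deception.  The session store, paths and
# cache rules below are constructed for the demonstration.
import time
from dataclasses import dataclass, field

# A subset of the static extensions listed in the article; a real CDN
# rule set is configuration-specific.
STATIC_EXTENSIONS = {"css", "js", "jpg", "gif", "txt", "zip"}

# Constructed session store: cookie value -> data the page would render.
SESSIONS = {"sess-victim": {"name": "Alice Example", "card_last4": "4242"}}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def permissive_origin(path, cookies):
    """Vulnerable origin.  Like a PATH_INFO-style setup, it serves
    /personal.php for any path that merely starts with /personal.php/."""
    if path == "/personal.php" or path.startswith("/personal.php/"):
        session = SESSIONS.get(cookies.get("session"))
        if session is None:
            return Response(302, "", {"Location": "/login"})
        body = f"Name: {session['name']}; card ending {session['card_last4']}"
        # Marked private, but the cache below never looks at this header.
        return Response(200, body, {"Cache-Control": "private, no-store"})
    return Response(404, "not found")


def strict_origin(path, cookies):
    """Hardened origin: only the exact script path is served; a request
    for /personal.php/anything gets a 404, as the mitigation suggests."""
    if path == "/personal.php":
        return permissive_origin(path, cookies)
    return Response(404, "not found")


class ExtensionCache:
    """Caching proxy that decides cacheability by URL extension alone and
    ignores cookies and Cache-Control, the behaviour the article describes."""

    def __init__(self, origin, ttl=5 * 3600):
        self.origin = origin
        self.ttl = ttl          # 5 hours, matching Gil's measurement
        self.store = {}         # path -> (Response, expiry timestamp)

    @staticmethod
    def is_cacheable(path):
        last = path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
        return ext in STATIC_EXTENSIONS

    def get(self, path, cookies=None, now=None):
        cookies = cookies or {}
        now = time.time() if now is None else now
        if self.is_cacheable(path):
            hit = self.store.get(path)
            if hit is not None and hit[1] > now:
                # Each hit extends the expiry, as Gil observed.
                self.store[path] = (hit[0], now + self.ttl)
                return hit[0], "HIT"
        resp = self.origin(path, cookies)
        if self.is_cacheable(path) and resp.status == 200:
            self.store[path] = (resp, now + self.ttl)
        return resp, "MISS"


def run_attack(origin, delay=60):
    """Victim (with session cookie) is lured to the bait URL; the attacker
    (no cookie) fetches the same URL `delay` seconds later.  Returns
    (victim status, attacker status, attacker body, cache state)."""
    cache = ExtensionCache(origin)
    bait = "/personal.php/bar.css"
    victim, _ = cache.get(bait, {"session": "sess-victim"}, now=0)
    attacker, state = cache.get(bait, {}, now=delay)
    return victim.status, attacker.status, attacker.body, state


if __name__ == "__main__":
    print("permissive origin:", run_attack(permissive_origin))
    print("strict origin:    ", run_attack(strict_origin))
    print("after TTL expiry: ", run_attack(permissive_origin, delay=5 * 3600 + 1))
```

Against the permissive origin the attacker's cookieless request is served the victim's page straight from the cache; against the strict origin the bait URL is a 404 for both parties, so nothing sensitive is ever stored. The third run shows the other half of Gil's observation: once the entry expires, the attacker's request falls through to the origin and gets the login redirect instead. The same two-request probe (fetch the bait URL with a session, then without, and diff the bodies) is how a practitioner would test a real site for this behaviour.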
At Black Hat, Gil will describe which technologies can meet the attack conditions, to show how common this type of vulnerability can be. He said CDNs such as Akamai and Cloudflare are only some of the examples: load balancers and reverse proxies such as IIS ARR and NGINX can be equally vulnerable, as can web frameworks such as PHP, Django and ASP.NET.