Web Cache Deception leads to Cache Poisoning

Web cache poisoning is an attack that allows an attacker to trick a web cache into storing malicious content (such as malicious JavaScript). This content is then served to all the unsuspecting users that request the poisoned URL ¹.

Web Cache Deception (WCD), on the other hand, is a vulnerability that allows an attacker to steal sensitive information of a targeted victim by tricking the web cache into storing it, rendering it publicly available. To do this, an attacker crafts a URL that ends with a static file extension (e.g., .css) and induces a victim into visiting it using social engineering. When the victim follows the URL, the web cache that handles the request will store the response thinking that it is a static file. The attacker can then access the cached response and steal the sensitive information that the victim provided (more details can be found in ²).

Reflected vulnerabilities and self attacks are usually considered less severe than stored ones, especially the latter. However, as we will see in this post, Web Cache Deception can be used to turn reflected vulnerabilities and self attacks into stored ones, thus increasing their severity.

While investigating the findings of our large-scale analysis for ³, I discovered that an extremely popular American payment processor vulnerable to Web Cache Deception was also vulnerable to an otherwise harmless self-XSS through the X-Forwarded-Host request header. The value of this header was included in the response body without proper sanitisation as follows: <link rel="canonical" href="https://<HEADER'S VALUE HERE>">.

A payload that could be used to exploit this vulnerability is the following:

website.com/it/en/home.html" /><img src="" onerror="alert(document.body.baseURI)"><link href="

This vulnerability would not have been considered severe if it was not for the fact that the website was also vulnerable to Web Cache Deception. Indeed, by poisoning a URL which included a WCD payload with the aforementioned self-XSS payload, an attacker could achieve a stored XSS attack. Every page of the website was vulnerable to this attack. On some pages, this attack worked even without the WCD payload, as the pages were already cached by default, making this attack even more severe.

I reported this vulnerability to the website operators through their Bugcrowd bug-bounty program and received a duplicate for the self-XSS vulnerability that had been already reported by another researcher (🫥). However, even more disappointingly, they downgraded the severity of my report to P4, and Bugcrowd only awards points for duplicates for P1 and P2 vulnerabilities, and stopped answering when I challenged their statement that this is a low-severity vulnerability.

Anyway, this is just one example of how Web Cache Deception can be used to increase the severity of reflected vulnerabilities and self attacks turning them into stored attacks, and I am sure that there are many more examples in the wild.

References