Gotta Cache 'em All
Bending the rules of web cache exploitation

Martin Doyhenard, PortSwigger Research

Agenda
1. Web Caches
2. Cache Rule Exploitation
3. Cache Key Exploitation
4. Cache-What-Where (DEMO)
5. Defences
6. Takeaways

Web Caches

(Slide diagram: client -> Cache Proxy -> Origin Server. The cache proxy stores entries as Key -> Response. Example request: GET /styles.css. The first request for /styles.css is forwarded to the origin server; the returned "Styles Resp" is stored under the key derived from the request and served directly on later requests with the same key.)

Web Cache Keys

The key identifies which request elements are used for comparison. Two requests that differ only in non-keyed elements map to the same cache entry:

    GET /styles.css              GET /styles.css
    Host:                        Host:
    Cookie: sid=a123             Cookie: sid=b456
    User-Agent: Chrome           User-Agent: Safari

    Key() -> /styles.css   (both requests; Cookie and User-Agent are not part of the key)

Request processing in the cache proxy:
1) Map endpoint with path pattern
2) Cache rules are evaluated
3) Ca

Web Cache Rules

Rules() evaluate whether a response should be cached.

Response based:
- Cache-Control (public/private, max-age, no-cache)

Request based:
- Static extensions (path ending with a static extension, e.g. .css)
- Static directories (path starting with a static directory, e.g. /static/)
- Static file names (path with a specific file name, e.g. /robots.txt)

(Slide: CloudFlare Static Extensions - the list of extensions shown on the slide is not reproduced here.)

Example flow for GET /styles.css: the path pattern is mapped, the static-extension rule matches, the key is computed as /styles.css and the "Styles Resp" is stored under that key.
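The key derivation and rule evaluation described above, as an added worked example that is not part of the original slides or of any vendor's proxy code. It is a simplified model (an assumption, not CloudFlare's actual logic): the key is built from Host and path only, so Cookie and User-Agent differences collapse onto one entry; response-based directives no-store/private veto caching, after which request-based static rules are tried in the order file name, directory, extension. The origin server, the header values and the rule lists are constructed for the example.

```python
"""Simplified model of a caching reverse proxy: cache key derivation and
cache-rule evaluation.  Added example; the behaviour modelled here is an
assumption for illustration, not the code of any real cache product."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


# Constructed rule lists for the example (a real proxy ships much longer ones).
STATIC_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".ico", ".woff2"}
STATIC_DIRECTORIES = ("/static/", "/assets/")
STATIC_FILE_NAMES = {"/robots.txt", "/favicon.ico"}


def cache_key(req: Request) -> str:
    """Only the method, Host and path take part in the comparison.
    Cookie and User-Agent are deliberately not part of the key, exactly
    as on the slide: sid=a123/Chrome and sid=b456/Safari share one entry."""
    return f"{req.method} {req.headers.get('Host', '')}{req.path}"


def cache_control_directives(resp: Response) -> set:
    """Parse 'private, max-age=0' into {'private', 'max-age'}."""
    raw = resp.headers.get("Cache-Control", "")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}


def request_rule(req: Request) -> Optional[str]:
    """Request-based rules: return the name of the first matching rule, or None."""
    path = req.path.split("?", 1)[0]          # rules look at the path, not the query
    if path in STATIC_FILE_NAMES:
        return "static-file-name"
    if any(path.startswith(d) for d in STATIC_DIRECTORIES):
        return "static-directory"
    last_segment = path.rsplit("/", 1)[-1]
    ext = last_segment[last_segment.rfind("."):] if "." in last_segment else ""
    if ext.lower() in STATIC_EXTENSIONS:
        return "static-extension"
    return None


def should_cache(req: Request, resp: Response) -> Tuple[bool, str]:
    """Combine response-based and request-based rules (model precedence)."""
    if req.method != "GET":
        return False, "non-GET"
    directives = cache_control_directives(resp)
    if directives & {"no-store", "private"}:  # response-based veto
        return False, "cache-control"
    rule = request_rule(req)                  # request-based: static path rules
    if rule is not None:
        return True, rule
    if "public" in directives or "max-age" in directives:
        return True, "cache-control"
    return False, "no-rule"


class CacheProxy:
    def __init__(self, origin: Callable[[Request], Response]) -> None:
        self.origin = origin
        self.store: Dict[str, Response] = {}

    def handle(self, req: Request) -> Tuple[Response, str]:
        key = cache_key(req)
        if key in self.store:
            return self.store[key], "HIT"
        resp = self.origin(req)
        cacheable, _ = should_cache(req, resp)
        if cacheable:
            self.store[key] = resp
        return resp, "MISS"


def constructed_origin(req: Request) -> Response:
    """Constructed origin server: a shared stylesheet and a per-user page."""
    if req.path == "/styles.css":
        return Response(200, "body{margin:0}")           # no Cache-Control at all
    if req.path == "/account":
        return Response(200, f"account of {req.headers.get('Cookie', '')}",
                        {"Cache-Control": "private, max-age=0"})
    return Response(404, "not found")


def demo() -> Dict[str, List[str]]:
    """Two users hit the same proxy; returns HIT/MISS per path in request order."""
    proxy = CacheProxy(constructed_origin)
    alice = {"Host": "example.com", "Cookie": "sid=a123", "User-Agent": "Chrome"}
    bob = {"Host": "example.com", "Cookie": "sid=b456", "User-Agent": "Safari"}
    results: Dict[str, List[str]] = {}
    for path in ("/styles.css", "/account"):
        for hdrs in (alice, bob):
            _, status = proxy.handle(Request("GET", path, dict(hdrs)))
            results.setdefault(path, []).append(status)
    return results


if __name__ == "__main__":
    print(demo())   # /styles.css is cached by the static-extension rule; /account is not
```

Running demo() shows the two properties the slides introduce: the stylesheet is a MISS for the first user and a HIT for the second even though their Cookie and User-Agent differ (same key), and /account stays a MISS for both because the response-based rule (Cache-Control: private) vetoes caching before any request-based rule is consulted.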