Practical Web Cache Poisoning - Redefining 'Unexploitable'
Offered By: Black Hat via YouTube
Course Description
Overview
Explore advanced web security techniques in this 44-minute Black Hat conference talk on practical web cache poisoning. Delve into the vulnerabilities of modern web applications, learning how to exploit caches and content delivery networks. Discover methods for compromising websites by transforming their caches into exploit delivery systems. Follow along as James Kettle demonstrates techniques like unkeyed input detection, DOM poisoning, and cross-cloud poisoning. Gain insights into the caching threat landscape, cache key collisions, and selective poisoning strategies. Understand the implications of trusting headers and chaining unkeyed inputs. Learn about resource hijacking, Open Graph hijacking, and the potential for external and internal cache poisoning. Examine real-world examples, including a Drupal open redirect vulnerability. Conclude with essential takeaways and defensive strategies to protect against these sophisticated attacks.
Syllabus
Intro
Param Miner
Outline
Caching Threat Landscape
Cache poisoning objective
Cache keys
Cache key collisions
Cache Poisoning Methodology
Trusting headers
Unkeyed input detection
Explore and Inject
Seizing the Cache
Selective poisoning
DOM Poisoning
Mystery Interaction
Mozilla SHIELD
Chaining Unkeyed Inputs
Hidden Route Poisoning
Resource Hijacking
hackxor
Open Graph hijacking
Cross-Cloud Poisoning: Cloudflare
Beyond fake hosts
External cache poison (1/3)
Internal cache poison (2/3)
Drupal Open redirect (3/3)
Combining ingredients
Defense
Takeaways
Taught by
Black Hat
Related Courses
Attack on Titan M, Reloaded - Vulnerability Research on a Modern Security Chip
Black Hat via YouTube
Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat via YouTube
AAD Joined Machines - The New Lateral Movement
Black Hat via YouTube
Better Privacy Through Offense - How to Build a Privacy Red Team
Black Hat via YouTube
Whip the Whisperer - Simulating Side Channel Leakage
Black Hat via YouTube