Web Cache Entanglement - Novel Pathways to Poisoning

Explore the intricacies of web cache vulnerabilities and exploitation techniques in this Black Hat conference talk. Delve into the often-overlooked world of caches and their critical role in web infrastructure. Learn how to remotely probe cache systems, identify subtle inconsistencies, and leverage these findings to construct sophisticated exploit chains. Gain insights into novel pathways for cache poisoning, including techniques like cache parameter cloaking, dynamic resource gadgets, and cache key injection. Discover methodologies for detecting unkeyed queries and their potential effects on security. Examine real-world examples involving major platforms like Akamai, Cloudflare, and Ruby on Rails. Understand the concepts of application cache poisoning and blind internal cache poisoning, with case studies from Adobe and the Department of Defense. Acquire practical knowledge on recognizing internal cache poisoning and using tools like Param Miner for further exploration.

Intro
Unanswered questions in cache poisoning
Outline
Recap: cache poisoning concept
Recap: Practical Web Cache Poisoning (2018) Keyed GET /research?x=1 HTTP/1.1
Methodology
Unkeyed port
Unkeyed query detection
Unkeyed query effect Hides obvious XSS from pentesters & bug bounty hunters
Redirect Dos gadget
Cache parameter cloaking: Akamai?
Parameter cloaking: Rack::Cache?
Parameter cloaking: Ruby on Rails
Dynamic resource gadget
Unkeyed method
Local redirect gadget
Cache key normalisation
Normalisation gadgets - XSS
Cache key injection - Akamai
Cache key injection - Cloudflare? Select Prote Cloudflare documentation
Application Cache Poisoning - Adobe
Blind Internal Cache Poisoning - DoD
Recognising internal cache poisoning
Param Miner
Further Reading