Researcher Omer Gil has devised a way to trick a web server into caching pages and exposing personal data.
The so-called web caching attack targets sites that use content delivery network (CDN) services such as Akamai and Cloudflare. These services act as traffic load balancers and reverse proxies, and store files that are frequently retrieved in order to reduce latency from a web server.
Gil, an information security team leader at EY Advanced Security Center, will present research tomorrow at Black Hat, that shows how adversaries can abuse these services and expose sensitive information of authenticated users and even take control of their accounts.
Gil said many of the companies that use web caching services are vulnerable to these types of attacks. In February, he notified PayPal it was vulnerable to such an attack that allowed him to access a PayPal account holder’s first and last name, last four digits of their credit card, email address, phone number and even their passport number.
For his work with PayPal, Gil earned a $3,000 bug bounty. A more in-depth and up-to-date explanation of his research will be presented Wednesday, but his is initial research is posted online.
The attack is carried out with a malformed URL, through which the attacker attempts to trigger the caching of content that the CDN would typically not allow to be cached.
Akamai explains the attack in a blog post response to EY Advanced Security Center’s research:
“For example, assume that URL www.example.com/personal.php refers to content containing sensitive data that should not be cached. The attacker tricks the target user into making a request to www.example.com/personal.php/bar.css causing the server to respond with www.example.com/personal.php containing sensitive information specific to the victim due to the victim’s cookies being present in the request. However, the proxy interprets the request to www.example.com/personal.php/bar.css as being a request for a non-existent, cacheable ‘bar.css’ file, which in turn causes the content of ‘/personal.php’ to be stored in the cache and accessible by others.”
Gil said the attack is not limited extensions JS and CSS files. In all, more that 40 various static file extensions can be used in a web caching attack such as: aif, aiff, au, avi, bin, bmp, cab, carb, cct, cdf, class, css, doc, dcr, dtd, gcf, gff, gif, grv, hdml, hqx, ico, ini, jpeg, jpg, js, mov, mp3, nc, pct, ppc, pws, swa, swf, txt, vbs, w32, wav, wbmp, wml, wmlc, wmls, wmlsc, xsd and zip.
Now data input on that specific URL would be cached. Then all the attacker needs to do is revisit the URL and potentially access the victim’s personal and financial information