
Researcher Detects 70 Web Cache Poisoning Vulnerabilities, Gets $40k in bug bounty rewards


Although it is a well-known and well-documented class of vulnerability, web cache poisoning remains a live concern on the internet.

Security researcher Iustin Ladunca (Youstin) recently uncovered 70 cache poisoning vulnerabilities of varying impact after a broad investigation of websites, including some high-traffic online services.

Web cache poisoning targets the intermediate storage points between web servers and client devices, such as CDN points of presence, reverse proxies, and load balancers. These intermediaries speed up websites by keeping local copies of responses and serving them to clients without contacting the origin. A poisoning attack tricks the cache into storing a response the attacker has influenced, so that the cache then serves it to every subsequent client that requests the same URL.

Ladunca told The Daily Swig, “I started researching web cache poisoning back in November 2020, shortly after reading James Kettle’s extensive research on the topic. Only a few weeks in, I discovered two novel cache poisoning vulnerabilities, which made me realize just how wide the attack surface for cache poisoning is.”

In a blog post, Ladunca outlined how he identified and disclosed the web cache vulnerabilities, which affected targets including Apache Traffic Server, GitHub, GitLab, HackerOne, and Cloudflare, among others.

“A common pattern was caching servers configured to only cache static files, meaning attacks were limited to static files only,” Ladunca stated.

“Even so, there still was a significant impact, since modern websites rely heavily on JS [JavaScript] and CSS [cascading style sheets] and taking those files down would really affect application availability.”

Several of the vulnerabilities enabled denial of service (DoS). A cache decides which stored response to return by a cache key, normally the host, path and query string plus a small number of headers; any header outside that key is "unkeyed", yet it is still forwarded to the origin and can change the origin's response. By sending malformed values in unkeyed headers, Ladunca could make the origin return an error response that the cache then stored and served, in place of the original content, to every client requesting the same URL, making the target URLs unreachable.

“In terms of techniques used, by far the most common one was CP-DoS through unkeyed headers, which probably accounted for 80% of [the] total findings,” Ladunca said. 

Other cache poisoning flaws could be chained into cross-site scripting (XSS). One vulnerability, for example, could cause the cache server to fetch JavaScript files from an attacker-controlled IP address. In another case, Ladunca was able to reroute a cached request from one host to another host that was vulnerable to DOM-based XSS.

For the 70 web cache vulnerabilities he uncovered, Ladunca received bug bounties totalling roughly $40,000. Along the way he also drew some practical lessons about hardening web cache servers.

“I would say a good way to secure CDNs from cache poisoning attacks would be disabling caching for error status codes, a mitigation which should stop a large part of CP-DoS attacks,” he said. 

The researcher also suggested using PortSwigger's Param Miner, an open-source Burp Suite extension for finding hidden, unlinked parameters and headers. Run against a web application, Param Miner can surface unkeyed headers that change the response and so can be used for web cache poisoning.
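The mechanism in the passages above (CP-DoS through an unkeyed header, the recommended mitigation of not caching error status codes, and probing for unkeyed headers the way a Param Miner-style scan does), as an added simulation that is not code from the article, from Ladunca's write-up or from PortSwigger. The origin behaviour, the cache key (Host plus request target) and the choice of X-Forwarded-Host as the unkeyed trigger header are assumptions made for the demo.

```python
"""Simulation of cache poisoning denial of service (CP-DoS) through an
unkeyed header, the "do not cache errors" mitigation, and a scan that
finds such headers without poisoning the live URL.

Constructed example, not code from the article or from Ladunca's research.
The origin behaviour, the cache key (Host plus the request target) and
X-Forwarded-Host being unkeyed are all assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Headers = Dict[str, str]


@dataclass
class Response:
    status: int
    body: str


def origin(target: str, headers: Headers) -> Response:
    """Assumed origin server. It rejects an oversized X-Forwarded-Host with
    a 400, the kind of header-triggered error that CP-DoS relies on."""
    if len(headers.get("x-forwarded-host", "")) > 64:
        return Response(400, "Bad Request: invalid X-Forwarded-Host")
    if target.split("?", 1)[0].endswith(".js"):
        return Response(200, "console.log('app loaded');")
    return Response(404, "Not Found")


@dataclass
class Cache:
    """Caching proxy keyed on (Host, request target). Every other header is
    unkeyed: forwarded to the origin but ignored for lookups. With
    cache_errors=True it stores any response; with False it refuses to
    store 4xx/5xx, which is the mitigation the researcher recommends."""
    cache_errors: bool = True
    store: Dict[Tuple[str, str], Response] = field(default_factory=dict)

    def get(self, target: str, headers: Headers) -> Tuple[Response, str]:
        headers = {k.lower(): v for k, v in headers.items()}
        key = (headers.get("host", ""), target)
        if key in self.store:
            return self.store[key], "HIT"
        resp = origin(target, headers)
        if resp.status < 400 or self.cache_errors:
            self.store[key] = resp
        return resp, "MISS"


def poison_and_replay(cache: Cache, target: str = "/static/app.js") -> Tuple[int, str]:
    """Attacker sends one request with a malformed unkeyed header, then an
    ordinary user requests the same URL. Returns (status, HIT/MISS) the user sees."""
    cache.get(target, {"Host": "victim.example", "X-Forwarded-Host": "A" * 100})
    user_resp, state = cache.get(target, {"Host": "victim.example"})
    return user_resp.status, state


def find_unkeyed_error_headers(cache: Cache, target: str,
                               candidates: List[str], payload: str = "A" * 100) -> List[str]:
    """Probe candidate headers the way a cache poisoning scan does: each probe
    carries its own cache-buster query string so the live URL is never poisoned.
    A header is reported when its malformed value changes the status AND a clean
    follow-up request with the same buster gets that changed status from cache."""
    found = []
    for i, name in enumerate(candidates):
        base = {"Host": "victim.example"}
        baseline, _ = cache.get(f"{target}?cb=base{i}", base)
        probe_url = f"{target}?cb=probe{i}"
        probed, _ = cache.get(probe_url, {**base, name: payload})
        if probed.status == baseline.status:
            continue
        replay, state = cache.get(probe_url, base)
        if state == "HIT" and replay.status == probed.status:
            found.append(name)
    return found


if __name__ == "__main__":
    print("unmitigated:", poison_and_replay(Cache(cache_errors=True)))   # (400, 'HIT')
    print("mitigated:  ", poison_and_replay(Cache(cache_errors=False)))  # (200, 'MISS')
    print("unkeyed headers causing cached errors:",
          find_unkeyed_error_headers(Cache(), "/static/app.js",
                                     ["X-Forwarded-Host", "X-Original-URL", "Accept-Language"]))
```

The scan deliberately never requests the bare target: a probe that lands a 400 in the cache under the real URL would itself be the DoS. Note that refusing to cache errors stops the CP-DoS variant only; a header that makes the origin emit a 200 with attacker-influenced content (the XSS cases above) still needs the header to be keyed or stripped.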

Security Researcher Discovers Serious Flaw in Chromium, Bags $15,000 Reward


A recently patched vulnerability in the Chromium project let malicious parties inject code into embedded (framed) pages, even though those resources were supposed to be isolated from the parent website.

Chromium is the open-source browser project behind Google Chrome, which aims to make the web safer, faster, and more stable for everyone. The project site provides design documents, architecture overviews, and testing information to help developers build and work with the Chromium source code.

The security researcher who discovered the vulnerability presented a proof of concept in which an attacker-controlled website abuses the flaw to manipulate the contents of an embedded website, even though the two pages are served from different origins.

As described in a recent post on the Chromium website, the vulnerability could be exploited even with the browser's "site isolation" feature turned on. Site isolation is a security feature that renders each site in its own process, so that a compromised or buggy renderer process cannot read or alter data belonging to another site.

According to the researcher, the inter-process communication between the isolated processes contained a race condition. A race condition is a flaw rather than an attack in itself: it arises when a task is carried out in several steps and a value checked in one step can be changed by another party before it is used in a later step. If the system is exposed for even a brief window between those steps, an attacker who wins the race can make it act on data that was never validated. Among other outcomes, this flaw could allow intruders to insert malicious code into embedded sites or steal personal information from users.

The vulnerability was discovered in late March and fixed before the end of April. The security researcher received $15,000 from Google's Vulnerability Rewards Program for the finding. The issue was described as a “site isolation break because of double fetch of shared buffer”.
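The bug class named in that one-line description, a double fetch from a shared buffer, as an added illustration that is not the Chromium code or the reporter's proof of concept (the page gives no further detail of the actual bug, so nothing here reproduces it). The message layout (a 4-byte little-endian length followed by up to 64 payload bytes) and the peer hook that stands in for the other process are assumptions for the demo.

```python
"""Model of the double-fetch bug class: a length read from memory shared with
an untrusted party is checked, then read again when used, and the other side
rewrites it in between.

Constructed illustration of the class, not the Chromium code or the
reporter's proof of concept. The message layout (4-byte little-endian length
followed by up to 64 payload bytes) and the peer hook are assumptions.
"""
import struct
from typing import Callable, Optional

MSG_MAX = 16                      # largest payload the consumer is willing to copy
PAYLOAD_CAP = 64                  # size of the shared buffer's payload region
Peer = Optional[Callable[[bytearray], None]]


def pack_msg(payload: bytes) -> bytearray:
    """Build a shared buffer laid out as the peer would write it."""
    buf = bytearray(4 + PAYLOAD_CAP)
    struct.pack_into("<I", buf, 0, len(payload))
    buf[4:4 + len(payload)] = payload
    return buf


def read_len(buf) -> int:
    return struct.unpack_from("<I", buf, 0)[0]


def peer_enlarge(shared: bytearray) -> None:
    """The untrusted peer winning the race: after the consumer's check it
    rewrites the length field to cover the whole payload region."""
    struct.pack_into("<I", shared, 0, PAYLOAD_CAP)


def consume_double_fetch(shared: bytearray, peer: Peer = None) -> Optional[bytes]:
    """Vulnerable: the length is fetched once for the check and again for the use."""
    if read_len(shared) > MSG_MAX:          # fetch 1: validate
        return None
    if peer:                                # race window: peer writes to shared memory
        peer(shared)
    n = read_len(shared)                    # fetch 2: use, never validated
    return bytes(shared[4:4 + n])           # in C this would overrun a MSG_MAX-sized buffer


def consume_snapshot(shared: bytearray, peer: Peer = None) -> Optional[bytes]:
    """Fixed: copy the message out of shared memory once, then validate and
    use only the private copy, so later peer writes cannot be observed."""
    private = bytes(shared)
    n = read_len(private)
    if n > MSG_MAX:
        return None
    if peer:
        peer(shared)                        # too late: shared memory is no longer read
    return private[4:4 + n]


if __name__ == "__main__":
    print(len(consume_double_fetch(pack_msg(b"hello"), peer_enlarge)))   # 64, past the 16-byte check
    print(consume_snapshot(pack_msg(b"hello"), peer_enlarge))            # b'hello'
```

The snapshot-then-validate pattern is the standard fix for this class: every field that influences a size, index or branch must be read exactly once from shared memory into private memory before it is checked, and only the private copy is used afterwards.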

“We always appreciate working with the research community through our Vulnerability Rewards Program, and thanks to this report we were able to patch the issue in Chrome 90,” a Google spokesperson told The Daily Swig.