Gotta Cache Em All: Bending the Rules of Web Cache Exploitation
Unknown
Black Hat USA 2024 · Day 1 · Briefing
This talk, "Gotta Cache 'em all: Bending the Rules of Web Cache Exploitation," presented at Black Hat USA, delves into the critical security implications arising from discrepancies in how web cache proxies and origin servers parse URLs. The speaker highlights how these subtle differences can be leveraged by attackers to achieve significant vulnerabilities, ranging from the theft of sensitive user information through web cache deception to arbitrary web cache poisoning and ultimately, full website defacement. The core premise revolves around exploiting the "static extension rule" commonly employed by Content Delivery Networks (CDNs) and other caching mechanisms, combined with an origin server's unique URL handling, particularly its interpretation of path parameters.