Lab: Exploiting path delimiters for web cache deception

PRACTITIONER

To solve the lab, find the API key for the user carlos. You can log in to your own account using the following credentials: wiener:peter.

We have provided a list of possible delimiter characters to help you solve the lab: Web cache deception lab delimiter list.

Required knowledge

To solve this lab, you'll need to know:

  • How to identify discrepancies in how the cache and origin server interpret characters as delimiters.
  • How delimiter discrepancies can be used to exploit a static directory cache rule.

These points are covered in our Web cache deception Academy topic.

Solution

Identify a target endpoint

  1. In Burp's browser, log in to the application using the credentials wiener:peter.

  2. Notice that the response contains your API key.

Identify path delimiters used by the origin server

  1. In Proxy > HTTP history, right-click the GET /my-account request and select Send to Repeater.

  2. Go to the Repeater tab. Add an arbitrary segment to the path. For example, change the path to /my-account/abc.

  3. Send the request. Notice the 404 Not Found response with no evidence of caching. This indicates that the origin server doesn't map /my-account/abc back to /my-account, so appending a path segment won't work here.

  4. Remove the arbitrary segment and add an arbitrary string to the original path. For example, change the path to /my-accountabc.

  5. Send the request. Notice the 404 Not Found response with no evidence that the response was cached. You'll use this response as a reference to help you identify characters that aren't used as delimiters.

  6. Right-click the request and select Send to Intruder.

  7. Go to the Intruder tab. Make sure that Sniper attack is selected and add a payload position after /my-account as follows: /my-account§§abc.

  8. In the Payloads side panel, under Payload configuration, add a list of characters that may be used as delimiters.

  9. Under Payload encoding, deselect URL-encode these characters.

  10. Click Start attack. The attack runs in a new window.

  11. When the attack finishes, sort the results by Status code. Notice that the ; and ? characters receive a 200 response with your API key. All other characters receive the 404 Not Found response. This indicates that the origin server uses ; and ? as path delimiters.

Investigate path delimiter discrepancies

  1. Go to the Repeater tab that contains the /my-accountabc request.

  2. Add the ? character after /my-account and add a static file extension to the path. For example, update the path to /my-account?abc.js.

  3. Send the request. Notice that the response doesn't contain evidence of caching. This may indicate that the cache also uses ? as a path delimiter.

  4. Repeat this test using the ; character instead of ?. Notice that the response contains the X-Cache: miss header.

  5. Resend the request. Notice that the value of the X-Cache header changes to hit. This indicates that the cache doesn't use ; as a path delimiter and has a cache rule based on the .js static extension. You can use this payload for an exploit.
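As an added illustration from the cache operator's side (this is not part of the lab or PortSwigger's material), here is a small Python model of the cache rule the steps above uncover, beside a hardened version that normalises the path with the origin's delimiters and checks the origin's Content-Type before applying the .js rule. The delimiter sets, extension list and MIME types are assumptions drawn from the lab's observations.

```python
# Delimiters observed in this lab: the origin stops reading the path at the
# first ';' or '?', so /my-account;wcd.js resolves to /my-account, while the
# cache only honours '?'. Both sets are assumptions taken from the lab steps.
ORIGIN_DELIMITERS = ";?"
CACHE_DELIMITERS = "?"

# Extension-based static rule and the MIME types a static asset should carry
# (assumed lists, chosen to match the .js rule the lab exploits).
STATIC_EXTENSIONS = (".js", ".css", ".png", ".ico")
STATIC_CONTENT_TYPES = ("application/javascript", "text/javascript",
                        "text/css", "image/")


def truncate_at_delimiters(path: str, delimiters: str) -> str:
    """Return the part of the path a component sees before its first delimiter."""
    cut = len(path)
    for d in delimiters:
        idx = path.find(d)
        if idx != -1 and idx < cut:
            cut = idx
    return path[:cut]


def vulnerable_should_cache(raw_path: str) -> bool:
    """Lab-style rule: match the extension on the cache's own view of the path,
    which still contains everything after ';' because the cache ignores it."""
    cache_view = truncate_at_delimiters(raw_path, CACHE_DELIMITERS)
    return cache_view.lower().endswith(STATIC_EXTENSIONS)


def hardened_should_cache(raw_path: str, content_type: str) -> bool:
    """Hardened rule: normalise the path exactly as the origin does before
    matching the extension, and also require the origin to have labelled the
    response as a static asset, so an HTML account page is never cached."""
    origin_view = truncate_at_delimiters(raw_path, ORIGIN_DELIMITERS)
    static_path = origin_view.lower().endswith(STATIC_EXTENSIONS)
    static_body = content_type.lower().startswith(STATIC_CONTENT_TYPES)
    return static_path and static_body


if __name__ == "__main__":
    for p in ("/my-account;wcd.js", "/my-account?abc.js", "/resources/js/app.js"):
        print(p, "vulnerable:", vulnerable_should_cache(p),
              "hardened:", hardened_should_cache(p, "text/html; charset=utf-8"))
```

The first path is cached by the vulnerable rule but rejected by the hardened one, because after origin-style truncation it is /my-account and the response is HTML.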

Craft an exploit

  1. In Burp's browser, click Go to exploit server.

  2. In the Body section, craft an exploit that navigates the victim user carlos to the malicious URL you crafted earlier. Make sure to change the arbitrary string, so that the cache creates a unique key and carlos's account details are cached instead of him receiving your previously cached response:

    <script>document.location="https://YOUR-LAB-ID.web-security-academy.net/my-account;wcd.js"</script>

  3. Click Deliver exploit to victim. When the victim views the exploit, the response they receive is stored in the cache.

  4. Go to the URL that you delivered to carlos:

    https://YOUR-LAB-ID.web-security-academy.net/my-account;wcd.js

  5. Notice that the response includes the API key for carlos. Copy this.

  6. Click Submit solution, then submit the API key for carlos to solve the lab.