As the security awareness of administrators is increasing, beginner-level vulnerabilities and low-hanging fruits are (hopefully) often detected and avoided, at least for larger internet-facing web applications. However, more advanced vulnerabilities that arise from the deployment of web applications in real-world settings are often forgotten. During the actual deployment of a web application in a real-world setting we have to consider more factors than just the web application itself. That includes the web server (and potentially misconfigurations or default options that administrators might be unaware of) and intermediary systems such as web caches. All these factors combined create a complex environment of different configurations that leave room for vulnerabilities. This module covers three such vulnerabilities:
web cache poisoning which is often the result of discrepancies between web caches and the web application,
host header attacks which can be caused by misconfigured web servers and flaws in the web application, and
session puzzling or
session variable overloading which arises from improper handling of session variables in the web application.
In more detail, this module covers the following:
Web Cache Poisoning:
- What is a web cache and how does it work?
- How can web caches be configured?
- What are keyed & unkeyed parameters and how to identify them?
- Exploiting basic web cache poisoning vulnerabilities
- Using advanced techniques to exploit web cache poisoning vulnerabilities
Host Header Attacks:
- What is the Host header and why is it needed?
- What are override headers?
- Exploiting host header vulnerabilities such as password reset poisoning
- Bypassing flawed host header validation
- What are session variables and why are they needed?
- Exploiting weak session IDs
- Exploiting session puzzling due to insecure defaults
- Exploiting session puzzling due to common session variables
- Exploiting session puzzling due to premature session population
This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the
PwnBox provided in the interactive sections or your virtual machine.
Introduction to HTTP Misconfigurations
With billions of devices relying on it every day, HTTP is one of the most utilized protocols on the Internet. Today, web application security constitutes one the most vital parts of Cyber Security, as it is important to not only look at a web application discretely, but rather holistically in a real-world deployment which includes systems such as web servers and web caches that introduce additional complexity and therefore attack surface.
In this module, we will cover three HTTP attacks that are common in modern web applications. We will discuss these attacks in detail, including how to detect, exploit, and prevent these types of attacks.
Web services that are used by many users utilize web caches to improve performance by reducing the load on the web server. Web caches sit between the client and the web server. They store resources locally after obtaining them from the web server, such that they can serve them from local storage if the same resource is requested again. Thus, the resources do not need to be requested from the web server, reducing the load on the web server. Vulnerabilities that can arise when web servers utilize web caches will be discussed in this module.
Host header is present in any HTTP request since HTTP/1.1. It specifies the hostname and potentially the port of the server to which the request is being sent. When web servers host multiple web applications, the host header is used to determine which web application is targeted by the request and the response is served accordingly. In this module, we will discuss vulnerabilities that can arise from improper handling of the host header in the web application.
Since HTTP is a stateless protocol, sessions are required to provide context for requests. For instance, HTTP sessions are used to perform authenticated actions without having to send credentials in every request. The web application typically identifies the user by their session ID, which the user provides in a session cookie in most cases. On the server side, information about the user is stored in the session variables associated with the corresponding session ID. The last part of this module focuses on vulnerabilities that result from improper handling of session variables.
Web Cache Poisoning
The first HTTP attack discussed in this module is Web Cache Poisoning. This attack exploits misconfigurations in web caches in combination with other vulnerabilities in the underlying web application to target unknowing users. Depending on the specific vulnerability, it might be sufficient for a victim to simply access the targeted website to be exploited. Web cache poisoning can also lead to otherwise unexploitable vulnerabilities being weaponized to target a huge number of potential victims.
Host Header Attacks
The second type of attacks discussed in this module are Host Header Attacks. The HTTP host header contains the host of the accessed domain and is used to tell the server which domain a user wants to access. This is required for instances where a single server serves multiple domains or subdomains so that the server can identify the targeted application. Host header attacks exploit vulnerabilities in the handling of the host header. More specifically, if a web application uses the host header for authorization checks or to construct absolute links, an attacker may be able to manipulate the host header to bypass these checks or force the construction of malicious links.
The third and final attack covered in this module is Session Puzzling. Since HTTP is a stateless protocol, session variables are required to keep track of a wide variety of actions commonly performed in web applications, including authentication. Session puzzling is a vulnerability that results from improper handling of session variables and can lead to authentication bypasses or account takeover. In particular, session puzzling can be the result of the re-use of the same session variable in different processes, the premature population of session variables, or insecure default values for session variables.
Let's get started by discussing the first of these attacks in the next section.