{"id":1390,"date":"2024-08-16T00:43:01","date_gmt":"2024-08-16T00:43:01","guid":{"rendered":"https:\/\/hacking.cool\/?p=1390"},"modified":"2024-09-11T03:32:02","modified_gmt":"2024-09-11T03:32:02","slug":"web-cache-poisoning-via-host-header","status":"publish","type":"post","link":"https:\/\/hacking.cool\/atomanya\/web-cache-poisoning-via-host-header\/","title":{"rendered":"Web Cache Poisoning via Host Header"},"content":{"rendered":"
\n
\"\"<\/figure><\/div>\n\n\n

Web Cache Poisoning might sound like something straight out of a security conference talk, but it’s a real threat that can cause serious headaches. Recently, a vulnerability was found on the Shopify theme store website, https:\/\/themes.shopify.com<\/code>, where an attacker could poison the cache by manipulating the Host header<\/strong>.<\/p>\n\n\n\n

What Is Web Cache Poisoning?<\/h4>\n\n\n\n

Let\u2019s break it down:<\/p>\n\n\n\n

    \n
  1. Web Caching<\/strong>: Websites use caching to store copies of web pages or resources, so they can be delivered quickly to users without regenerating them each time.<\/li>\n\n\n\n
  2. The Problem<\/strong>: If an attacker can trick the cache into storing a manipulated version of a page, users might end up seeing this tampered content instead of what they were supposed to get.<\/li>\n\n\n\n
  3. Host Header Exploit<\/strong>: The Host header in an HTTP request tells the server which domain it should respond to. By altering this header, the attacker can force the server to cache a version of the website that includes a fake port number, leading to a dysfunctional site experience.<\/li>\n<\/ol>\n\n\n\n

    How the Attack Works<\/h4>\n\n\n\n

    Here\u2019s how the attack was executed:<\/p>\n\n\n\n

    The Attack: Step-by-Step Breakdown<\/h3>\n\n\n\n

    In this attack, the attacker used a terminal to send repeated requests to https:\/\/themes.shopify.com<\/code> by running the following command:<\/p>\n\n\n\n

    while true; do curl -ik \"https:\/\/themes.shopify.com:443\/?g4mm4=hitthecache\" -H \"Host: themes.shopify.com:1337\" | grep \":1337\"; sleep 0; echo 1; done<\/code><\/p>\n\n\n\n

    This command repeatedly requests the page with an invalid Host header (in this case, using port 1337) and checks if the response includes this poisoned Host header.<\/p>\n\n\n\n

    If the server and caching system do not properly validate the Host header, they might store this incorrect version in the cache. This means that when other users request the page, they could be served the corrupted version instead of the proper one.<\/p>\n\n\n\n

    To verify if the cache had been poisoned, the attacker would run the following command in another terminal:<\/p>\n\n\n\n

    while true; do curl -ik \"https:\/\/themes.shopify.com:443\/\" | grep \":1337\"; done<\/code><\/p>\n\n\n\n

    This command checks if the corrupted Host header (using port 1337) is being served to users.<\/p>\n\n\n\n

    As a result, users visiting https:\/\/themes.shopify.com<\/code> might now see broken images, missing styles, or incorrect links because the website is being served with a port that doesn’t actually exist (e.g., themes.shopify.com:1337). This can cause the site to fail to load resources correctly, leading to a degraded user experience.<\/p>\n\n\n\n

    The Technical Implications<\/h3>\n\n\n\n

    This attack exploits a misconfiguration in how the web server and caching system handle HTTP headers. If the server does not properly validate or sanitize the Host header, it can lead to the entire cache being poisoned. The result is that every user who accesses the site during the period of poisoning receives a broken or manipulated version of the website.<\/p>\n\n\n\n

    Defense Against Web Cache Poisoning<\/h3>\n\n\n\n

    To protect against this kind of attack, it is essential to:<\/p>\n\n\n\n