Web Cache Poisoning


What is Web Cache and How Does It Work?

A web cache stores rendered content in the memory of the cache service instead of having the server render it again for every request, and serves that stored copy to other users. This reduces server load and delivers content to the user faster.

Which Addresses to Cache and the Decision Process

Every cache story is based on a key-value relationship. The value is the content itself; the key is something the web cache produces by combining the protocol, domain, path and query string. The cache computes this key for every incoming request and looks it up in memory. If the key does not exist, the request is forwarded to the server.

When no entry exists for the key, the request is sent to the server, and the server decides whether the returned content is cacheable. If the content is not cacheable, the server says so in a response header.
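The following is an added example, not code from the original post: a minimal shared cache that keys entries on exactly the four components named above (protocol, domain, path, query string), forwards misses to the origin, and lets the origin decide cacheability through its Cache-Control header. It also marks hits and misses in the response (X-Cache, Age), which is the kind of information the later "read it from the response" method relies on. The Request/Response shapes, the SimpleCache class and the origin function are constructed for this example.

```python
# Added example (not the post's code): cache keyed on scheme + host + path + query.
# Everything else in the request, including headers, is unkeyed.
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    scheme: str
    host: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def cache_key(req: Request) -> str:
    """Only these four components form the key; request headers are unkeyed."""
    return f"{req.scheme}://{req.host}{req.path}?{req.query}"


def is_cacheable(resp: Response) -> bool:
    """The origin signals cacheability in the header: 'no-store' or 'private' is never shared."""
    cc = resp.headers.get("Cache-Control", "").lower()
    return "no-store" not in cc and "private" not in cc


class SimpleCache:
    def __init__(self, origin):
        self.origin = origin      # callable: Request -> Response
        self.store = {}           # key -> (Response, stored_at)

    def fetch(self, req: Request) -> Response:
        key = cache_key(req)
        if key in self.store:
            stored, stored_at = self.store[key]
            # Serve the stored body and mark the hit, as real caches do with X-Cache / Age
            hit = Response(stored.body, dict(stored.headers))
            hit.headers["X-Cache"] = "HIT"
            hit.headers["Age"] = str(int(time.time() - stored_at))
            return hit
        resp = self.origin(req)
        resp.headers["X-Cache"] = "MISS"
        if is_cacheable(resp):
            self.store[key] = (resp, time.time())
        return resp


def origin(req: Request) -> Response:
    """Constructed origin: the home page renders a link from an unkeyed header,
    while account pages are declared private and are never stored."""
    if req.path.startswith("/account"):
        return Response("account balance", {"Cache-Control": "private, no-store"})
    host = req.headers.get("X-Forwarded-Host", req.host)
    return Response(f'<a href="https://{host}/">home</a>', {"Cache-Control": "max-age=60"})


def run_demo():
    cache = SimpleCache(origin)
    first = cache.fetch(Request("https", "hkapcblog.com", "/", "reklam=kpc",
                                {"X-Forwarded-Host": "other.example"}))
    # Same key, no header this time: the header is unkeyed, so the stored body is served
    second = cache.fetch(Request("https", "hkapcblog.com", "/", "reklam=kpc"))
    acct = cache.fetch(Request("https", "hkapcblog.com", "/account"))
    acct_again = cache.fetch(Request("https", "hkapcblog.com", "/account"))
    return first, second, acct, acct_again


if __name__ == "__main__":
    for r in run_demo():
        print(r.headers.get("X-Cache"), r.body)
```

The second request never reaches the origin and receives the body that the first request's header produced; that is the whole mechanism the rest of the post builds on. The account page, by contrast, is never stored because the origin marked it private and no-store.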

Cache Attack Vectors

In cache attacks, the aim is to inject something into the value that will be cached, so that it is later shown to the people who view the page next. So how do we know what is cached and what is not?

Sometimes we can tell intuitively. For example:

You send a request like "https://hkapcblog.com/?reklam=kpc" and the response takes 0.1 seconds. You send the same request again, and this time it takes 0.03 seconds. The drop in response time indicates that the response was cached. Another method is to read the information from the response itself:

[Figure: web cache poison]

Caches write this information into the response they return.

Cache and URL Management in Modern Frameworks

Modern frameworks provide helper functions. For example, in the template engine:

[Figure: web cache poison]

The template engine converts this code into:

[Figure: web cache poison]

The url function looks up the "home" tag in the routing definitions and turns it into the proper URL. So where does the domain for "home" come from? Almost all modern frameworks take it from the headers of the incoming request, for example from the "Host" value. Developers never hardcode links, because the domain changes from one environment to another.

For example:

X-Forwarded-Host: hkapcblog.com

When this header is added, the framework's middleware layers check for a value named "X-Forwarded-Host" and, if present, evaluate it first. This comes from reverse-proxy setups: the frontend Nginx or load balancer forwards the original host in this header, and the backend framework accepts it as the host value when generating links, so it ends up in the output of the helper functions.
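As an added example (not the post's code and not any particular framework's code), here is a URL helper that derives the host for absolute links in the two ways relevant to this section: the naive way just described, where X-Forwarded-Host wins whenever it is present, and a hardened way in which the header is honoured only when the request actually arrived from the reverse proxy and the resulting host must be on an allow-list of names the application serves. The names resolve_host_naive, resolve_host_hardened, url_for, ROUTES, TRUSTED_PROXIES and ALLOWED_HOSTS, and the values in them, are this example's own assumptions.

```python
# Added example (not from the post): host resolution for link generation,
# naive (header always trusted) versus hardened (trusted proxy + allow-list).
import ipaddress
import re

ROUTES = {"home": "/", "login": "/accounts/login/"}        # constructed routing table
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]      # assumed address range of Nginx / the LB
ALLOWED_HOSTS = {"hkapcblog.com", "www.hkapcblog.com"}      # hostnames this app really serves
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def resolve_host_naive(headers: dict) -> str:
    """What the text describes: X-Forwarded-Host is evaluated first, from anyone."""
    return headers.get("X-Forwarded-Host") or headers["Host"]


def resolve_host_hardened(headers: dict, remote_addr: str) -> str:
    """Honour X-Forwarded-Host only from a trusted proxy, then validate the result."""
    from_proxy = any(ipaddress.ip_address(remote_addr) in net for net in TRUSTED_PROXIES)
    candidate = headers.get("X-Forwarded-Host") if from_proxy else None
    # A proxy chain may send a comma-separated list; the first entry is the client-facing host
    host = (candidate or headers["Host"]).split(",")[0].strip()
    if not _HOST_RE.match(host):
        raise ValueError("malformed host header")
    if host.split(":")[0].lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host}")
    return host


def url_for(name: str, headers: dict, remote_addr: str,
            scheme: str = "https", hardened: bool = True) -> str:
    """Absolute URL for a route, the way a template helper would produce it."""
    host = (resolve_host_hardened(headers, remote_addr) if hardened
            else resolve_host_naive(headers))
    return f"{scheme}://{host}{ROUTES[name]}"


def is_rejected(headers: dict, remote_addr: str) -> bool:
    """True when the hardened resolver refuses to build a link from these inputs."""
    try:
        resolve_host_hardened(headers, remote_addr)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    h = {"Host": "backend.internal", "X-Forwarded-Host": "attacker.example"}
    print("naive   :", url_for("home", h, "203.0.113.5", hardened=False))
    print("hardened:", "rejected" if is_rejected(h, "10.1.2.3") else url_for("home", h, "10.1.2.3"))
```

The allow-list is the check that actually matters: when the backend is only reachable through Nginx, every request looks like it came from the proxy, so the proxy itself must overwrite (not pass through) X-Forwarded-Host, and the application must still refuse hosts it does not serve. The remote-address check only adds value when the backend can also be reached directly.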

Dynamic Content and Cache Management

Sometimes web applications need to generate JavaScript content dynamically and load it asynchronously. For example:

[Figure: web cache poison]

This is no longer a static file but a new endpoint. The content has to change according to the user's session, so a dynamic JavaScript is generated, producing a dynamic single-page application that the client executes with eval. If, while this JavaScript is being generated, some input is used that the cache server does not include in its key, we need to look for something unique in the response that shows where that input is reflected.
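Added example, not code from the original post: a dynamic JavaScript endpoint of the kind just described, personalised per session. The unsafe version pastes the request's host into the script verbatim and allows a shared cache to store the result; the hardened version encodes every value it embeds as a JSON string literal (so an unkeyed input cannot break out of the string) and marks the session-dependent output as private and non-storable so the cache never hands one user's script to another. The functions render_js_unsafe, render_js_hardened and js_string, and the session dict, are this example's own.

```python
# Added example (not the post's code): per-session JavaScript endpoint, unsafe vs hardened.
import json


def js_string(value: str) -> str:
    """JSON string literal that is also safe inside a <script> block.
    json.dumps escapes quotes, backslashes and control characters (and, with the default
    ensure_ascii=True, U+2028/U+2029); '<' and '>' are escaped additionally so the
    literal can never form a closing </script> tag."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_js_unsafe(session: dict, host: str):
    """Reflects the host verbatim and lets a shared cache keep the result for 5 minutes."""
    body = (f'var user = "{session["name"]}";\n'
            f'var apiBase = "https://{host}/api";\n')
    return {"Content-Type": "application/javascript", "Cache-Control": "max-age=300"}, body


def render_js_hardened(session: dict, host: str):
    """Every embedded value is a proper JS string literal; output is never shared."""
    body = (f"var user = {js_string(session['name'])};\n"
            f"var apiBase = {js_string('https://' + host + '/api')};\n")
    headers = {
        "Content-Type": "application/javascript",
        "Cache-Control": "private, no-store",   # content depends on the session
        "Vary": "Cookie",                       # belt and braces for caches that still key it
    }
    return headers, body


if __name__ == "__main__":
    session = {"name": "alice"}
    # Constructed host value containing a string delimiter, to show the difference
    for render in (render_js_unsafe, render_js_hardened):
        headers, body = render(session, 'h".example')
        print(headers["Cache-Control"])
        print(body)
```

With the hardened version, an unkeyed header reflected into the script lands inside a string literal and the response is not stored by a shared cache; either measure alone narrows the problem, both together close it for this endpoint.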

Using Param Miner

Param Miner is a Burp Suite extension that searches requests for unkeyed inputs such as "X-Forwarded" headers. Its "guess headers" function discovers such headers on a request, thus identifying security vulnerabilities.

For example:

GET / HTTP/1.1

X-Forwarded-Host: xss_payload

When X-Forwarded-Host is added like this, the framework behind the Nginx front end can accept the header value as the host and use it in the links its helper functions generate.

[Figure: web cache poison]

A web cache can significantly improve web performance by reducing server load and delivering content faster. However, caching must be configured correctly, and the potential security vulnerabilities must be considered carefully. The helpers provided by modern frameworks and security testing tools such as Param Miner play a crucial role in keeping caching both effective and secure. Managing and securing dynamic content is another important aspect that needs attention.



Reference:

MDISEC