From d040c0e677bc7fa3c66e63055930ee27f7fdc842 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Tue, 28 Mar 2023 21:53:53 +0200
Subject: [PATCH] Web Cache Deception Methodology

---
 API Key Leaks/README.md       | 12 +++++---
 Web Cache Deception/README.md | 54 +++++++++++++++++++++++++++++++----
 2 files changed, 57 insertions(+), 9 deletions(-)

diff --git a/API Key Leaks/README.md b/API Key Leaks/README.md
index f1c9369..e65d687 100644
--- a/API Key Leaks/README.md	
+++ b/API Key Leaks/README.md	
@@ -23,16 +23,20 @@
 
 ## Tools
 
-- [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
-- [KeyHacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
-- [TruffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
+- [momenbasel/KeyFinder](https://github.com/momenbasel/KeyFinder) - is a tool that let you find keys while surfing the web
+- [streaak/keyhacks](https://github.com/streaak/keyhacks) - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid
+- [trufflesecurity/truffleHog](https://github.com/trufflesecurity/truffleHog) - Find credentials all over the place
     ```ps1
     docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
     docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
     trufflehog git https://github.com/trufflesecurity/trufflehog.git
     trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
     ```
-- [Trivy - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets](https://github.com/aquasecurity/trivy)
+- [aquasecurity/trivy](https://github.com/aquasecurity/trivy) - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets
+- [projectdiscovery/nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) - Use these templates to test an API token against many API service endpoints
+    ```powershell
+    nuclei -t token-spray/ -var token=token_list.txt
+    ```
     
 ## Exploit
 
diff --git a/Web Cache Deception/README.md b/Web Cache Deception/README.md
index 4171cd6..5645187 100644
--- a/Web Cache Deception/README.md	
+++ b/Web Cache Deception/README.md	
@@ -1,30 +1,51 @@
 # Web Cache Deception
 
+## Summary
+
+* [Tools](#tools)
+* [Exploit](#exploit)
+* [Methodology - Caching Sensitive Data](#methodology---caching-sensitive-data)
+* [Methodology - Caching Custom JavaScript](#methodology---caching-custom-javascript)
+* [CloudFlare Caching](#cloudflare-caching)
+* [Labs](#labs)
+* [References](#references)
+
+
 ## Tools
 
-* [Param Miner - PortSwigger](https://github.com/PortSwigger/param-miner)
+* [PortSwigger/param-miner](https://github.com/PortSwigger/param-miner)
     > This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.
 
 ## Exploit
 
-1. Browser requests `http://www.example.com/home.php/non-existent.css`.
+1. Browser requests a resource such as `http://www.example.com/home.php/non-existent.css`.
 2. Server returns the content of `http://www.example.com/home.php`, most probably with HTTP caching headers that instruct to not cache this page.
 3. The response goes through the proxy.
 4. The proxy identifies that the file has a css extension.
 5. Under the cache directory, the proxy creates a directory named home.php, and caches the imposter "CSS" file (non-existent.css) inside.
 
-## Methodology of the attack - example
 
+## Methodology - Caching Sensitive Data
+
+**Example 1** - Web Cache Deception on PayPal Home Page
 1. Normal browsing, visit home : `https://www.example.com/myaccount/home/`
 2. Open the malicious link : `https://www.example.com/myaccount/home/malicious.css`
 3. The page is displayed as /home and the cache is saving the page
-4. Open a private tab with the previous URL : `https://www.paypal.com/myaccount/home/malicous.css`
+4. Open a private tab with the previous URL : `https://www.example.com/myaccount/home/malicous.css`
 5. The content of the cache is displayed
 
 Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
 [![DEMO](https://i.vimeocdn.com/video/674856618.jpg)](https://vimeo.com/249130093)
 
-## Methodology 2
+**Example 2** - Web Cache Deception on OpenAI
+1. Attacker crafts a dedicated .css path of the `/api/auth/session` endpoint.
+2. Attacker distributes the link
+3. Victims visit the legitimate link.
+4. Response is cached.
+5. Attacker harvests JWT Credentials.
+
+
+## Methodology - Caching Custom JavaScript
 
 1. Find an un-keyed input for a Cache Poisoning
     ```js
@@ -49,6 +70,28 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
     <meta property="og:image" content="https://test"><script>alert(1)</script>">
     ```
 
+
+## CloudFlare Caching
+
+CloudFlare caches the resource when the `Cache-Control` header is set to `public` and `max-age` is greater than 0. 
+
+- The Cloudflare CDN does not cache HTML by default
+- Cloudflare only caches based on file extension and not by MIME type: [cloudflare/default-cache-behavior](https://developers.cloudflare.com/cache/about/default-cache-behavior/)
+
+CloudFlare has a list of default extensions that gets cached behind their Load Balancers.
+
+|       |      |      |      |      |       |      |
+|-------|------|------|------|------|-------|------|
+| 7Z    | CSV  | GIF  | MIDI | PNG  | TIF   | ZIP  |
+| AVI   | DOC  | GZ   | MKV  | PPT  | TIFF  | ZST  |
+| AVIF  | DOCX | ICO  | MP3  | PPTX | TTF   | CSS  |
+| APK   | DMG  | ISO  | MP4  | PS   | WEBM  | FLAC |
+| BIN   | EJS  | JAR  | OGG  | RAR  | WEBP  | MID  |
+| BMP   | EOT  | JPG  | OTF  | SVG  | WOFF  | PLS  |
+| BZ2   | EPS  | JPEG | PDF  | SVGZ | WOFF2 | TAR  |
+| CLASS | EXE  | JS   | PICT | SWF  | XLS   | XLSX |
+
+
 ## Labs 
 
 * [PortSwigger Labs for Web cache deception](https://portswigger.net/web-security/all-labs#web-cache-poisoning)
@@ -62,3 +105,4 @@ Video of the attack by Omer Gil - Web Cache Deception Attack in PayPal Home Page
 * [Web cache poisoning - Web Security Academy learning materials](https://portswigger.net/web-security/web-cache-poisoning)
   - [Exploiting cache design flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-design-flaws)
   - [Exploiting cache implementation flaws](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws)
+* [OpenAI Account Takeover - @naglinagli - Mar 24, 2023](https://twitter.com/naglinagli/status/1639343866313601024)