Cached and Confused: Web Cache Deception in the Wild
Web cache deception (WCD) is an attack proposed in 2017, where an attacker tricks a caching proxy into erroneously storing private information transmitted over the Internet and subsequently gains unauthorized access to that cached data. Due to the widespread use of web caches and, in particular, the...
Gespeichert in:
| Veröffentlicht in: | arXiv.org 2020-02 |
|---|---|
| Hauptverfasser: | , , , , , |
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | arXiv.org |
| container_volume | |
| creator | Seyed Ali Mirheidari Arshad, Sajjad Onarlioglu, Kaan Crispo, Bruno Kirda, Engin Robertson, William |
| description | Web cache deception (WCD) is an attack proposed in 2017, where an attacker tricks a caching proxy into erroneously storing private information transmitted over the Internet and subsequently gains unauthorized access to that cached data. Due to the widespread use of web caches and, in particular, the use of massive networks of caching proxies deployed by content distribution network (CDN) providers as a critical component of the Internet, WCD puts a substantial population of Internet users at risk. We present the first large-scale study that quantifies the prevalence of WCD in 340 high-profile sites among the Alexa Top 5K. Our analysis reveals WCD vulnerabilities that leak private user data as well as secret authentication and authorization tokens that can be leveraged by an attacker to mount damaging web application attacks. Furthermore, we explore WCD in a scientific framework as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique used make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable two years after the public disclosure of WCD. Our empirical experiments with popular CDN providers underline the fact that web caches are not plug & play technologies. In order to mitigate WCD, site operators must adopt a holistic view of their web infrastructure and carefully configure cache settings appropriate for their applications. |
| format | Article |
| fullrecord | <record><control><sourceid>proquest</sourceid><recordid>TN_cdi_proquest_journals_2330261077</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>2330261077</sourcerecordid><originalsourceid>FETCH-proquest_journals_23302610773</originalsourceid><addsrcrecordid>eNpjYuA0MjY21LUwMTLiYOAtLs4yMDAwMjM3MjU15mQwcU5MzkhNUUjMS1Fwzs9LKy1OTbFSCE9NUgBLKLikJqcWlGTm5ylk5imUAAXCM3NSeBhY0xJzilN5oTQ3g7Kba4izh25BUX5haWpxSXxWfmlRHlAqHmg10DJDA3NzY-JUAQCh6TMI</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>2330261077</pqid></control><display><type>article</type><title>Cached and Confused: Web Cache Deception in the Wild</title><source>Free E- Journals</source><creator>Seyed Ali Mirheidari ; Arshad, Sajjad ; Onarlioglu, Kaan ; Crispo, Bruno ; Kirda, Engin ; Robertson, William</creator><creatorcontrib>Seyed Ali Mirheidari ; Arshad, Sajjad ; Onarlioglu, Kaan ; Crispo, Bruno ; Kirda, Engin ; Robertson, William</creatorcontrib><description>Web cache deception (WCD) is an attack proposed in 2017, where an attacker tricks a caching proxy into erroneously storing private information transmitted over the Internet and subsequently gains unauthorized access to that cached data. Due to the widespread use of web caches and, in particular, the use of massive networks of caching proxies deployed by content distribution network (CDN) providers as a critical component of the Internet, WCD puts a substantial population of Internet users at risk. We present the first large-scale study that quantifies the prevalence of WCD in 340 high-profile sites among the Alexa Top 5K. Our analysis reveals WCD vulnerabilities that leak private user data as well as secret authentication and authorization tokens that can be leveraged by an attacker to mount damaging web application attacks. Furthermore, we explore WCD in a scientific framework as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique used make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable two years after the public disclosure of WCD. Our empirical experiments with popular CDN providers underline the fact that web caches are not plug & play technologies. In order to mitigate WCD, site operators must adopt a holistic view of their web infrastructure and carefully configure cache settings appropriate for their applications.</description><identifier>EISSN: 2331-8422</identifier><language>eng</language><publisher>Ithaca: Cornell University Library, arXiv.org</publisher><subject>Applications programs ; Caching ; Confusion ; Critical components ; Cybersecurity ; Empirical analysis ; Internet ; Plug & play</subject><ispartof>arXiv.org, 2020-02</ispartof><rights>2020. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>776,780</link.rule.ids></links><search><creatorcontrib>Seyed Ali Mirheidari</creatorcontrib><creatorcontrib>Arshad, Sajjad</creatorcontrib><creatorcontrib>Onarlioglu, Kaan</creatorcontrib><creatorcontrib>Crispo, Bruno</creatorcontrib><creatorcontrib>Kirda, Engin</creatorcontrib><creatorcontrib>Robertson, William</creatorcontrib><title>Cached and Confused: Web Cache Deception in the Wild</title><title>arXiv.org</title><description>Web cache deception (WCD) is an attack proposed in 2017, where an attacker tricks a caching proxy into erroneously storing private information transmitted over the Internet and subsequently gains unauthorized access to that cached data. Due to the widespread use of web caches and, in particular, the use of massive networks of caching proxies deployed by content distribution network (CDN) providers as a critical component of the Internet, WCD puts a substantial population of Internet users at risk. We present the first large-scale study that quantifies the prevalence of WCD in 340 high-profile sites among the Alexa Top 5K. Our analysis reveals WCD vulnerabilities that leak private user data as well as secret authentication and authorization tokens that can be leveraged by an attacker to mount damaging web application attacks. Furthermore, we explore WCD in a scientific framework as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique used make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable two years after the public disclosure of WCD. Our empirical experiments with popular CDN providers underline the fact that web caches are not plug & play technologies. In order to mitigate WCD, site operators must adopt a holistic view of their web infrastructure and carefully configure cache settings appropriate for their applications.</description><subject>Applications programs</subject><subject>Caching</subject><subject>Confusion</subject><subject>Critical components</subject><subject>Cybersecurity</subject><subject>Empirical analysis</subject><subject>Internet</subject><subject>Plug & play</subject><issn>2331-8422</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2020</creationdate><recordtype>article</recordtype><sourceid>BENPR</sourceid><recordid>eNpjYuA0MjY21LUwMTLiYOAtLs4yMDAwMjM3MjU15mQwcU5MzkhNUUjMS1Fwzs9LKy1OTbFSCE9NUgBLKLikJqcWlGTm5ylk5imUAAXCM3NSeBhY0xJzilN5oTQ3g7Kba4izh25BUX5haWpxSXxWfmlRHlAqHmg10DJDA3NzY-JUAQCh6TMI</recordid><startdate>20200214</startdate><enddate>20200214</enddate><creator>Seyed Ali Mirheidari</creator><creator>Arshad, Sajjad</creator><creator>Onarlioglu, Kaan</creator><creator>Crispo, Bruno</creator><creator>Kirda, Engin</creator><creator>Robertson, William</creator><general>Cornell University Library, arXiv.org</general><scope>8FE</scope><scope>8FG</scope><scope>ABJCF</scope><scope>ABUWG</scope><scope>AFKRA</scope><scope>AZQEC</scope><scope>BENPR</scope><scope>BGLVJ</scope><scope>CCPQU</scope><scope>DWQXO</scope><scope>HCIFZ</scope><scope>L6V</scope><scope>M7S</scope><scope>PIMPY</scope><scope>PQEST</scope><scope>PQQKQ</scope><scope>PQUKI</scope><scope>PRINS</scope><scope>PTHSS</scope></search><sort><creationdate>20200214</creationdate><title>Cached and Confused: Web Cache Deception in the Wild</title><author>Seyed Ali Mirheidari ; Arshad, Sajjad ; Onarlioglu, Kaan ; Crispo, Bruno ; Kirda, Engin ; Robertson, William</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-proquest_journals_23302610773</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2020</creationdate><topic>Applications programs</topic><topic>Caching</topic><topic>Confusion</topic><topic>Critical components</topic><topic>Cybersecurity</topic><topic>Empirical analysis</topic><topic>Internet</topic><topic>Plug & play</topic><toplevel>online_resources</toplevel><creatorcontrib>Seyed Ali Mirheidari</creatorcontrib><creatorcontrib>Arshad, Sajjad</creatorcontrib><creatorcontrib>Onarlioglu, Kaan</creatorcontrib><creatorcontrib>Crispo, Bruno</creatorcontrib><creatorcontrib>Kirda, Engin</creatorcontrib><creatorcontrib>Robertson, William</creatorcontrib><collection>ProQuest SciTech Collection</collection><collection>ProQuest Technology Collection</collection><collection>Materials Science & Engineering Collection</collection><collection>ProQuest Central (Alumni Edition)</collection><collection>ProQuest Central UK/Ireland</collection><collection>ProQuest Central Essentials</collection><collection>ProQuest Central</collection><collection>Technology Collection</collection><collection>ProQuest One Community College</collection><collection>ProQuest Central Korea</collection><collection>SciTech Premium Collection</collection><collection>ProQuest Engineering Collection</collection><collection>Engineering Database</collection><collection>Publicly Available Content Database</collection><collection>ProQuest One Academic Eastern Edition (DO NOT USE)</collection><collection>ProQuest One Academic</collection><collection>ProQuest One Academic UKI Edition</collection><collection>ProQuest Central China</collection><collection>Engineering Collection</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Seyed Ali Mirheidari</au><au>Arshad, Sajjad</au><au>Onarlioglu, Kaan</au><au>Crispo, Bruno</au><au>Kirda, Engin</au><au>Robertson, William</au><format>book</format><genre>document</genre><ristype>GEN</ristype><atitle>Cached and Confused: Web Cache Deception in the Wild</atitle><jtitle>arXiv.org</jtitle><date>2020-02-14</date><risdate>2020</risdate><eissn>2331-8422</eissn><abstract>Web cache deception (WCD) is an attack proposed in 2017, where an attacker tricks a caching proxy into erroneously storing private information transmitted over the Internet and subsequently gains unauthorized access to that cached data. Due to the widespread use of web caches and, in particular, the use of massive networks of caching proxies deployed by content distribution network (CDN) providers as a critical component of the Internet, WCD puts a substantial population of Internet users at risk. We present the first large-scale study that quantifies the prevalence of WCD in 340 high-profile sites among the Alexa Top 5K. Our analysis reveals WCD vulnerabilities that leak private user data as well as secret authentication and authorization tokens that can be leveraged by an attacker to mount damaging web application attacks. Furthermore, we explore WCD in a scientific framework as an instance of the path confusion class of attacks, and demonstrate that variations on the path confusion technique used make it possible to exploit sites that are otherwise not impacted by the original attack. Our findings show that many popular sites remain vulnerable two years after the public disclosure of WCD. Our empirical experiments with popular CDN providers underline the fact that web caches are not plug & play technologies. In order to mitigate WCD, site operators must adopt a holistic view of their web infrastructure and carefully configure cache settings appropriate for their applications.</abstract><cop>Ithaca</cop><pub>Cornell University Library, arXiv.org</pub><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext |
| identifier | EISSN: 2331-8422 |
| ispartof | arXiv.org, 2020-02 |
| issn | 2331-8422 |
| language | eng |
| recordid | cdi_proquest_journals_2330261077 |
| source | Free E- Journals |
| subjects | Applications programs Caching Confusion Critical components Cybersecurity Empirical analysis Internet Plug & play |
| title | Cached and Confused: Web Cache Deception in the Wild |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-29T14%3A48%3A51IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=Cached%20and%20Confused:%20Web%20Cache%20Deception%20in%20the%20Wild&rft.jtitle=arXiv.org&rft.au=Seyed%20Ali%20Mirheidari&rft.date=2020-02-14&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E2330261077%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2330261077&rft_id=info:pmid/&rfr_iscdi=true |