Each year at the beginning of August the world’s best security researchers and hackers get together for two annual security conferences; Black hat and Defcon. Each conference takes place over three days where the latest and greatest new hacking techniques are presented.

One thing is for sure, malicious actors are paying attention, and hope to quickly implement the latest techniques to catch organisations off guard.

AppCheck attends each conference and immediately implements the new techniques within AppCheck’s arsenal of checks and attack methodologies.

To allow you to scan for these new attacks quickly, we have included a scan profile named “Blackhat & Defcon 2018”. By selecting this profile, each target is assessed using just the newly added modules to allow our users to quickly identify these emerging threats without running a complete scan.

Web Cache Poison Attacks

One of the big web application talks at Black Hat this year was James Kettles talk on Web Cache Poison attacks. In brief, web caches such as Nginx, Varnish and Cloudflare determine if they should cache a response based on the URI and the host header (hostname) alone. The combination of these two values makes up what is known as the “cache key”.

Put simply, if two requests have the same URL, the cache believes the two requests are for the exact same resource and will cache the response.

This can become a serious security flaw if a vulnerability such as Cross-Site Scripting exists with a request component such as a HTTP request header or Cookie which are not considered by the cache when determining if a request is unique.

In this scenario, the attacker can embed malicious content within a response to a given URL and have it cached and served to all other users of the application.

Since AppCheck added a plugin for this attack on August 10^th, 2018, there have been an alarming number of vulnerable sites detected, with most being susceptible.

Path normalisation vulnerabilities

Another prominent web application talks this year was Breaking Parser Logic by Orange Tsai. This talk focused on different approaches to exploit components that attempt to validate file paths and URIs before permitting access to a resource. Overall, most of the techniques discussed in this paper are already covered comprehensively by AppCheck with no updates needed.

However, the talk did cover some specific vulnerabilities which would not be detected by default and are included with this update, including;

• A common configuration flaw in Nginx dubbed “off by slash” vulnerability
• Vulnerabilities within the Spring framework and Ruby on Rails (CVE-2018-1271, CVE-2018-3760, CVE-2018-9159)
• Updates to some existing modules to include the presented path parameter technique when attempting to bypass proxies.