Web Cache Deception (WCD) tricks a web cache into erroneously storing sensitive content, thereby making it widely accessible on the Internet. In a USENIX Security 2020 paper titled “Cached and Confused: Web Cache Deception in the Wild”, researchers presented the first systematic exploration of the attack over 340 websites. This state-of-the-art approach for WCD detection injects markers into websites and checks for leaks into caches. However, this scheme has two fundamental limitations: 1) It cannot probe websites that do not present avenues for marker injection or reflection. 2) Marker setup is a burdensome process, making large-scale measurements infeasible. More generally, all previous literature on WCD focuses solely on personal information leaks on websites protected behind authentication gates, leaving important gaps in our understanding of the full ramifications of WCD. We expand our knowledge of WCD attacks, their spread, and implications. We propose a novel WCD detection methodology that forgoes testing prerequisites, and utilizes page identicality checks and cache header heuristics to test any website. We conduct a comparative experiment on 404 websites, and show that our scheme identifies over 100 vulnerabilities while “Cached and Confused” is capped at 18. Equipped with a technique unhindered by the limitations of the previous work, we conduct the largest WCD experiment to date on the Alexa Top 10K, and detect 1188 vulnerable websites. We present case studies showing that WCD has consequences well beyond personal information leaks, and that attacks targeting non-authenticated pages are highly damaging.

Web Cache Deception Escalates! / Mirheidari, Seyed Ali; Golinelli, Matteo; Onarlioglu, Kaan; Kirda, Engin; Crispo, Bruno. - ELETTRONICO. - (2022), pp. 179-195. (Intervento presentato al convegno 31st USENIX Security Symposium, Security 2022 tenutosi a Boston nel 10th -12th Aug 2022).

Web Cache Deception Escalates!

Mirheidari, Seyed Ali;Golinelli, Matteo;Crispo, Bruno
2022-01-01

Abstract

Web Cache Deception (WCD) tricks a web cache into erroneously storing sensitive content, thereby making it widely accessible on the Internet. In a USENIX Security 2020 paper titled “Cached and Confused: Web Cache Deception in the Wild”, researchers presented the first systematic exploration of the attack over 340 websites. This state-of-the-art approach for WCD detection injects markers into websites and checks for leaks into caches. However, this scheme has two fundamental limitations: 1) It cannot probe websites that do not present avenues for marker injection or reflection. 2) Marker setup is a burdensome process, making large-scale measurements infeasible. More generally, all previous literature on WCD focuses solely on personal information leaks on websites protected behind authentication gates, leaving important gaps in our understanding of the full ramifications of WCD. We expand our knowledge of WCD attacks, their spread, and implications. We propose a novel WCD detection methodology that forgoes testing prerequisites, and utilizes page identicality checks and cache header heuristics to test any website. We conduct a comparative experiment on 404 websites, and show that our scheme identifies over 100 vulnerabilities while “Cached and Confused” is capped at 18. Equipped with a technique unhindered by the limitations of the previous work, we conduct the largest WCD experiment to date on the Alexa Top 10K, and detect 1188 vulnerable websites. We present case studies showing that WCD has consequences well beyond personal information leaks, and that attacks targeting non-authenticated pages are highly damaging.
2022
31st USENIX Security Symposium (USENIX Security 22)
Boston
USENIX Association
978-1-939133-31-1
Mirheidari, Seyed Ali; Golinelli, Matteo; Onarlioglu, Kaan; Kirda, Engin; Crispo, Bruno
Web Cache Deception Escalates! / Mirheidari, Seyed Ali; Golinelli, Matteo; Onarlioglu, Kaan; Kirda, Engin; Crispo, Bruno. - ELETTRONICO. - (2022), pp. 179-195. (Intervento presentato al convegno 31st USENIX Security Symposium, Security 2022 tenutosi a Boston nel 10th -12th Aug 2022).
File in questo prodotto:
File Dimensione Formato  
sec22-mirheidari.pdf

accesso aperto

Tipologia: Versione editoriale (Publisher’s layout)
Licenza: Creative commons
Dimensione 542.72 kB
Formato Adobe PDF
542.72 kB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/353402
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 13
  • ???jsp.display-item.citation.isi??? 5
social impact