Hidden Web Caches Discovery (2407.16303v1)
Abstract: Web caches play a crucial role in web performance and scalability. However, detecting cached responses is challenging when web servers do not reliably communicate the cache status through standardized headers. This paper presents a novel methodology for cache detection using timing analysis. Our approach eliminates the dependency on cache status headers, making it applicable to any web server. The methodology relies on sending paired requests using HTTP multiplexing functionality and makes heavy use of cache-busting to control the origin of the responses. By measuring the time it takes to receive responses from paired requests, we can determine if a response is cached or not. In each pair, one request is cache-busted to force retrieval from the origin server, while the other request is not and might be served from the cache, if present. A faster response time for the non-cache-busted request compared to the cache-busted one suggests the first one is coming from the cache. We implemented this approach in a tool and achieved an estimated accuracy of 89.6% compared to state-of-the-art methods based on cache status headers. Leveraging our cache detection approach, we conducted a large-scale experiment on the Tranco Top 50k websites. We identified a significant presence of hidden caches (5.8%) that do not advertise themselves through headers. Additionally, we employed our methodology to detect Web Cache Deception (WCD) vulnerabilities in these hidden caches. We discovered that 1.020 of them are susceptible to WCD vulnerabilities, potentially leaking sensitive data. Our findings demonstrate the effectiveness of our timing analysis methodology for cache discovery and highlight the importance of a tool that does not rely on cache-communicated cache status headers.
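The paired-request decision described in the abstract, as an added example that is not code from the paper or its tool. The `cb` parameter name, the one-sided sign test, the `alpha` threshold and the timing samples are assumptions made for this illustration; the paper's own decision rule is not given on this page.

```python
import math
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def cache_bust(url, param="cb"):
    """Append a fresh random query parameter so a URL-keyed cache misses."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((param, secrets.token_hex(8)))  # 'cb' is a hypothetical name
    return urlunsplit(parts._replace(query=urlencode(query)))

def sign_test_p(wins, n):
    """One-sided p-value P(X >= wins) for X ~ Binomial(n, 0.5)."""
    return sum(math.comb(n, k) for k in range(wins, n + 1)) / 2 ** n

def classify(pairs, alpha=0.01):
    """pairs: (plain_ms, busted_ms) per multiplexed request pair.

    A 'win' is a pair where the non-cache-busted response arrived first.
    Without a cache both requests reach the origin and wins hover near 50%;
    a cache in the path pushes wins toward 100%.
    """
    decisive = [(p, b) for p, b in pairs if p != b]  # drop exact ties
    n = len(decisive)
    wins = sum(1 for p, b in decisive if p < b)
    p_value = sign_test_p(wins, n) if n else 1.0
    return {"cached": p_value < alpha, "wins": wins, "n": n, "p_value": p_value}

# Constructed timing samples in milliseconds (not measurements from the paper).
CACHED_LIKE = [(21, 88), (19, 93), (24, 90), (20, 85), (95, 91), (22, 97),
               (18, 89), (23, 92), (20, 86), (21, 94), (19, 90), (25, 87)]
ORIGIN_LIKE = [(88, 91), (93, 90), (90, 94), (92, 85), (86, 91), (97, 89),
               (89, 92), (94, 90), (85, 88), (91, 87), (87, 93), (96, 92)]

if __name__ == "__main__":
    print(cache_bust("https://example.test/page?id=7"))
    print("cached-like:", classify(CACHED_LIKE))
    print("origin-like:", classify(ORIGIN_LIKE))
```

Comparing the two responses within each pair, rather than absolute latencies, is what lets one noisy sample (the fifth constructed pair) be outvoted instead of flipping the verdict.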